Running secure key under a z/VM guest
In order to use the CEX*C feature under z/VM®, you need to apply specific APAR fixes.
These fixes are described in Hardware requirements.
Also, to get secure key running under a z/VM guest, a directory control statement (CRYPTO APDED) for a given z/VM guest needs to be used. This requires that the AP's with this domain are owned by the LPAR. There is no virtualization done by z/VM.
For secure key, z/VM does
not virtualize the AP's. The AP's need to be dedicated, which is done
by the user statement:
CRYPTO DOMAIN 12 APDED 5 7This
statement dedicates AP's 5 and 7 for domain 12 to one Linux guest.Note: Shared crypto adapters, as defined with the z/VM user directory statement CRYPTO APVIRT,
cannot be used for secure key cryptographic operations. Because dedicated
and shared cryptographic adapters cannot be mixed in a z/VM guest virtual machine, additional crypto
adapters for use with clear key cryptography, coprocessors or accelerators,
must be defined as dedicated adapters.