Hardware requirements

In order to make use of the verbs provided in the Common Cryptographic Architecture (CCA) API for Linux® on IBM® Z, your hardware must meet certain minimum requirements.

This is the minimum supported hardware configuration:

  • Minimum supported generation of IBM Z® systems: IBM z13®.
  • One CEX5S adapter feature configured in CCA cryptographic coprocessor mode assigned to the LPAR or z/VM® guest that uses CCA. This is a CEX5C adapter with CCA 5.0.0z or greater firmware loaded.
  • If you plan to use a Trusted Key Entry (TKE) workstation, you must have a TKE V10.0 or later to manage CEX8C adapters and PCI-HSM 2016 compliance mode.
    • A TKE V8.0 workstation is required to manage CEX5C adapters.
    • A TKE V9.1 workstation is required to manage CEX6C adapters, especially to start exploiting PCI-HSM 2016 compliance mode.
    • A TKE V9.2 workstation is required to manage CEX7C adapters.
    • A TKE V10.0 or V10.1 workstation is required to manage CEX8C adapters.
    • A TKE V10.1 version of the Migrate Host Crypto Module Public Configuration Data application is required if the source or target host HSM is running CCA 8.4 firmware.

    For more detailed information about required TKE versions for accessing the various CEX*C features, see CEX8C information.

This is the maximum supported hardware configuration:

  • IBM z17 ™ with carry-forward configuration and CCA host library 8.4 loaded (see also IBM z17 (9175) Technical Guide).

    With the following restrictions:

    • 60 total adapters, minimum of 2 adapters
    • maximum of 16 single adapter features
    • maximum of 30 dual adapter features

    In any combination of:

    • 1-30 FC-0908 (dual CEX8C) features
    • 1-16 FC-0909 (single CEX8C) features
    • 1-30 FC-0898 (dual CEX7C) features
    • 1-16 FC-0899 (single CEX7C) features

This hardware configuration is also supported:

  • IBM z16® with 60 CEX8C adapters total in the machine with CCA 8.1z firmware loaded. The CEX8S adapter feature is available as single (feature code 0909) or dual HSM feature (feature code 0908). The maximum number of combined features of all types cannot exceed 60 HSMs on an IBM z16 A01. This means the maximum number for feature code 0908 (dual HSM) is 30, for all other (single HSM) types is 16 when installed exclusively (see IBM z16 (3931) Technical Guide).
  • IBM z16 with carry-forward configuration and CCA host library 8.4 loaded.

    With the following restrictions:

    • 60 total adapters, minimum of 2 adapters
    • maximum of 16 single adapter features
    • maximum of 30 dual adapter features

    In any combination of:

    • 1-30 FC-0908 (dual CEX8C) features
    • 1-16 FC-0909 (single CEX8C) features
    • 1-30 FC-0898 (dual CEX7C) features
    • 1-16 FC-0899 (single CEX7C) features
    • 1-16 FC-0893 (single CEX6C) features
  • IBM z15® with carry-forward configuration and CCA host library 8.4 loaded. loaded.

    With the following restrictions:

    • 60 total adapters, minimum of 2 adapters
    • maximum of 16 single adapter features
    • maximum of 30 dual adapter features

    In any combination of:

    • 1-30 FC-0898 (dual CEX7C) features
    • 1-16 FC-0899 (single CEX7C) features
    • 1-16 FC-0893 (single CEX6C) features
    • 1-16 FC-0890 (single CEX5C) features
  • IBM z14® with carry-forward configuration and CCA host library 8.4 loaded.

    With the following restrictions:

    • 16 total adapters, minimum of 2 adapters
    • maximum of 16 single adapter features

    In any combination of:

    • 1-16 FC-0893 (single CEX6C) features
    • 1-16 FC-0890 (single CEX5C) features
  • IBM z13® with CCA host library 8.4 loaded. loaded.

    With the following restrictions:

    • 16 total adapters, minimum of 2 adapters
    • maximum of 16 single adapter features

    In a combination of:

    • 2-16 FC-0890 (single CEX5C) features

See Concurrent installations/> for details about a mixed environment of CEX8S and previous CEX*C features.

To determine whether a Crypto Express adapter available to Linux on IBM Z is a CEX5C, CEX6C, CEX7C, or a CEX8C, see Listing CCA coprocessors.

Apply the following APAR fixes on the appropriate z/VM systems to achieve the applicable cryptographic coprocessor support:

On z/VM 7.2, apply the following APAR fixes:

VM66496
APVIRT live guest relocation (LGR) improvements
VM66532
Guest exploitation support for CEX8s adapters on the IBM z16family.
VM66534
Host interrupt support for APVIRT processing

On z/VM 7.3, apply the following APAR fixes:

VM66423
Hardware filtering to enforce restrictions on classes of requests. This support is intended to be used to limit operations on shared crypto resources

For z/VM 7.4, there are no crypto-relevant APARS. The z/VM 7.4 base is adequate.