Edition SC34-7731-03: Content for libzpc versions 1.3 and 1.4

What's new for libzpc version 1.3

Up to libzpc version 1.2, there were three possible origins for a protected key, namely the secure key of type CCA or EP11 from a crypto adapter, a randomly created protected key, or a protected key created from a clear key value.

With libzpc version 1.3, a new protected key origin is introduced: the ultravisor retrievable secret. Protected keys derived from retrievable secrets can be certain AES or ECC keys. You can use protected keys derived from retrievable secrets for encryption and decryption (AES), and for sign and verify operations (ECC). Support for such protected keys can only be used on a KVM guest running with IBM® Secure Execution for Linux® (KVM SEL guest) on an IBM z17™ processor.

What's new for libzpc version 1.4

In addition to the AES and ECC protected keys derived from retrievable secrets that are supported since version 1.3, libzpc version 1.4 supports further types of protected keys whose origin is a retrievable secret: full-XTS and HMAC protected keys.

For these types of libzpc key objects, the following enhancements are provided:

  • Support for full-XTS AES protected keys derived from retrievable secrets and created from clear key data is added. A new group of APIs is provided to perform AES-XTS operations. This requires CPACF functionality from MSA 10 on an IBM z17.
  • Support for HMAC protected keys derived from retrievable secrets and created from clear key data is added. A new group of APIs is provided for hash-based message authentication (HMAC): HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512. This requires CPACF functionality from MSA 11 on an IBM z17.