There's a redbook (SG24-6870) which seems to offer an answer, specifically 
in Section 7.1.  Here's what it says:

- - - - -

Linux on zSeries does not support the CCF coprocessors. Instead, a generic 
device driver, z90crypt, is provided to route the cryptographic work to 
the PCICC or PCICA cards, as shown in Figure 7-1.

According to Linux concepts, z90crypt is a device which is driven through 
the device node /dev/z90crypt using the device driver z90crypt.o. As such, 
z90crypt is invoked via the Linux I/O interface calls: get a device 
handle, open, read, ioctl, and close. As an example, "read" is used to get 
pseudo random bytes from the coprocessor, and other cryptographic services 
are requested via the 'ioctl' function parameter.

In z90crypt, the focus is given to RSA cryptographic operations, the 
intent being mostly to provide hardware assistance to the SSL handshake. 
The extent of the hardware assistance depends on the type of PCI card 
used, as indicated in the provided hardware services, and all these 
cryptographic functions are performed using clear keys only.

Therefore, the support of the hardware cryptographic coprocessors 
by Linux can be characterized as follows:

- If Linux for zSeries is the only hardware coprocessor exploiter running 
in the whole physical system, the CCF coprocessors do not have to be 
enabled (and therefore a system Power-on Reset is not required as a 
preamble to providing hardware crypto services).

- If PCICC cards are to be installed, the PCICC FCV diskette must have 
been imported and loaded into the HSA for proper initialization of the 
PCICC card(s) at installation time.

Note: If there is a mix of PCICC and PCICA in the system, z90crypt will 
use the PCICA card(s) only.

There is no hardware assistance provided for symmetric encryption and 
decryption as it is performed, for instance, during the data transfer part 
of the SSL protocol.

Because the provided services use clear keys only, note the following:

- No key store facility, or PKDS equivalent, is provided.

- The crypto "domain" concept, although still applied for the PR/SM setup, 
is irrelevant to the exploitation of the hardware coprocessors by Linux 
for zSeries.

Note that the z90crypt driver can still access the cryptographic 
coprocessors through virtualization layers, as shown in Figure 7-2.

- - - - -

So the encryption acceleration is somewhat limited (i.e. SSL handshakes 
only, not with CCF) on the z900/z800 and prior. There's some updated 
information here:

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS802

which describes the newer encryption hardware available on newer models 
(e.g. CPACF on z990/z890/z9). Linux can better exploit the encryption 
facilities on newer hardware.

Hope that helps!

- - - - -
Timothy F. Sipples
Consulting Enterprise Software Architect, z9/zSeries
IBM Japan, Ltd.
E-Mail: [EMAIL PROTECTED]
