From: Harald Freudenberger <freude@linux.ibm.com>
To: Finn Callies <fcallies@linux.ibm.com>
Cc: richard.henderson@linaro.org, iii@linux.ibm.com,
david@kernel.org, thuth@redhat.com, berrange@redhat.com,
qemu-s390x@nongnu.org, qemu-devel@nongnu.org,
linux390-list@tuxmaker.boeblingen.de.ibm.com,
linux-s390@vger.kernel.org, dengler@linux.ibm.com,
borntraeger@linux.ibm.com, cohuck@redhat.com
Subject: Re: [PATCH v7 15/17] docs/s390: Document CPACF instructions support
Date: Tue, 23 Jun 2026 15:20:53 +0200 [thread overview]
Message-ID: <e24743de41855903880667f0f12f66bd@linux.ibm.com> (raw)
In-Reply-To: <b2dd136a-828a-4771-9f9d-5da8a4f6634e@linux.ibm.com>
On 2026-06-18 08:28, Finn Callies wrote:
> On 17.06.26 11:48, Harald Freudenberger wrote:
>> Add a first document covering the Qemu s390 CPACF instructions
>> and functions supported.
>>
>> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
>
> With the one comment applied:
>
> Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
>
>> ---
>> docs/system/s390x/cpacf.rst | 116
>> +++++++++++++++++++++++++++++++++++
>> docs/system/target-s390x.rst | 1 +
>> 2 files changed, 117 insertions(+)
>> create mode 100644 docs/system/s390x/cpacf.rst
>>
>> diff --git a/docs/system/s390x/cpacf.rst b/docs/system/s390x/cpacf.rst
>> new file mode 100644
>> index 0000000000..85f35b4e9c
>> --- /dev/null
>> +++ b/docs/system/s390x/cpacf.rst
>> @@ -0,0 +1,116 @@
>> +CPACF Support
>> +=============
>> +
>> +CPACF
>> +-----
>> +
>> +CP Assist for Cryptographic Function (CPACF) is a hardware-integrated
>> +coprocessor feature built into every processor core of IBM Z and
>> +LinuxONE mainframes (s390x architecture). It provides high-speed,
>> +hardware-accelerated encryption and hashing directly on the CPU.
>> +
>> +CPACF provides a set of z/Architecture instructions (known as Message
>> +Security Assist or MSA) that execute cryptographic operations
>> +synchronously with the main processor.
>> +
>> +- Symmetric Encryption: Support for AES (128, 192, 256-bit), DES, and
>> + Triple-DES (TDES).
>> +- Hashing: Acceleration for SHA-1, SHA-2 (up to SHA-512), SHA-3 and
>> + SHAKE.
>> +- Random Number Generation: Pseudo Random Number Generator (PRNG) and
>> + a hardware-based True Random Number Generator (TRNG).
>> +- Asymmetric Support: Elliptic Curve Cryptography (ECC) primitives
>> + P-256, P-384, P-521, Montgomery/Edwards curves (e.g., Ed25519).
>> +
>> +Documentation about CPACF instructions is public available and
>> +can be found in the "z/Architecture Principles of Operation"
>> +accessible at the IBM documentation hub https://www.ibm.com/docs/en.
>> +For example the latest version as a pdf is available here:
>> +https://www.ibm.com/support/pages/zvm/library/other/22783214.pdf
>> +
>> +
>> +CPACF instructions
>> +------------------
>> +
>> +Here is a list of implemented CPACF instructions and the supported
>> +functions for each instruction:
>> +
>> +KDSA (COMPUTE DIGITAL SIGNATURE AUTHENTICATION)
>> +- Function code 0x00 - Function Query
>> +
>> +KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x02 - CPACF_KIMD_SHA_256
>> +- Function code 0x03 - CPACF_KIMD_SHA_512
>> +
>> +KLMD (COMPUTE LAST MESSAGE DIGEST)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x02 - CPACF_KLMD_SHA_256
>> +- Function code 0x03 - CPACF_KLMD_SHA_512
>> +
>> +KM (CIPHER MESSAGE)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x12 - CPACF_KM_AES_128
>> +- Function code 0x13 - CPACF_KM_AES_192
>> +- Function code 0x14 - CPACF_KM_AES_256
>> +- Function code 0x1a - CPACF_KM_PAES_128
>> +- Function code 0x1b - CPACF_KM_PAES_192
>> +- Function code 0x1c - CPACF_KM_PAES_256
>> +- Function code 0x32 - CPACF_KM_XTS_128
>> +- Function code 0x34 - CPACF_KM_XTS_256
>> +- Function code 0x3a - CPACF_KM_PXTS_128
>> +- Function code 0x3c - CPACF_KM_PXTS_256
>> +
>> +KMAC (COMPUTE MESSAGE AUTHENTICATION CODE)
>> +- Function code 0x00 - Function Query
>> +
>> +KMC (CIPHER MESSAGE WITH CHAINING)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x12 - CPACF_KMC_AES_128
>> +- Function code 0x13 - CPACF_KMC_AES_192
>> +- Function code 0x14 - CPACF_KMC_AES_256
>> +- Function code 0x1a - CPACF_KMC_PAES_128
>> +- Function code 0x1b - CPACF_KMC_PAES_192
>> +- Function code 0x1c - CPACF_KMC_PAES_256
>> +
>> +KMCTR (CIPHER MESSAGE WITH COUNTER)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x12 - CPACF_KMCTR_AES_128
>> +- Function code 0x13 - CPACF_KMCTR_AES_192
>> +- Function code 0x14 - CPACF_KMCTR_AES_256
>> +- Function code 0x1a - CPACF_KMCTR_PAES_128
>> +- Function code 0x1b - CPACF_KMCTR_PAES_192
>> +- Function code 0x1c - CPACF_KMCTR_PAES_256
>> +
>> +KMF (CIPHER MESSAGE WITH CIPHER FEEDBACK)
>> +- not supported
>> +
>> +KMO (CIPHER MESSAGE WITH OUTPUT FEEDBACK)
>> +- not supported
>
> You list these as unsupported but KMA is missing completely. At least
> mention it as unsupported as well as you do so for KMO and KMF or
> leave the unsupported ones out completely.
>
KMA is MSA 8. I am not sure if qemu even has configured some MSA 8.
I'll check this - but as of now all unknown instructions (and KMA is
one of this) would result in a Operation Exception. However, at least
KMA shold be listed then below. I'll check this maybe add KMA query
support or at least document it here.
Update: MSA 8 is listed in qemu. So i added KMA to the docu.
>> +
>> +PCC (PERFORM CRYPTOGRAPHIC COMPUTATION)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x32 - compute XTS param AES-128
>> +- Function code 0x34 - compute XTS param AES-256
>> +- Function code 0x3a - compute XTS param Encrypted AES-128
>> +- Function code 0x3c - compute XTS param Encrypted AES-256
>> +
>> +PCKMO (PERFORM CRYPTOGRAPHIC KEY MANAGEMENT OPERATION)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x12 - CPACF_PCKMO_ENC_AES_128_KEY
>> +- Function code 0x13 - CPACF_PCKMO_ENC_AES_192_KEY
>> +- Function code 0x14 - CPACF_PCKMO_ENC_AES_256_KEY
>> +
>> +PRNO (PERFORM RANDOM NUMBER OPERATION)
>> +- Function code 0x00 - Function Query
>> +- Function code 0x72 - CPACF_PRNO_TRNG
>> +
>> +Note that the use of a not supported CPACF instruction (KMF and KMO)
>> +or invocation of a not listed function will result in a Specification
>> +Exception.
>> +
>> +Not listed CPACF instructions (KMF, KMO) cause an Operation Exception
^^^ here I added KMA
>> +when used. Not listed functions cause a Specification Exception when
>> +called. If only the query function is listed (KDSA), then the query
>> +function will return a function status word with all but the query
>> +function bit set to 0.
>> diff --git a/docs/system/target-s390x.rst
>> b/docs/system/target-s390x.rst
>> index 94c981e732..49159826eb 100644
>> --- a/docs/system/target-s390x.rst
>> +++ b/docs/system/target-s390x.rst
>> @@ -35,3 +35,4 @@ Architectural features
>> s390x/bootdevices
>> s390x/protvirt
>> s390x/cpu-topology
>> + s390x/cpacf
next prev parent reply other threads:[~2026-06-23 13:21 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 9:48 [PATCH v7 00/17] target/s390x: Extend qemu CPACF support Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 01/17] target/s390x: Rework s390 cpacf implementations Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 02/17] target/s390x: Move cpacf sha512 code into a new file Harald Freudenberger
2026-06-18 4:54 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 03/17] target/s390x: Support cpacf sha256 Harald Freudenberger
2026-06-18 5:18 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 04/17] target/s390x: Support AES ECB for cpacf km instruction Harald Freudenberger
2026-06-18 5:22 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 05/17] target/s390x: Support AES CBC for cpacf kmc instruction Harald Freudenberger
2026-06-18 5:27 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 06/17] target/s390x: Support AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-06-18 5:31 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 07/17] target/s390x: Minimal AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-06-18 5:35 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 08/17] target/s390x: Support AES XTS for cpacf km instruction Harald Freudenberger
2026-06-18 5:45 ` Finn Callies
2026-06-22 14:25 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 09/17] target/s390x: Support pckmo encrypt AES subfunctions Harald Freudenberger
2026-06-18 5:50 ` Finn Callies
2026-06-22 14:34 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 10/17] target/s390x: Support protected key AES ECB for cpacf km instruction Harald Freudenberger
2026-06-18 5:57 ` Finn Callies
2026-06-22 15:05 ` Harald Freudenberger
2026-06-22 15:41 ` Hendrik Brueckner
2026-06-18 6:05 ` Finn Callies
2026-06-23 12:02 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 11/17] target/s390x: Support protected key AES CBC for cpacf kmc instruction Harald Freudenberger
2026-06-18 6:08 ` Finn Callies
2026-06-23 12:24 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 12/17] target/s390x: Support protected key AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-06-18 6:10 ` Finn Callies
2026-06-23 12:32 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 13/17] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-06-18 6:18 ` Finn Callies
2026-06-23 12:34 ` Harald Freudenberger
2026-06-18 6:21 ` Finn Callies
2026-06-17 9:48 ` [PATCH v7 14/17] target/s390x: Support protected key AES XTS for cpacf km instruction Harald Freudenberger
2026-06-18 6:22 ` Finn Callies
2026-06-23 12:36 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 15/17] docs/s390: Document CPACF instructions support Harald Freudenberger
2026-06-18 6:28 ` Finn Callies
2026-06-23 13:20 ` Harald Freudenberger [this message]
2026-06-17 9:48 ` [PATCH v7 16/17] crypto: Add aes-helpers file to support some AES modes Harald Freudenberger
2026-06-18 6:31 ` Finn Callies
2026-06-23 13:24 ` Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 17/17] target/s390x: Use generic AES helper functions Harald Freudenberger
2026-06-18 6:35 ` Finn Callies
2026-06-18 5:37 ` [PATCH v7 00/17] target/s390x: Extend qemu CPACF support Finn Callies
2026-06-23 14:53 ` Harald Freudenberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e24743de41855903880667f0f12f66bd@linux.ibm.com \
--to=freude@linux.ibm.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@kernel.org \
--cc=dengler@linux.ibm.com \
--cc=fcallies@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=linux390-list@tuxmaker.boeblingen.de.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox