linux-drivers/
drivers/s390/crypto

IBM Z Crypto Express (CEX) hardware security modules

Support for IBM Z mainframe Crypto Express adapters and the Adjunct Processor bus that connects them. These cryptographic coprocessors and hardware security modules accelerate RSA, ECC, and symmetric crypto in accelerator, CCA, or EP11 modes, and are standard equipment on current IBM z16 and z17 systems used by banks, governments, and other regulated Linux-on-Z workloads.

keep conf=0.91 deploy=medium replacement=none subsystem=s390 category=crypto
91%

recommendation

It should stay because the hardware still ships on IBM's current z16 and z17 mainframes, the directory sees sustained upstream development with patches landing as recently as 2026, and nothing else in the kernel covers the AP bus, zcrypt, pkey, or vfio_ap stack. The on-CPU CPACF facility is a separate feature, not a replacement, so this is a clear keep for any kernel used on IBM Z.

repository signals

39 files
21,922 source lines
316 commits, 5y
+14,959 / −11,099 lines added / removed, 5y
48 authors, 5y
monthly commits · 2021-04-21 → 2026-04-21 · 316 total · active in 58/61 months
2021 2022 2023 2024 2025 2026 2021-04: 3 commits · +113 −23 2021-05: 3 commits · +20 −15 2021-06: 8 commits · +196 −150 2021-07: 1 commit · +1 −3 2021-08: 9 commits · +442 −316 2021-09: 6 commits · +143 −61 2021-10: 8 commits · +390 −143 2021-11: 7 commits · +376 −98 2021-12: 1 commit · +44 −0 2022-01: 3 commits · +139 −67 2022-02: 2 commits · +28 −7 2022-03: 11 commits · +347 −134 2022-04: 5 commits · +1,020 −708 2022-05: 3 commits · +17 −44 2022-06: 1 commit · +6 −3 2022-07: 9 commits · +56 −91 2022-08: 1 commit · +30 −0 2022-09: 13 commits · +133 −119 2022-10: 3 commits · +57 −31 2022-11: 5 commits · +8 −14 2022-12: 2 commits · +18 −2 2023-01: 9 commits · +103 −65 2023-02: 5 commits · +301 −307 2023-03: 9 commits · +344 −144 2023-04: 5 commits · +387 −225 2023-05: 3 commits · +136 −1 2023-06: 6 commits · +62 −1,108 2023-07: 7 commits · +317 −126 2023-08: 15 commits · +224 −122 2023-09: 3 commits · +89 −21 2023-10: 5 commits · +53 −40 2023-11: 7 commits · +229 −162 2023-12: 0 commits · +0 −0 2024-01: 16 commits · +860 −659 2024-02: 11 commits · +109 −47 2024-03: 6 commits · +165 −114 2024-04: 5 commits · +240 −33 2024-05: 7 commits · +71 −75 2024-06: 0 commits · +0 −0 2024-07: 6 commits · +66 −78 2024-08: 8 commits · +4,773 −3,530 2024-09: 4 commits · +271 −26 2024-10: 8 commits · +433 −206 2024-11: 2 commits · +23 −11 2024-12: 1 commit · +64 −64 2025-01: 2 commits · +55 −3 2025-02: 3 commits · +6 −6 2025-03: 2 commits · +57 −29 2025-04: 24 commits · +1,042 −1,100 2025-05: 2 commits · +5 −5 2025-06: 2 commits · +10 −1 2025-07: 1 commit · +1 −1 2025-08: 1 commit · +3 −1 2025-09: 1 commit · +1 −1 2025-10: 4 commits · +42 −10 2025-11: 6 commits · +239 −310 2025-12: 2 commits · +9 −7 2026-01: 2 commits · +21 −5 2026-02: 4 commits · +36 −40 2026-03: 1 commit · +14 −18 2026-04: 0 commits · +0 −0

sources

  1. lore.kernel.org

    The subsystem is still receiving upstream work in 2026; a March 24, 2026 patch touched ap_bus.c ('s390/ap: use generic driver_override infrastructure').

  2. ibm.com

    IBM z16 product material explicitly references the Crypto Express 8S card, showing Crypto Express hardware remained part of current IBM Z offerings in the z16 generation.

  3. ibm.com

    IBM z17 HMC documentation describes configuring and monitoring installed Crypto Express features as current system hardware, indicating ongoing availability/use in the z17 generation.

  4. ibm.com

    IBM Linux on Z documentation describes Crypto Express adapters, their accelerator/CCA/EP11 modes, and AP queues, matching this driver's hardware scope and showing it remains a supported Linux-on-IBM-Z feature.

codex reasoning notes (technical)

Real driver directory: contains AP bus, zcrypt, pkey, and vfio_ap driver code. lore_file_timeline tool on drivers/s390/crypto/ap_bus.c showed sustained activity through 2026-03-24 with hundreds of touches in the last 5 years; that argues strongly against deprecation/removal. Web search found IBM z16 product material and IBM z17/HMC + Linux-on-Z docs showing Crypto Express is still present in current IBM Z generations, so hardware is still sold and deployed. No natural upstream replacement driver covers the same AP/Crypto Express/HSM stack; CPACF is a different facility, not a drop-in replacement. Removal-talk absence is an inference from active lore traffic plus failed/empty targeted removal-search attempts, not a direct cited negative proof.