IBM 4765 PCIe Cryptographic Coprocessor

Custom programming

IBM has created the IBM 4765 PCIe Cryptographic Coprocessor Toolkit that can be used to create or extend the application program that performs within the coprocessor. The Toolkit enables users to create entirely new applications for the coprocessor. It also enables users to extend the functionality of IBM's CCA application program in the form of a user-defined extension (UDX).

Such application programs operate within Segment 3 of coprocessor memory and can take full advantage of the Linux embedded operating system to perform security-sensitive tasks and/or to perform cryptographic operations.

The UDX development workstation supports the Red Hat® Enterprise Linux® (RHEL) operating system and SUSE® Linux Enterprise Server (SLES) operating system. Support is available for either 64-bit or 32-bit instruction set architectures on the following releases:

Note: The debugger currently requires a 32-bit environment.

When a UDX has been developed, it must be deployed to a supported server platform with an IBM 4765 PCIe cryptographic coprocessor installed. The IBM System x and the IBM Power Systems platforms are supported as shown:

IBM System x

Note: Smart card support currently requires 32-bit libraries.

IBM Power Systems

Note: AIX allows for flexible deployment in 64-bit or 32-bit mode. Smart card support is not available on AIX.

The Toolkit is not offered as an IBM product. Rather, it is available as part of a services offering on a custom contract.

A Toolkit custom contract normally provides:

  • Education on preparing programs to operate within the coprocessor
  • A copy of the Toolkit
  • Follow-up support
  • Assignment of a unique identifier for user code and certification of code-signing keys

Frequently a custom contract provides consultation to hasten application development, and sometimes provides for initial development by IBM. Whenever needed, IBM is also able to bid on developing your custom solution or extension.

Availability of the Toolkit is subject to the export regulations of the United States Government, and in some cases the import regulations of other countries. At the present time, IBM is generally able to export the Toolkit to customers within the European Union, and to customers in these additional countries: Australia, Canada, Japan, and New Zealand. Other potential customers should submit an inquiry to one of the Toolkit contacts.

Applications created or extended with the Toolkit may also be subject to the export regulations of the United States Government, and in some cases to the import regulations of other nations.

Toolkit coprocessor application code is compiled and linked using the GNU Compiler Collection (gcc) which targets the PowerPC architecture of the 4765. The Toolkit also provides a source-level debugger called ICAT for examining application code as it performs within the coprocessor.

To gain a further understanding of the Toolkit and how applications are developed, review these IBM 4765 PCIe Cryptographic Coprocessor publications that are available for download from the library page:

  • Custom Software Developer's Toolkit Guide
  • Custom Software Interface Reference
  • CCA User-Defined Extensions Guide and Reference
  • ICAT Debugger Getting Started
  • CCA Basic Services Reference and Guide

Official MD5 sum for the 4.4.16 xSeries 4765 Toolkit

The official MD5 hexadecimal sum for the 4.4.16 xSeries 4765 Toolkit (y4tk.v44162.x86.20131206.tgz) is: cb7a573888802dbbe29b91bfe2f6bedb

Official MD5 sum for the 4.3.5 xSeries 4765 Toolkit

The official MD5 hexadecimal sum for the 4.3.5 xSeries 4765 Toolkit (y4tk.v43544.x86.20130430.tgz) is: 0da3c3983497205cf5bcbc83052e3e3a

Official MD5 sum for the 4.2.5 xSeries 4765 Toolkit

The official MD5 hexadecimal sum for the 4.2.5 xSeries 4765 Toolkit (y4tk.v42543.20111028.tgz) is: 13e0416d10860619c82c32fc80db333d

Toolkit contacts

If you wish to inquire further about the Toolkit, please contact the Crypto team.

If you wish to inquire further about a UDX, please contact one of the following IBM representatives:

News for current customers

Spotlight

New product release CCA 5.0 for Linux on IBM z Systems™ now available effective July 2015. See Overview page for additional information.

IBM PureFlex™ customers can purchase an IBM 4765 as an add-on feature as of September 10, 2013. See CCA Release 4.3.5 for more information.

New product release CCA 4.3.8 for IBM 4765 now available on IBM AIX operating system effective June 2013. See Library page for additional information.


As of February 19, 2013, the 4765 hardware security module (HSM) is validated to meet the MEPS (Méthode d'Évaluation des Produits Securitaire "bancaires") approval scheme used by Cartes Bancaires (CB) banking ecosystem. This standards certification allows the 4765 HSM to be used by CB member banks on their dedicated payment networks.


New product release for IBM 4765 now available on IBM ServerProven System x servers, effective July 2012. This release includes support for the SLES 11.2 O/S. Support is also included for controlling the wrapping of a key with a weaker key, DUKPT for encryption and MAC keys, ciphertext translation, and AMEX enhanced CSC generation and PIN/Change Unblock.

Important notice to ECC users: This release contains important security-related changes for ECC users. See Release 4.3.4 information for details.

Effective December 2011, new add-on features are being offered for the IBM 4765 on System x to support additional operating systems. See the IBM 4765 software updates page.


On System z, the coprocessor is available as Crypto Express3 and is also available for Linux.