-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Nikita Dubrovskii <[email protected]>
- Loading branch information
1 parent
31a0284
commit 821351b
Showing
1 changed file
with
51 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # IBM Secure Boot for Linux | ||
| --- | ||
|
|
||
| # Overview | ||
|
|
||
| z/VM® supports guest secure IPL. Guest secure IPL supports the NIAP (National Information Assurance Partnership) operating system protection profile, which supports the Common Criteria certification. | ||
|
|
||
| A z/VM user can request that the machine loader validate the signed IPL code by using the security keys that were previously loaded by the customer into the HMC certificate store. The validation ensures that the IPL code is intact, unaltered, and originates from a trusted build-time source. | ||
|
|
||
| This support provides the ability for a Linux guest to exploit hardware to validate the code being booted, helping to ensure it is signed by the client or its supplier. | ||
|
|
||
| Support is provided for the following device types: | ||
| - SCSI devices. | ||
| - ECKD devices. | ||
|
|
||
| --- | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| ### Security keys are loaded onto the HMC certificate store | ||
|
|
||
| It is the customer's responsibility to ensure that the security keys that are required by a guest are present on the destination system.Security keys are required on all members of a relocation domain where a guest might be relocated and later IPLed with the secure option. For more information, see [How to enable secure boot on the HMC](https://www.ibm.com/support/pages/how-enable-secure-boot-hmc). | ||
|
|
||
| ### The IPL device number and the SECURE option load parameters are set | ||
|
|
||
| The load parameters can be set in the user directory LOADDEV statement or by using the [CP SET LOADDEV commands](https://www.ibm.com/docs/en/zvm/7.3?topic=commands-set-loaddev). All required parameters must be set, including the device number and the SECURE option. | ||
|
|
||
| ### A list-directed IPL is initiated and the LOADDEV or DUMPDEV operand is specified | ||
|
|
||
| A list directed IPL can be specified in the user directory IPL statement or by using the CP IPL command. The IPL statement must specify the LOADDEV operand. The CP IPL command must specify the LOADDEV. | ||
|
|
||
|
|
||
| # Turning Secure Boot on | ||
|
|
||
| 1) Assuming we have RHCOS installed on disk ECKD disk `ABCD` (`rd.dasd=0.0.abcd`), we have to set from zVM terminal it as LOADDEV: | ||
| ``` | ||
| # cp set loaddev eckd dev ABCD secure | ||
| ``` | ||
|
|
||
| 2) Install RHCOS same way as [before](https://docs.openshift.com/container-platform/4.13/installing/installing_ibm_z/preparing-to-install-on-ibm-z.html) | ||
|
|
||
| 3) Login into installed RHCOS and ensure the output: | ||
| ``` | ||
| $ cat /sys/firmware/ipl/has_secure | ||
| 1 | ||
| ``` | ||
|
|
||
| 4) Poweroff RHCOS and start it from zVM terminal: | ||
| ``` | ||
| # cp ipl loaddev | ||
| ``` |