From b4a4e0e3d63b5150e7e508bd36705706e9bb5042 Mon Sep 17 00:00:00 2001 From: Nikita Dubrovskii Date: Tue, 24 Oct 2023 16:04:42 +0200 Subject: [PATCH] s390x: SecureBoot enablement Signed-off-by: Nikita Dubrovskii --- os/20231024-s390x-zvm-secure-boot.md | 75 ++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 os/20231024-s390x-zvm-secure-boot.md diff --git a/os/20231024-s390x-zvm-secure-boot.md b/os/20231024-s390x-zvm-secure-boot.md new file mode 100644 index 00000000..fd42347e --- /dev/null +++ b/os/20231024-s390x-zvm-secure-boot.md 
@@ -0,0 +1,75 @@ +# IBM Secure Boot for Linux +--- + +# Overview + +z/VM® supports guest secure IPL. Guest secure IPL supports the NIAP (National Information Assurance Partnership) operating system protection profile, which supports the Common Criteria certification. + +A z/VM user can request that the machine loader validate the signed IPL code by using the security keys that were previously loaded by the customer into the HMC certificate store. The validation ensures that the IPL code is intact, unaltered, and originates from a trusted build-time source. + +This support provides the ability for a Linux guest to exploit hardware to validate the code being booted, helping to ensure it is signed by the client or its supplier. + +Support is provided for the following device types: +- SCSI devices. +- ECKD devices. + +--- + +## Prerequisites + +### Security keys are loaded onto the HMC certificate store + +It is the customer's responsibility to ensure that the security keys that are required by a guest are present on the destination system.Security keys are required on all members of a relocation domain where a guest might be relocated and later IPLed with the secure option. For more information, see [How to enable secure boot on the HMC](https://www.ibm.com/support/pages/how-enable-secure-boot-hmc). + +### The IPL device number and the SECURE option load parameters are set + +The load parameters can be set in the user directory LOADDEV statement or by using the [CP SET LOADDEV commands](https://www.ibm.com/docs/en/zvm/7.3?topic=commands-set-loaddev). All required parameters must be set, including the device number and the SECURE option. + +### A list-directed IPL is initiated and the LOADDEV or DUMPDEV operand is specified + +A list directed IPL can be specified in the user directory IPL statement or by using the CP IPL command. The IPL statement must specify the LOADDEV operand. The CP IPL command must specify the LOADDEV. 
+ +# Enabling Secure Boot + +1) [Install RHCOS](https://docs.openshift.com/container-platform/4.13/installing/installing_ibm_z/preparing-to-install-on-ibm-z.html) +2) Login into installed system and ensure the output: + ``` + $ cat /sys/firmware/ipl/has_secure + 1 + ``` +3) Set target disk as zVM LOADEVICE +- ECKD + + Assuming RHCOS is installed on DASD disk `0.0.5223`, from zVM terminal execute: + ``` + # cp set loaddev eckd dev 5223 secure + ``` +- SCSI + + Assuming RHCOS is installed on FCP disk `0.0.8007,0x500507630400d1e3,0x4001404c00000000`, from zVM execute: + ``` + # cp set loaddev dev 8007 portname 50050763 0400d1e3 lun 4001404c 00000000 secure + ``` +4) Poweroff RHCOS and start it from zVM terminal: + ``` + # cp ipl loaddev + ``` +5) Ensure system runs with Secure Boot: + ``` + $ cat /sys/firmware/ipl/secure + 1 + ``` + Or + ``` + $ dmesg | grep "Secure-IPL enabled" + [ 0.029829] setup: Linux is running with Secure-IPL enabled + ``` + +# Proposal: Enabling Secure Boot at installation time + +Assuming zVM is ready for secure boot, we can setup LOADDEV at installation time + +## coreos-installer +1) Add new `coreos.inst.secureboot` karg and `--with-secure-boot` option. `coreos-installer-generator` appends the switch when karg is provided +2) During isntallation we check for `--with-secure-boot` and use `vmcp` tool to set LOADDEV +3) Add new systemd unit `coreos-installer-reboot-secure.service` to restart from LOADDEV or modify `coreos-installer-reboot.service` to do the same (which immediatly termintes running CoreOS VM)
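Review bot: In the proposal's coreos-installer section, step 2 sets LOADDEV through `vmcp` when `--with-secure-boot` is given, but it does not require the `/sys/firmware/ipl/has_secure` check that step 2 of the manual procedure performs first. It also does not say what the installer does if the `vmcp` call fails, or how it chooses between the ECKD form and the SCSI form (`portname`/`lun`) for the target disk. I would add a step that reads `has_secure` and aborts with a clear error before LOADDEV is touched, state how the device parameters are derived from the install target, and add a post-reboot check of `/sys/firmware/ipl/secure` to mirror manual step 5, so that a guest which did not boot with Secure-IPL is detected rather than assumed secure. Smaller points in the same file: step 3 says "zVM LOADEVICE" where the rest of the document uses LOADDEV; the third prerequisite heading names DUMPDEV but its body only covers LOADDEV; there is a missing space in "destination system.Security keys"; and the last two steps contain the typos "isntallation", "immediatly" and "termintes".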