Key security considerations for Linux on IBM Power Systems

By and George Wilson | 5 minute read | February 17, 2020

One of the greatest challenges in the computer industry is reducing the risk of cyber attack.  Cyber criminals are constantly developing new methods to infiltrate and attack organizations by circumventing computer security. Key to reducing cybersecurity risk is utilizing a “defense in depth,” or multilayered, approach. IBM Power Systems and the POWER9 processor are designed to facilitate this security approach by providing different layers of security protection, including security for the hardware, operating system, firmware, hypervisor and security tooling, like IBM PowerSC.

In this post, we’ll focus on some key security recommendations related to Linux on IBM Power Systems for you to consider utilizing as you move to IBM POWER9.

1. OS boot security improvements on OpenPOWER systems

Systems can be easily configured to boot a compromised OS kernel if no measures are taken to ensure kernels’ integrity. Two new firmware features are being developed that are designed to improve the security of booting non-virtualized operating systems on OpenPOWER hardware.

The first is called secure boot. Secure boot — or verified boot — checks that OS kernels are valid before allowing them to boot. OS providers supply OS kernels that they sign cryptographically.  When system administrators install OS kernels, they also install corresponding kernel verification keys into protected system flash storage. Before the bootloader boots a selected kernel, it uses the one of the verification keys to check the kernel against the original kernel signature. The bootloader boots the kernel only if the check succeeds, thus preventing unvetted kernels or modified kernel images from booting.

The second we call trusted boot. Trusted boot securely stores a cryptographic hash of a kernel image before it boots, which provides an indelible record of precisely which kernel booted for future assessment. The bootloader takes a cryptographic hash of the kernel image, records it in an event log, and uses it to update the state of a register in the Trusted Platform Module (TPM) called a Platform Configuration Register.

A prominent use case for trusted boot is called remote attestation. After a system boots, a second system can check which kernel has booted on the first system by requesting its event log and TPM-signed Platform Configuration Register set. The second system can then use this data to appraise the first system’s state before it continues interacting.

Firmware secure boot and trusted boot are already enabled on IBM POWER9 systems. We anticipate that OpenPOWER OS secure boot and trusted boot will become available for select Power Systems in a future firmware update.

2. Cybersecurity profiles available with PowerSC graphical user interface

IBM PowerSC is a suite of cybersecurity tooling for IBM Power Systems. The “S” in PowerSC stands for “security,” and the “C” stands for “compliance.” There are several different tools in this suite. One tool, the PowerSC graphical user interface, provides a web browser-based interface that provides centralized security configuration, management, monitoring and reporting information. It provides the ability to deploy a security profile, which consists of a set of operating system security settings, to multiple systems from the web browser-based centralized management server.

For Linux on Power endpoints (excluding those running in big endian mode on Red Hat Enterprise Linux [RHEL] 7), PowerSC can provide security hardening for SUSE Linux Enterprise Server (SLES) 12 SP3 and Red Hat Enterprise Linux Server 7.4. PowerSC currently provides Linux security hardening profile support for your PCI-DSS and GDPR compliance obligations. The goal of these two profiles is to help clients address the subset of their compliance requirements that relate to operating system security hardening. It’s also possible to create customized profiles that include any portion or combination of these two profiles.

3. SLES Security Hardening Guide for the SAP HANA® Platform

If you run the SAP HANA platform for Linux on Power, you should be aware of system hardening advice from SUSE. SUSE provides the “Operating System Security Hardening Guide for SAP HANA,” which offers recommendations for operating system security hardening measures for SLES 11 when running SAP HANA on an SLES host, as well as the “Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise 12,” which is updated for SLES 12 hosts. Both of these guides provide numerous recommendations for improving the security of your operating system environments when specifically running SAP HANA on SLES. Additionally, SUSE has also recently released a hardening guide version for SLES 15. It’s our opinion that most of the recommendations in these guides can also be utilized to reduce cybersecurity risk when running SAP HANA on Red Hat Enterprise Linux.

4. Cryptographic enhancements

Poorly performing cryptography can be an impediment to the protection of sensitive data, both in transit and at rest. OpenSSL in RHEL 8, SLES 15 and Ubuntu 19.04 utilizes Vector Multimedia Extension (VMX) cryptographic support instructions available with POWER9. This new support is designed for better performance of cryptographic operations for the following algorithms:

  • AES
  • ChaCha20
  • ECC Curve NISTZ256
  • ECC Curve X25519
  • Poly1305
  • SHA2
  • SHA3

Also, the Linux kernel contains VMX acceleration for these algorithms:

  • AES

And, Golang incorporates VMX acceleration for these algorithms:

  • AES
  • MD5
  • SHA-2
  • ChaCha20
  • Poly1305

Similar updates are currently in progress for additional upstream projects including libgcrypt, NSS and GnuTLS, and IBM continues working to improve the performance of cryptography on POWER9 in these and other open source projects.

Defend yourself against cyberattack

An organization can never reduce its cybersecurity risk to zero. Reducing cybersecurity risk is a never-ending process of adapting your security measures to a constantly changing cybersecurity landscape. However, thoughtfully and carefully implementing a defense in depth cybersecurity strategy might be the difference in preventing your organization from experiencing a cybersecurity breach. This post has recommended four layers of security that can help you take meaningful steps towards achieving a robust defense in depth cybersecurity implementation.

IBM Systems Lab Services provides a Linux Security Assessment for SAP HANA. This consulting service is the first step in realizing what it takes to implement a defense in depth cybersecurity implementation for Linux systems. Lab Services also provides a PowerSC proof of concept service that assists organizations with installation, configuration and administrative best practices when using PowerSC with AIX, Linux systems or IBM i.

For more information on either of these services, or anything related to Linux on Power security, please contact us today.