Generate a Secure Execution image
This section describes how to create a Secure Execution image that IBM® Cloud Infrastructure Center can use to provision Secure Execution virtual machines.
Introducing IBM® Secure Execution for Linux.
**Note** These steps must be performed in the guest that is used to generate the Secure Execution enabled Linux KVM image.
1. Launch a guest with the regular image that can be used to generate an SE image. See instruction 1 to instruction 3 in [Creating images from ISO for KVM](./index.html).
2. Download the host key file to the host as described in [Obtaining a host key document from Resource Link](https://www.ibm.com/docs/en/linux-on-systems?topic=linux-obtain-host-key-document). For example: **`HKD-8561-025C5E8.crt`**
3. Log in as root to the guest that was created in the 'Configure the Linux server' instruction in [Creating images from ISO for KVM](./index.html), and copy the host key file to the guest.
4. After logging in to the guest, get the root UUID from the output of the command `cat /proc/cmdline`.
For example:
```
[root@rhel84-official ~]# cat /proc/cmdline
root=UUID=d47ead13-ec24-428e-9175-46aefa764b26 console=tty0 console=ttyS0,115200n8 no_timer_check net.ifnames=0 crashkernel=auto
```
5. Create a file named `parmfile` that contains the root UUID from the previous step.
For example:
```
root=UUID=d47ead13-ec24-428e-9175-46aefa764b26 crashkernel=196M swiotlb=262144
```
6. Get the `vmlinuz` file from the `/boot/` directory of the guest. For example: `/boot/vmlinuz-4.18.0-305.el8.s390x`.
7. Get the `initramfs` file from the `/boot/` directory of the guest. For example: `/boot/initramfs-4.18.0-305.el8.s390x.img`.
8. Generate the boot part of the IBM Secure Execution image with the `genprotimg` command, passing it the parmfile, the vmlinuz file, and the initramfs file. See [Generate an IBM Secure Execution image](https://www.ibm.com/docs/en/linux-on-systems?topic=linux-genprotimg-command-reference).
For example:
```
genprotimg -i /boot/vmlinuz-4.18.0-305.el8.s390x -r /boot/initramfs-4.18.0-305.el8.s390x.img -p parmfile -k HKD-8561-025C5E8.crt -o /boot/secure-linux --no-verify
```
9. Add the boot information to `/etc/zipl.conf`. See [A generic zipl configuration file](https://www.ibm.com/docs/en/linux-on-systems?topic=linux-boot-configurations).
For example:
```
# vi zipl.conf
...
[secure]
target=/boot
image=/boot/secure-linux
...
```
10. Create a device by running `zipl -V`. See [Red Hat Enterprise Linux BLS configuration](https://www.ibm.com/docs/en/linux-on-systems?topic=linux-boot-configurations).
11. Capture the image by following the instruction [Get the image](./index.html).
Note: The key file used to create a Secure Execution image must match the host that is used as the compute node. If it does not match, deploying the virtual machine succeeds, but its status soon changes to error because of a boot crash.
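
The following shell functions are an added example, not part of the original procedure or of IBM's tooling. They cover steps 4, 5 and 8 and the closing note: extract and validate the root UUID, build the parmfile line, check the host key document against the compute node, and print the `genprotimg` command for review. Assumptions: the function names are made up for this example, the host key document is named `HKD-<machine type>-<serial>.crt` as in the example above, and the two optional certificate arguments are handed to genprotimg's `--cert` option so that the host key document is verified instead of being accepted with `--no-verify`.

```shell
#!/bin/sh
# Added example, not IBM's tooling. Sample values are the ones shown on this page.

# Step 4: print the UUID from the root=UUID=... token of a kernel command line.
# Returns non-zero when the token is missing or is not a well-formed UUID.
root_uuid() {
    uuid=
    for tok in $1; do
        case $tok in root=UUID=*) uuid=${tok#root=UUID=} ;; esac
    done
    printf '%s\n' "$uuid" |
        grep -Eix '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
}

# Step 5: print the parmfile line. The extra parameters are the page's example values.
parmfile_line() {
    uuid=$(root_uuid "$1") || return 1
    printf 'root=UUID=%s crashkernel=196M swiotlb=262144\n' "$uuid"
}

# Closing note: check that a host key document belongs to the compute node.
# Assumption: the file is named HKD-<machine type>-<serial>.crt, as in the example.
hkd_matches_host() {    # usage: hkd_matches_host FILE TYPE SERIAL
    [ "$(basename "$1")" = "HKD-$2-$3.crt" ]
}

# Step 8: print the genprotimg command for review instead of running it.
# With two certificate files (IBM Z signing key, intermediate CA) the command
# uses --cert; without them it is the page's --no-verify form.
genprotimg_cmd() {      # usage: genprotimg_cmd KERNEL INITRD PARMFILE HKD [CERT CERT]
    set -- "$@" "" ""
    if [ -n "$5" ] && [ -n "$6" ]; then
        trust="--cert $5 --cert $6"
    else
        trust=--no-verify
    fi
    printf 'genprotimg -i %s -r %s -p %s -k %s -o /boot/secure-linux %s\n' \
        "$1" "$2" "$3" "$4" "$trust"
}
```

In the guest, `parmfile_line "$(cat /proc/cmdline)" > parmfile` writes the file for step 5; the machine type and serial passed to `hkd_matches_host` are those of the compute node.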