Confidential computing with LinuxONE
Confidential computing is enabled on LinuxONE (s390x processor architecture) by using the IBM Secure Execution for Linux technology. This technology is part of the hardware of IBM z16, IBM z15, IBM LinuxONE Emperor 4, and IBM LinuxONE III systems. With IBM Secure Execution for Linux, you can securely deploy workloads in the cloud. It ensures the integrity and confidentiality of boot images, and server authenticity. Applications are isolated from the operating system, thus providing more privacy and security for the workload.
By using IBM Secure Execution for Linux, you can create encrypted Linux images that can run on a public, private, or hybrid cloud with their in-use memory protected. The workload or data is protected from external and insider threats.
You need a valid contract, which is used to provide container details at instance creation. If no contract is passed, the instance eventually shuts down. The IBM Hyper Protect Virtual Servers (HPVS) image consists of different components or services that decrypt the contract (if it is encrypted), validate the contract schema, check for the contract signature, create the passphrase to encrypt the disk device, and bring up the container that is specified in the contract. For more information, see About the contract.
For a technical deep dive into the IBM Hyper Protect Platform, see the white paper The Second Generation of IBM Hyper Protect Platform.
IBM Hyper Protect Virtual Servers
IBM Hyper Protect Virtual Servers takes advantage of the IBM Secure Execution for Linux technology to provide a boundary around each instance and provides the following benefits:
- Managed Container Runtime service.
- Secure Execution boundary for protection from internal and external threats.
You can set up, configure, and operate IBM Hyper Protect Virtual Servers on IBM Z® hardware just as you would operate Linux® on KVM instances and their virtual devices running on a KVM host. For more information, see KVM Virtual Server Management.
Next steps
- You can download the IBM Hyper Protect Virtual Servers bundle by following the instructions in the Downloading the image topic.
- You can read the information here to learn more about installing and configuring IBM Hyper Protect Virtual Servers.