Managing a secure boot certificate for an LPAR

Use the HMC Secure Boot Certificate Management task to upload custom secure boot certificates.

Before you begin

A secure boot certificate must meet the following requirements before it can be uploaded:

It must be an X.509 v3 certificate.
It must be PEM or DER encoded.
It must have a maximum file size of 20 kB.
Its file name extension must be .pem, .der, .cer or .crt.
The certificate must not be expired.
The certificate can be signed by a Certificate Authority (CA), or self-signed.

Note: No CA certificate validation is performed during import.

Additional restrictions regarding the use of digital signature algorithms may be imposed by the actual operating system version that is booted.

About this task

As of IBM z16 and IBM® LinuxONE 4 with the update from May 2023 you can upload certificates. You can then assign these certificates to an LPAR for use with secure boot.

For operators, advantages of this feature include the ability:

to react to secure boot certificate revocation according to the policies of their company (that is, without being forced to wait for a new firmware update).
to restrict the securely bootable kernels to specific Linux distributors.
to configure the system to securely boot Linux with kernels signed by the customer or a trusted vendor of the customer’s choice.

Procedure

On the HMC, click Search.
For detailed steps without using search, see Detailed steps on the HMC or Detailed steps in DPM mode.
In the search field, enter Secure Boot.
From the search results list, select Secure boot certificate management.
Click Import.
Click File Upload, and Choose file on the panel shown in Figure 1, then click Next.

Figure 1. HMC panel for importing Secure Boot certificates
On the next panel, enter a name and optional description for the certificate, then click Next.
Review the entered data and finalize the import by clicking Import certificate.