What is IBM Secure Execution?

IBM® Secure Execution for Linux® is a z/Architecture® security technology that is introduced with IBM z15™ and LinuxONE III. It protects data of workloads that run in a KVM guest from being inspected or modified by the server environment.

In particular, no hardware administrator, no KVM code, and no KVM administrator can access the data in a guest that was started as an IBM Secure Execution guest.

Thus, IBM Secure Execution for Linux is a continuation and expansion of well-known security features of IBM Z® and LinuxONE. It supplements pervasive encryption, which protects data at-rest and data in-flight, to also protect data in-use. With IBM Secure Execution for Linux, it is possible to securely deploy workloads in the cloud. The data of the workload can be protected everywhere:
  • In flight with secure network protocols like TLS, SSH or IPsec
  • At rest with volume encryption like dm-crypt or file system encryption like with IBM Spectrum® Scale
  • In use in the memory of a running guest with IBM Secure Execution protection
When a KVM guest runs in a cloud, be it in-house or third-party, security risks to the workload include:
  • Intruders who might gain root privileges due to some error in the security administration of the hypervisor.
  • Malicious hypervisor code that might be introduced by exploits, including zero-day exploits, or intruders.
  • Malicious virtual machines that, hypothetically, can escape the control of the hypervisor, and gain hypervisor privileges.
Intruders, malicious hypervisors, or malicious virtual machines are risks for both the cloud provider and the cloud customer, see Figure 1.

To provide a secure hosting environment, a cloud provider might log every key stroke and conduct expensive audits to log any management action and deter any malicious actor.

With the introduction of pervasive encryption, all your data at rest could be encrypted with no application changes and at reasonable CPU cost.

With IBM Secure Execution, data is protected during processing. As a workload owner, your data in your KVM guest that is deployed in a cloud, which runs on IBM Z servers with IBM Secure Execution, are as safe as if you ran it in your own data center. In fact, it is safer. It is also protected from insider attacks. Only the workload owner can access the data.