Use pvsecret create with the --disable-dump option to
prevent the hypervisor from creating guest kernel dumps.
Dump prevention can also be configured during SEL image creation by using
pvimg create --disable-dump. Disabling dumps is the default when creating guest
images.
About this task
If a secure execution image vendor creates a guest image with dumps enabled, any
dumps are encrypted with the vendor's keys. However, a tenant who takes ownership of such a guest
might prefer to prevent the hypervisor from dumping that guest by using the
--disable-dump option.
You can use the pvsecret create command to only disable dumping,
or add the disablement to an add-secret request.
You can enhance the security of the disable-dump request with methods that are
described in Preventing the misuse of add-secret requests.
Procedure
- To prevent dumping, use pvsecret create with a meta secret to pass the
  disable-dump flag to the guest. Issue a command of the form:

  # pvsecret create meta -k <host_key_document> --hdr <SEL_header> -o <request_file> \
      --crt <CA_certificate> --crt <IBM_signing_certificate> \
      --flags disable-dump
  where:
  - meta
    creates an add-secret request that contains a meta secret. Use a meta secret to carry flags to the ultravisor without having to provide an actual secret value. Meta secrets do not appear in the list of secrets.
  - -k <host_key_document>
    specifies the host key document.
  - --hdr <SEL_header>
    specifies the header of the KVM guest.
  - -o <request_file>
    specifies the file that contains the generated add-secret request.
  - --crt <CA_certificate> (short form: -C)
    specifies the certificate that is used to establish a chain of trust for the verification of the host key documents. Specify this option twice to specify the IBM Z signing-key certificate and the intermediate CA certificate (signed by the root CA).
  - --flags disable-dump
    disables host-initiated dumping for the target guest instance.
  For example, to use:
  - a host-key document z16.crt
  - a guest header se.hdr
  - a CA certificate DigiCertCA.crt
  - an IBM signing key ibm-sign.crt
  and disable dumps for this guest, issue the following command on a trusted system on one line:

  # pvsecret create meta -k z16.crt --hdr se.hdr -o addNoDumpReq \
      --crt DigiCertCA.crt --crt ibm-sign.crt \
      --flags disable-dump

  The command creates an add-secret request and writes it to addNoDumpReq. The request prevents any memory dumps from being taken from this Linux instance.
- To prevent dumping and also create an association secret, issue a command of the form on one line:

  # pvsecret create association -k <host_key_document> --hdr <SEL_header> -o <request_file> \
      --crt <CA_certificate> --crt <IBM_signing_certificate> \
      --flags disable-dump <name>

  where the options are the same as explained in the previous example, except:
  - association
    specifies that the add-secret request is for an association secret.
  - <name>
    is a string that identifies the new secret. Strings are hashed with SHA-256 to form the ID that is used by the ultravisor. The ID is saved in <name>.yaml with white-spaces mapped to underscores (_).
  For example, to use the same input as before, but also create an association secret, issue the following command on a trusted system:

  # pvsecret create association -k z16.crt --hdr se.hdr -o addSecretReq \
      --crt DigiCertCA.crt --crt ibm-sign.crt \
      --flags disable-dump "myConfidentialSecret"

  The command prevents any dumps from being taken from this Linux® instance. The command creates an add-secret request and writes it to addSecretReq. It also creates an identifier for the request, consisting of the SHA-256 hash of the association string myConfidentialSecret. The ID is saved in myConfidentialSecret.yaml.