Prerequisites and assumptions
All Linux® instances that participate in the described scenario must meet certain requirements.
Software requirements
Distributions that include the required modules and packages are listed in Introducing IBM Secure Execution for Linux (SC34-7721).
KVM SEL host requirements
A KVM host running with IBM Secure Execution for Linux (SEL) is referred to as KVM SEL host in the remainder of this document.
- The KVM SEL host must be a Linux instance running in an LPAR that has access to one or more AP queues (APQNs). No special setup is needed for the KVM host to run KVM guests with Crypto Express adapters for secure execution beyond the KVM host requirements for regular KVM guests without Crypto Express support. These are described in the chapter Configuring for IBM Secure Execution for Linux of KVM Virtual Server Management.
The APQNs that are passed through to the KVM SEL guest must be on CEX8S or later cryptographic coprocessors.
You can use Crypto Express8S adapters:
- configured in accelerator mode.
- configured in Enterprise PKCS #11 coprocessor mode. This mode requires Enterprise PKCS #11 version 5.8.30 or later.
- The Linux version running the KVM SEL host must support the vfio_ap device driver as integrated into upstream Linux kernel version 6.6.
- The KVM SEL host also requires QEMU version 8.2 or later.
- libvirt version 4.9 or later is also required.
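The host requirements above, encoded as a POSIX shell check script. This is an added example, not part of the IBM document: the version thresholds and the CEX8S / accelerator / EP11 rule come from this page, while the lszcrypt column layout, the CEX8A/CEX8P type names and the Accelerator/EP11-Coproc mode strings are assumptions about that tool's output, and the sample lszcrypt lines are constructed.

```shell
# Added example, not from the IBM document. Thresholds and the CEX8S /
# accelerator / EP11 rule come from the requirements above; the lszcrypt column
# layout, the CEX8A/CEX8P type names and the mode strings are assumptions.
MIN_KERNEL=6.6; MIN_QEMU=8.2; MIN_LIBVIRT=4.9
# Constructed lszcrypt-style lines (not real output) for exercising the filter.
SAMPLE_LSZCRYPT='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
00.0011     CEX8A Accelerator online  0
01.0011     CEX8C CCA-Coproc  online  0
02.0011     CEX7P EP11-Coproc online  0
03.0011     CEX8P EP11-Coproc online  0'
# version_ge A B: true if dotted version A >= B over the first three numeric
# fields; a "-rcN" or distro suffix after the digits in A is ignored.
version_ge() {
    _a=$(printf '%s' "$1" | sed 's/[^0-9.].*//'); _b=$2; _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s.' "$_a" | cut -d. -f"$_i"); _y=$(printf '%s.' "$_b" | cut -d. -f"$_i")
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        _i=$((_i + 1))
    done
    return 0
}
# apqn_eligible TYPE MODE: true for a CEX8S-or-later queue in accelerator or
# EP11 coprocessor mode; CCA coprocessor mode is not listed on the page.
apqn_eligible() {
    _gen=$(printf '%s' "$1" | sed -n 's/^CEX\([0-9][0-9]*\)[ACP]$/\1/p')
    [ -n "$_gen" ] && [ "$_gen" -ge 8 ] || return 1
    case $2 in Accelerator|EP11-Coproc) return 0 ;; *) return 1 ;; esac
}
# list_eligible_apqns: reads lszcrypt-style lines on stdin, prints each
# CARD.DOMAIN id that passes apqn_eligible (card-only and header lines skipped).
list_eligible_apqns() {
    while read -r _id _type _mode _rest; do
        case $_id in *.*) if apqn_eligible "$_type" "$_mode"; then echo "$_id"; fi ;; esac
    done
}
# need NAME VERSION MIN: prints ok/FAIL for one version requirement.
need() { if version_ge "$2" "$3"; then echo "ok   $1 $2"; else echo "FAIL $1 ${2:-missing} < $3"; _rc=1; fi; }
# check_sel_host: checks the live system against the host requirements above.
check_sel_host() {
    _rc=0; need kernel "$(uname -r)" "$MIN_KERNEL"
    modinfo vfio_ap >/dev/null 2>&1 && echo "ok   vfio_ap module" || { echo "FAIL vfio_ap missing"; _rc=1; }
    need QEMU "$(qemu-system-s390x --version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n1)" "$MIN_QEMU"
    need libvirt "$(virsh --version 2>/dev/null)" "$MIN_LIBVIRT"
    _n=$(lszcrypt 2>/dev/null | list_eligible_apqns | wc -l | tr -d ' ')
    [ "$_n" -gt 0 ] && echo "ok   $_n eligible APQN(s)" || { echo "FAIL no CEX8S+ accelerator/EP11 APQN"; _rc=1; }
    return $_rc
}
if [ "${1:-}" = "--run" ]; then check_sel_host; fi
```

Run the script with `--run` on the intended host to print one ok/FAIL line per requirement; the exit status is non-zero if any requirement is unmet.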
KVM SEL guest requirements
A KVM SEL guest that supports Crypto Express adapters for secure execution is available as of Linux kernel version 6.6 (the same as for a KVM SEL host). For the command line tools, s390-tools version 2.29 or later is required. Crypto Express support for KVM SEL guests requires a machine level of at least IBM® z16® or IBM LinuxONE 4 hardware with firmware bundle S30.
Requirements of a trusted Linux instance
The hardware requirements of a trusted Linux instance on which you create your secrets are the same as for the KVM SEL host.
Additionally, you need s390-tools upstream version 2.7 or later.
Naming conventions for involved systems and users
In our scenario, we use the following names for involved systems and users:
| System role | System name | User name |
|---|---|---|
| trusted system | trusted_system | user@trusted_system |
| KVM SEL host | sel_host | admin@sel_host |
| KVM SEL guest | sel_guest | user@sel_guest or root@sel_guest, as applicable |