Linux as an IBM Secure Execution host or guest
With IBM® Secure Execution for Linux®, you can run encrypted Linux images on a public, private, or hybrid cloud with their in-use memory protected.
KVM guests in IBM Secure Execution mode are controlled by the ultravisor, which is a trusted firmware feature that uses memory-protection hardware to attain this protection.
IBM Secure Execution for Linux was introduced with IBM z15 and IBM LinuxONE III.
Kernel build options for KVM guests
The kernel of a KVM guest must be compiled with specific build options to enable IBM Secure Execution for Linux and its features.
Virtualization --->
    Protected virtualization guest support (CONFIG_PROTECTED_VIRTUALIZATION_GUEST)
...
Device Drivers --->
    ...
    Character devices --->
        ...
        --- S/390 character device drivers (depends on S390) ---
        ...
        Ultravisor userspace API (CONFIG_S390_UV_UAPI)
- CONFIG_PROTECTED_VIRTUALIZATION_GUEST
- provides base support for IBM Secure Execution for Linux.
- CONFIG_S390_UV_UAPI
- enables user-space interaction of KVM guests in IBM Secure Execution mode with the ultravisor. For example, attestation that a guest runs in IBM Secure Execution mode depends on this enablement.
Support for user-space interaction with the ultravisor can be compiled into the kernel or as a separate module, uvdevice.
Kernel parameters
Both KVM hosts and KVM guests must be set up to support IBM Secure Execution mode. This setup includes two kernel parameters, one for hosts and one for guests.
- prot_virt=
- By default, KVM hosts do not support guests in IBM Secure Execution mode. To support such guests, KVM hosts must boot in LPAR mode with the kernel parameter specification prot_virt=1.
KVM hosts that successfully start with support for IBM Secure Execution for Linux issue a kernel message like this:
prot_virt: Reserving <amount>MB as ultravisor base storage
- swiotlb=
- KVM guests in IBM Secure Execution mode require a bounce buffer for their virtio devices. Use the swiotlb= kernel parameter to assign 2 KB memory blocks for this bounce buffer. A suitable setting for most cases is swiotlb=262144, which corresponds to 512 MB.
Indicators for IBM Secure Execution mode
Two read-only sysfs attributes indicate whether a running Linux instance detects an environment of a KVM guest in IBM Secure Execution mode or of a KVM host that can run such guests.
- /sys/firmware/uv/prot_virt_guest
- The value of this attribute is 1 for Linux instances that detect their environment as consistent with that of a secure guest. For other instances, the value is 0 or the attribute does not exist.
- /sys/firmware/uv/prot_virt_host
- The value of this attribute is 1 for Linux instances that detect their environment as consistent with that of a secure host. For other instances, the value is 0. If the attribute does not exist, the Linux instance is not a KVM host in an environment that supports IBM Secure Execution for Linux.
# cat /sys/firmware/uv/prot_virt_guest
1
# cat /sys/firmware/uv/prot_virt_host
0
Attestation of IBM Secure Execution mode
Use attestation to prove that a guest runs in IBM Secure Execution mode on trusted IBM zSystems or IBM LinuxONE hardware, and optionally that the guest image runs on a specific hardware instance. Attestation requires hardware support and is available as of IBM z16™ and IBM LinuxONE 4.
Attestation depends on process steps on the ultravisor. Guests that support attestation have a character device /dev/uv for attestation-related communication with the ultravisor.
This device is provided by the uvdevice device driver. If this device driver has been compiled as a separate module, you might have to load it before the /dev/uv device becomes available. If applicable, issue the following command to load the module:
# modprobe uvdevice
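The checks from the kernel parameter, indicator, and attestation sections above can be combined into one script. This is an added example, not IBM code: the function names, the ROOT path prefix, the role labels, and the --report switch are assumptions made here.

```sh
#!/bin/sh
# Added example. ROOT is a hypothetical path prefix: empty on a live system,
# a constructed directory tree when exercising the logic offline.

# se_role [ROOT]: classify the instance from the two read-only sysfs indicators.
se_role() {
    uv="${1:-}/sys/firmware/uv"
    guest=absent
    host=absent
    if [ -r "$uv/prot_virt_guest" ]; then guest=$(cat "$uv/prot_virt_guest"); fi
    if [ -r "$uv/prot_virt_host" ]; then host=$(cat "$uv/prot_virt_host"); fi
    if [ "$guest" = 1 ]; then
        echo secure-guest            # environment consistent with a secure guest
    elif [ "$host" = 1 ]; then
        echo secure-host             # environment consistent with a secure host
    elif [ "$host" = absent ]; then
        echo no-se-host-environment  # not a KVM host in an SE-capable environment
    else
        echo not-secure              # host attribute is 0, guest is 0 or missing
    fi
}

# swiotlb_mb CMDLINE: bounce-buffer size in MB from a kernel command line,
# counting each swiotlb= block as 2 KB. Returns 1 if unset or not numeric.
swiotlb_mb() {
    for arg in $1; do
        case "$arg" in
            swiotlb=*)
                slabs=${arg#swiotlb=}
                slabs=${slabs%%,*}   # ignore anything after a comma
                case "$slabs" in
                    ''|*[!0-9]*) return 1 ;;
                esac
                echo $(( slabs * 2 / 1024 ))
                return 0 ;;
        esac
    done
    return 1
}

# Report on the live system only when asked: sh se_check.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "role: $(se_role)"
    if [ -c /dev/uv ]; then echo "/dev/uv: present"
    else echo "/dev/uv: absent (if uvdevice is a module: modprobe uvdevice)"; fi
    mb=$(swiotlb_mb "$(cat /proc/cmdline)") && echo "swiotlb: ${mb} MB" || echo "swiotlb: not set"
fi
```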
KVM host setup for Crypto Express support
Support for Crypto Express for KVM guests running in secure-execution mode requires an IBM z16.
As a KVM host operator, you can decide whether your IBM Secure Execution guests can use Crypto Express adapters.
# qemu-system-s390x
<...>
-cpu gen16a,ap=on,appv=on,appvi=on
<cpu mode='host-model' check='partial'>
  ...
  <feature policy='require' name='ap'/>
  <feature policy='require' name='appv'/>
  <feature policy='require' name='appvi'/>
</cpu>
# qemu-system-s390x
<...>
-cpu gen16a,ap=off,appv=off,appvi=off
More information
For more information about setting up KVM hosts and guests and about attestation, see Introducing IBM Secure Execution for Linux, SC34-7721.