Supported environments

Secure boot requires hardware and software support.

Support for secure boot of Linux® on IBM® Z was introduced with IBM z15® for boot of Linux in LPAR mode from SCSI devices, using certificates from Red Hat®, SUSE, and Canonical that were integrated in IBM Z® firmware.

Since then, secure boot has been continuously extended and now includes support for:
  • Locally-attached NVMe and ECKD DASD boot devices
  • Linux running as a z/VM® guest (for SCSI and ECKD DASD boot devices)
  • Custom certificates that are provided to the hardware operator, and that the operator can then upload and assign to LPARs.

Table 1 lists the supported boot media by hardware and Linux distribution.

Table 1. Secure boot hardware and software requirements
| Boot media | Minimum hardware or hypervisor | Minimum Linux version |
|---|---|---|
| FCP-attached SCSI disk | IBM z15; IBM LinuxONE III | Red Hat Enterprise Linux 8.1; SUSE Linux Enterprise Server 15 SP2; Ubuntu 19.10 |
| NVMe | IBM LinuxONE III | Red Hat Enterprise Linux 8.3; SUSE Linux Enterprise Server 15 SP3; Ubuntu 20.10 |
| ECKD DASD | IBM z16™; IBM® LinuxONE 4 | Red Hat Enterprise Linux 8.8, and 9.2; SUSE Linux Enterprise Server 15 SP5; Ubuntu 23.04 |
| SCSI and ECKD DASD for z/VM guests | IBM z16; IBM® LinuxONE 4; z/VM 7.3 with PTFs | Red Hat Enterprise Linux 8.8, and 9.2; SUSE Linux Enterprise Server 15 SP5; Ubuntu 23.04 |

Environments that support secure boot still allow a standard (non-secure) boot of Linux. Choose a secure boot IPL option to boot an operating system with the secure boot function.

If this option is chosen, an unsigned operating system, or an operating system whose signature cannot be verified, fails to boot. If you do not choose the secure boot IPL option, booting a signed operating system whose signature cannot be verified triggers a warning that is logged on the HMC.