Linux as an IBM Secure Execution host or guest

Red Hat Enterprise Linux 8.6 LPAR mode KVM guest

With IBM® Secure Execution for Linux®, you can run encrypted Linux images on a public, private, or hybrid cloud with their in-use memory protected.

IBM Secure Execution for Linux was introduced with IBM z15™ and LinuxONE III.

Both KVM hosts and KVM guests must be set up to support IBM Secure Execution mode. This setup includes two kernel parameters, one for hosts and one for guests.

prot_virt=: By default, KVM hosts do not support guests in IBM Secure Execution mode. To support such guests, KVM hosts must boot in LPAR mode with the kernel parameter specification prot_virt=1.
KVM hosts that successfully start with support for IBM Secure Execution for Linux issue a kernel message like this: prot_virt: Reserving <amount>MB as ultravisor base storage.
swiotlb=: KVM guests in IBM Secure Execution mode require bounce buffers for their virtio devices. Use the swiotlb= kernel parameter to assign 2 KB memory blocks for these bounce buffers. A suitable setting for most cases is swiotlb=262144, which corresponds to 512 MB.

For details about setting up KVM hosts and guest, see Introducing IBM Secure Execution for Linux, SC34-7721.

Indicators for IBM Secure Execution mode

Two read-only sysfs attributes indicate whether a running Linux instance detects an environment of a KVM guest in IBM Secure Execution mode or of a KVM host that can run such guests.

/sys/firmware/uv/prot_virt_guest: The value of this attribute is 1 for Linux instances that detect their environment as consistent with that of a secure guest. For other instances, the value is 0 or the attribute does not exist.
/sys/firmware/uv/prot_virt_host: The value of this attribute is 1 for Linux instances that detect their environment as consistent with that of a secure host. For other instances, the value is 0. If the attribute does not exist, the Linux instance is not a KVM host in an environment that supports IBM Secure Execution for Linux.

Note: These values are indications, but do not prove that the Linux instance is a secure guest or host in the context of IBM Secure Execution for Linux. Use these indications for technical evaluations in trusted environments, but do not base security-related decisions on them.

The following example shows a Linux instance that runs as a KVM guest in IBM Secure Execution mode, but is not a KVM host that can run such guests.

# cat /sys/firmware/uv/prot_virt_guest
1
# cat /sys/firmware/uv/prot_virt_host
0