genprotimg - Generate an IBM Secure Execution image

The genprotimg command builds an encrypted boot record from a given kernel, initial RAM disk, parameters, and public host-key document.

genprotimg syntax

Read syntax diagramSkip visual syntax diagramgenprotimg -k  <host_key_document> -i  <image> -r <ram_disk>-p <parm_ file> -o <output_image> -V--no-verify


-k <host_key_document> or --host-key-document=<host_key_document>
Specifies the host key document. The document must match the host system for which the image is prepared. Specify multiple host key documents to enable the image to run on more than one host. The document is a plain text file with a name of the form: HKD-<type>-<serial>.crt
-i <image> or --image=<image>
Specifies the Linux® kernel image.
Note: The genprotimg command cannot use an ELF file as a Linux kernel image.
-r <ramdisk> or --ramdisk=<ramdisk>
Specifies a RAM file system.
-p <parm_file>or --parmfile=<parm_file>
Provides a file with kernel parameters.
-o or --output
Specifies the target image name.
-V or --verbose
Prints additional runtime information.
Specifies that the host key document is not verified.
Warning: As long as a manual procedure (see Verifying the host key document) is in place for verification, use the --no-verify option. Working with an unverified key makes your image vulnerable to man-in-the-middle attacks. Whoever gave you the host key document might be able to decrypt your image.
-v or --version
Displays the version information for the command.
-h or --help
Displays out a short help text, then exits. To view the man page, enter man genprotimg.
Displays experimental usage information, then exits.
Displays all help text, then exits.

Example: Using genprotimg to generate an IBM Secure Execution image

Assume that you have an Ubuntu guest that you would like to convert into an IBM Secure Execution guest. You have the following information ready:
  • The guest has the following zipl.conf:
    parameters=root=UUID=694fd9a4-4180-4c47-92e0-7aa4fe06d370 crashkernel=196M
  • A host key document called HKD-8651-00020089A8.crt,
  1. Verify the host key document, see Verifying the host key document.
  2. Create a parameter file called parmfile. Copy the content of the parameter that specifies the root device.
  3. Specify bounce buffers with a swiotlb parameter with a value of 262144.
    The result is a parameter file with the following content:
    root=UUID=694fd9a4-4180-4c47-92e0-7aa4fe06d370 crashkernel=196M swiotlb=262144
  4. Generate an IBM Secure Execution image in /boot/secure-linux with the command:
    # genprotimg -i /boot/vmlinuz -r /boot/initrd.img -p parmfile --no-verify 
    -k HKD-8651-00020089A8.crt -o /boot/secure-linux