Secure boot

With secure boot enabled, an IPL fails if a component containing code is not signed or cannot be verified.

6.10 LPAR mode z/VM guest

Secure boot requires hardware support.
  • As of IBM z15 and IBM® LinuxONE III, the operating system loader can verify that components that are loaded from FC-attached SCSI disks or NVMe devices come from a trusted source. You can cancel loading for components that cannot be verified.
  • As of IBM z16™ with the updates of May 2023, secure boot support is available for ECKD DASD with the CDL layout and with a secure-boot enabled format of the boot data.

For details about how to prepare a device for secure boot, see zipl modes and syntax overview.

To check if a Linux® instance was IPLed with secure boot see Displaying current IPL parameters.

Kernel interfaces are restricted in a securely booted kernel. In particular, in a kernel prepared for secure boot, all kernel modules must be signed by the distributor. You cannot load modules that are not signed by the distributor, like lin_tape.

Booting in Linux secure boot and LPAR mode

Figure 1 shows an example of a load panel on the Support Element with Enable Secure Boot selected. The example shows an ECKD DASD as the boot device, but the expanded Secure boot certificates section is similar for all device types that support secure boot.
Figure 1. Load panel for ECKD DASD with secure boot enabled
Screen capture of the Support Element Load panel with Enable Secure Boot selected.

KVM guests and secure boot mode

You can IPL a KVM guest from a device with the secure boot format, but signatures are not verified.

More information

For more information about using secure boot, including booting from z/VM and handling certificates, see Secure Boot for Linux on IBM Z and IBM LinuxONE, SC34-7755.