Secure boot
With secure boot enabled, an IPL fails if a component containing code is not signed or cannot be verified.
- As of IBM z15 and IBM® LinuxONE III, the operating system loader can verify that components that are loaded from FC-attached SCSI disks or NVMe devices come from a trusted source. You can cancel loading for components that cannot be verified.
- As of IBM z16™ with the updates of May 2023, secure boot support is available for ECKD DASD with the CDL layout and with a secure-boot enabled format of the boot data.
For details about how to prepare a device for secure boot, see zipl modes and syntax overview.
To check if a Linux® instance was IPLed with secure boot, see Displaying current IPL parameters.
Kernel interfaces are restricted in a securely booted kernel. In particular, in a kernel prepared for secure boot, all kernel modules must be signed by the distributor. You cannot load modules that are not signed by the distributor, such as lin_tape.
Booting in Linux secure boot and LPAR mode

KVM guests and secure boot mode
You can IPL a KVM guest from a device with the secure boot format, but signatures are not verified.
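
A check for the IPL state and the KVM caveat described above, as an added example that is not part of the IBM documentation. It assumes the s390 kernel attributes `/sys/firmware/ipl/secure` and `/sys/firmware/ipl/has_secure` and the `Control Program:` line in `/proc/sysinfo`; the function names and the optional root-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: classify the secure-boot state of a Linux on IBM Z instance.
# Assumptions: /sys/firmware/ipl/has_secure reports whether the machine
# supports secure IPL and /sys/firmware/ipl/secure whether the current IPL
# was secure ("1" = yes); /proc/sysinfo names the hypervisor on a
# "Control Program:" line. The optional argument is a root directory, so the
# check can also run against files collected from another system.

read_flag() {
    # Print the first line of a file without whitespace, or "missing".
    if [ -r "$1" ]; then
        head -n 1 "$1" | tr -d '[:space:]'
    else
        echo missing
    fi
}

secure_boot_state() {
    root=${1:-}
    has=$(read_flag "$root/sys/firmware/ipl/has_secure")
    cur=$(read_flag "$root/sys/firmware/ipl/secure")

    if [ "$cur" = 1 ]; then
        echo "secure"                   # IPLed with signature verification
    elif [ "$cur" = missing ] && [ "$has" = missing ]; then
        echo "unknown"                  # attributes absent (not s390 or old kernel)
    elif grep -q 'Control Program:[[:space:]]*KVM' "$root/proc/sysinfo" 2>/dev/null; then
        # A KVM guest can IPL from a secure-boot formatted device, but
        # signatures are not verified, so do not treat the boot as trusted.
        echo "not-secure-kvm-guest"
    elif [ "$has" = 1 ]; then
        echo "capable-but-not-secure"   # hardware supports it, this IPL did not use it
    else
        echo "not-supported"
    fi
}

# Report the state of the running system (or of the tree named in SB_ROOT).
secure_boot_state "${SB_ROOT:-}"
```

A compliance job can treat any result other than `secure` as a finding on LPARs that are expected to boot securely.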
More information
For more information about using secure boot, including booting from z/VM and handling certificates, see Secure Boot for Linux on IBM Z and IBM LinuxONE, SC34-7755.