Introduction to secure boot on IBM Z and IBM LinuxONE
Use secure boot to ensure the code that you boot is trustworthy.
Secure boot is a security standard that ensures that a Linux instance boots using only trusted software. Software is considered trusted if it is signed, because the signature can be verified to confirm that the code:
- Originates from a trusted source
- Was not modified.
When the instance starts, the signatures of boot components that contain code are checked. With secure boot enabled, booting fails if a component that contains code is not signed or cannot be verified.
An operating system whose code cannot be verified fails to boot when booted using secure boot.
For Linux on IBM Z, the trusted source of the boot code is typically a Linux distributor, such as Red Hat®, SUSE, or Canonical. However, you can also sign boot files of a custom Linux system, including a custom kernel, yourself for use with secure boot.
Signed code
Distributors sign their Linux kernel and boot loader binary files with a private key and ship the resulting code signature as part of the corresponding software package. Distributors also provide the corresponding public keys included in X.509 v3 certificates. These public keys are used by the platform bootloader firmware to verify the code signatures during boot.
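The following POSIX shell script is an added illustration of that sign-then-verify flow using openssl; it is not from the IBM documentation and is not the tooling that distributors, zipl or the firmware use. The self-signed X.509 v3 certificate, the constructed "kernel image" contents and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: model the sign/verify flow
# with openssl. The self-signed X.509 v3 certificate, the constructed
# "kernel image" and all file names are assumptions; distributor tooling,
# zipl and the HMC certificate store differ.
set -eu

secure_boot_demo() {
    w=$(mktemp -d)

    # 1. Signer key pair plus an X.509 v3 certificate carrying the public key
    #    (what a distributor publishes and what gets uploaded to the HMC).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Distributor Secure Boot" \
        -keyout "$w/signer.key" -out "$w/signer.crt" >/dev/null 2>&1
    # The verifier only needs the public key, extracted from the certificate.
    openssl x509 -in "$w/signer.crt" -pubkey -noout > "$w/signer.pub"

    # 2. A constructed stand-in for a boot component, e.g. a kernel image.
    printf 'constructed kernel image bytes\n' > "$w/vmlinuz"

    # 3. Sign with the private key; the signature ships with the binary.
    openssl dgst -sha256 -sign "$w/signer.key" \
        -out "$w/vmlinuz.sig" "$w/vmlinuz"

    check_sig() {  # $1 = trusted public key, $2 = file, $3 = signature
        if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
        then echo ok; else echo fail; fi
    }

    # 4a. Untouched file, signed by the trusted key: must verify.
    genuine=$(check_sig "$w/signer.pub" "$w/vmlinuz" "$w/vmlinuz.sig")

    # 4b. Same signature, but the image was modified afterwards: rejected.
    printf 'X' >> "$w/vmlinuz"
    tampered=$(check_sig "$w/signer.pub" "$w/vmlinuz" "$w/vmlinuz.sig")

    # 4c. A fresh, unknown signing key (not the one in the trusted
    #     certificate): even a valid signature from it is rejected.
    printf 'constructed kernel image bytes\n' > "$w/other.img"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$w/other.key" 2>/dev/null
    openssl dgst -sha256 -sign "$w/other.key" -out "$w/other.sig" "$w/other.img"
    untrusted=$(check_sig "$w/signer.pub" "$w/other.img" "$w/other.sig")

    rm -rf "$w"
    echo "$genuine $tampered $untrusted"
}
```

Calling `secure_boot_demo` prints `ok fail fail`: only the unmodified image signed by the key behind the trusted certificate passes, which is exactly the pair of properties (trusted origin, no modification) that the signature check enforces.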
NIAP GPOS certification
The secure boot capability is a requirement for certifying Linux on IBM Z according to the National Information Assurance Partnership (NIAP) General Purpose Operating System (GPOS) protection profile. This certification is a mandatory prerequisite for deploying an operating system in certain industries, and in particular for certain US government offices.
For more information about NIAP GPOS, see the references in NIAP GPOS certification and secure boot.
Who should read this information and secure boot roles
Most of the information in this document is intended for Linux administrators who want to configure Linux on IBM Z. Some information might also be of interest to IT architects who need to understand the secure-boot-related requirements for running Linux on IBM Z in an environment that requires NIAP GPOS certification.
Several people in an organization work with secure boot and the certificates and signatures involved:
- The person who signs Linux boot files and kernel modules; this is typically a Linux administrator. The signer has access to the private key whose corresponding public key is uploaded to the HMC.
- The person who uploads the public-key certificate to the HMC; this can be a hardware administrator.