Secure boot

Red Hat Enterprise Linux 9.2 LPAR mode

As of z15® and LinuxONE III, the operating system loader verifies that components that are loaded from SCSI disks or NVMe devices come from a trusted source. You can cancel loading for components that cannot be verified.

With secure boot enabled, an IPL fails if a component containing code is not signed or cannot be verified.

For details about how to prepare a device for secure boot, see zipl modes and syntax overview.

To check whether a Linux® instance was IPLed with secure boot, see Displaying current IPL parameters.

Kernel interfaces are restricted in a kernel that is prepared for secure boot. In particular, all kernel modules must be signed by Red Hat. You cannot load modules that are not signed by Red Hat, such as lin_tape.
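As an added example (not part of the original documentation), the following shell functions report whether the instance was IPLed with secure boot. They read the s390 sysfs attributes `/sys/firmware/ipl/has_secure` and `/sys/firmware/ipl/secure`, and the kernel lockdown mode from `/sys/kernel/security/lockdown`. The `SYSFS_ROOT` override and the state names are assumptions made for this example, as is the assumption that the restricted kernel interfaces appear as a lockdown mode.

```shell
#!/bin/sh
# Added example: report secure-boot state on Linux on IBM Z.
# SYSFS_ROOT is a hypothetical override for testing against a constructed
# tree; leave it unset on a real system so /sys is used.

read_attr() {
    # Print the first line of a sysfs attribute, or "absent" if unreadable.
    value=
    if [ -r "$1" ]; then
        IFS= read -r value < "$1" || true
        printf '%s\n' "$value"
    else
        printf 'absent\n'
    fi
}

secure_boot_state() {
    # has_secure: the machine can do a secure IPL; secure: this IPL used it.
    ipl="${SYSFS_ROOT:-/sys}/firmware/ipl"
    case "$(read_attr "$ipl/has_secure"):$(read_attr "$ipl/secure")" in
        1:1) printf 'enforced\n' ;;
        1:0) printf 'available-not-used\n' ;;
        0:*) printf 'unsupported\n' ;;
        *)   printf 'unknown\n' ;;   # attributes missing, e.g. not s390
    esac
}

lockdown_mode() {
    # The active mode is the bracketed word, e.g. "none [integrity] confidentiality".
    f="${SYSFS_ROOT:-/sys}/kernel/security/lockdown"
    [ -r "$f" ] || { printf 'absent\n'; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

printf 'secure boot: %s\n' "$(secure_boot_state)"
printf 'lockdown:    %s\n' "$(lockdown_mode)"
```

To see who signed a module before trying to load it on a secure-booted instance, `modinfo -F signer <module>` prints the signer field.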

KVM: You can IPL a KVM guest from a device with the secure boot format, but signatures are not verified.