Starting the IBM SEL guest as a secure virtual server

On the KVM host, create a domain configuration-XML for the virtual machines that are to run in IBM SEL mode.

Before you begin

You need a bootable disk image that is encrypted with the public host key of the mainframe on which you want to run it. See Preparing the boot image.

On an IBM z17 with a Linux kernel that supports the sysfs entries, you can check whether a system is able to run the guest before you start the virtual server and the guest. The following sysfs files are provided under /sys/firmware/uv/keys:
  • host_key - the SHA256 hash of the current host key of the system
  • backup_host_key - the SHA256 hash of the backup host key of the system
  • all - the complete payload (480 bytes = up to 15 hashes) of the corresponding UVC
Read one of the files, for example, to inspect the current host-key hash:
# cat /sys/firmware/uv/keys/host_key
577888117d6c5ca6eb7e296388cde63084533f20f98668e2165c5909daa9d2dd
Note: The host keys and therefore the hashes can change at any time during the runtime of the system.

Procedure

  1. Place the bootable disk image on the KVM host file system in /var/lib/libvirt/images.
    For example, assuming that the image is called secguest1.img:
    # ls /var/lib/libvirt/images
    ...
    secguest1.img
    ...
  2. Modify the domain configuration-XML you received from your customer.
    Add the launchSecurity element with type s390-pv to set defaults that simplify configuring the virtual server for IBM® SEL.
    1. Optional: Confirm that this setting is available in your environment.
      Look for the following line in the output of the virsh domcapabilities command:
      <s390-pv supported="yes">
    2. Add the launchSecurity element.
      For example:
      <domain type="kvm">
          ...
          <launchSecurity type="s390-pv"/>
          ...
      </domain>

      For example, this setting makes the required bounce buffer for virtio devices the default and you do not have to specify it explicitly for each device. This setting also leads to warning messages if the CPU model of the virtual server does not include all features that are required by IBM SEL.

    Manual domain-XML configuration

    If the output of the virsh domcapabilities command shows that you do not have support for the launchSecurity element, you must configure the domain XML manually:

    1. Ensure that the XML has iommu="on" set to allow the use of bounce buffers on every element that represents a virtio device, for example, the <disk>, <serial>, and <interface> elements.
    2. Do not define a memory balloon device for secure guests. Use the following definition in the guest XML:
      <memballoon model='none'/>
    For example, the following domain configuration-XML, called secguest1.xml, configures a virtual machine called secguest1 that allows bounce buffers:
    <domain type="kvm">
       <name>secguest1</name>
       ...
       <devices>
          <disk type="file" device="disk">
             <driver name="qemu" type="raw" cache="none" io="native" iommu="on"/>
             <source file="/var/lib/libvirt/images/secguest1.img"/>
             <target dev="vda" bus="virtio"/>
             <address type="ccw" cssid="0xfe" ssid="0x0" devno="0x1108"/>
             <boot order="1"/>
          </disk>
          ...
          <memballoon model='none'/>
       </devices>
    </domain>

    For details about the domain configuration-XML and how to configure virtual servers, see KVM Virtual Server Management, SC34-2752.
    Tip: Use virt-manager to work with the XML.
  3. Optional: Configure for direct kernel boot.
    If you received the secure boot image as a separate bootable kernel image file, modify the domain XML for a direct kernel boot.

    For example, this domain XML configures a guest that is booted from a kernel image:

    <os>
       ...
       <kernel>/var/lib/images/secure_img</kernel>
    </os>

    The <kernel> entry must contain the fully qualified path and file name of the secure boot image file.

  4. On the KVM host console, define the virtual machine with the virsh define command.
    For example, to define secguest1 as specified in secguest1.xml:
    # virsh define secguest1.xml
  5. From the KVM host console, verify that the guest can be started with the virsh start command.
    For example, to start secguest1:
    # virsh start secguest1
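
The manual domain-XML rules from step 2 can be checked before running virsh define. The following Python script is an added example, not part of the IBM documentation; the function names, the heuristic for recognizing virtio devices, and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

def is_virtio(dev):
    """Heuristic (assumption): common libvirt markers of a virtio device."""
    target, model = dev.find("target"), dev.find("model")
    return ((target is not None and "virtio" in (target.get("bus"), target.get("type")))
            or (model is not None and model.get("type") == "virtio")
            or dev.get("model", "").startswith("virtio"))

def check_secure_guest_xml(xml_text):
    """Return a list of findings; an empty list means the manual rules are met."""
    root = ET.fromstring(xml_text)
    ls = root.find("launchSecurity")
    if ls is not None and ls.get("type") == "s390-pv":
        return []  # per the page, manual rules are needed only without launchSecurity
    devices = root.find("devices")
    devs = list(devices) if devices is not None else []
    findings = []
    for dev in devs:
        if dev.tag == "memballoon" or not is_virtio(dev):
            continue  # the balloon is checked separately below
        driver = dev.find("driver")
        if driver is None or driver.get("iommu") != "on":
            findings.append(f'<{dev.tag}>: virtio device without iommu="on"')
    balloons = [d for d in devs if d.tag == "memballoon"]
    if not balloons or any(b.get("model") != "none" for b in balloons):
        findings.append("<memballoon>: define it explicitly with model='none'")
    return findings

# Constructed sample domain XML (not from a real system).
GOOD = """<domain type="kvm"><name>demo</name><devices>
  <disk type="file" device="disk">
    <driver name="qemu" type="raw" iommu="on"/>
    <target dev="vda" bus="virtio"/>
  </disk>
  <memballoon model="none"/>
</devices></domain>"""
BAD = """<domain type="kvm"><name>demo</name><devices>
  <disk type="file" device="disk">
    <driver name="qemu" type="raw"/>
    <target dev="vda" bus="virtio"/>
  </disk>
  <interface type="network"><model type="virtio"/></interface>
</devices></domain>"""
WITH_LAUNCHSEC = BAD.replace("<devices>", '<launchSecurity type="s390-pv"/><devices>', 1)

if __name__ == "__main__":
    for name, xml in (("GOOD", GOOD), ("BAD", BAD), ("WITH_LAUNCHSEC", WITH_LAUNCHSEC)):
        print(name, check_secure_guest_xml(xml) or "ok")
```

To check a real definition, pass the contents of the domain XML file (for example, secguest1.xml) to check_secure_guest_xml.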

Results

The KVM guest defined by secguest1.img starts running in IBM SEL mode. For information about troubleshooting, see Starting the KVM guest with virsh start fails.
Figure 1. A KVM guest is created from a bootable image to run in IBM SEL mode

KVM files are created on the host to define the KVM guest