You need the IBM Z signing-key certificate and the DigiCert intermediate certificate to verify the host key document, and the output file name of the resulting bootable image.
You must obtain the public host key document from your cloud provider. It must be available where you are preparing the guest.
Procedure
The pvimg command is part of the s390-tools package. If it is not already installed, download the package into the file system on your Linux instance and install it.
For example, on an Ubuntu system, use the following command to install the s390-tools package:
# apt install s390-tools
Generate the secure image.
Run the pvimg create command. Issue a command of the following form on one line:
-k <path/to/host-key-doc>.crt specifies the host key document.
-C <ibm_signkey> specifies the IBM Z signing-key certificate.
-C <digicert_intermediate> specifies the DigiCert intermediate certificate.
-o <output_image> specifies the resulting image name.
The host key document must match the host system for which the image is prepared. Specify multiple host key documents (one -k option each) to enable the image to run on more than one host.
For example, to use:
a guest kernel located in /boot/vmlinuz.
an initial RAM disk /boot/initrd.img.
a parameter file parmfile.
a host key document HKD-8651-000201C048.crt.
an IBM Z signing-key certificate ibm_signkey.crt.
a DigiCert intermediate certificate digicert_intermediate.crt.
In this example, the certificate revocation lists are downloaded automatically through an internet connection. If no internet connection is available, you can download the lists manually.
Update your boot configuration.
Edit zipl.conf
For examples of boot configurations for different Linux distributions, see Boot configurations.
Add a new section for the IBM SEL boot image and save. For example:
# vi zipl.conf
...
[secure]
target=/boot
image=/boot/secure-linux
...
Specify the location of the mounted kernel, the initramfs, and the kernel parameter file directories.
Make the new entry the default entry. In zipl.conf, make the [secure] entry the default. For example:
[defaultboot]
default=secure
Run zipl -V.
The zipl command prepares a boot device.
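The following script is an added example and is not part of the IBM documentation or of s390-tools. It wraps the procedure above: it checks that every input file is readable, assembles one pvimg create command line that carries several host key documents (so the image boots on more than one host) and both certificates, and appends a [secure] section to zipl.conf only if one is not already there. It assumes that pvimg create accepts -i, -r and -p for the kernel image, ramdisk and parameter file (those options are not shown on this page); the -k, -C and -o options are the ones the page describes. All file names are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the IBM page or from s390-tools.
# Assumption: pvimg create takes -i (kernel), -r (ramdisk), -p (parameter file)
# in addition to -k, -C and -o from the page. File names below are constructed.
set -u

# Build the pvimg create command line.
# $1 kernel, $2 initrd, $3 parmfile, $4 output image,
# $5 space-separated host key documents (one -k each),
# $6 space-separated certificates (IBM signing key, DigiCert intermediate).
# Names must not contain spaces; the result is printed, not executed.
build_pvimg_cmd() {
    kernel=$1; initrd=$2; parm=$3; out=$4; hkds=$5; certs=$6
    cmd="pvimg create -i $kernel -r $initrd -p $parm"
    for hkd in $hkds; do
        cmd="$cmd -k $hkd"          # one -k per host the image must run on
    done
    for c in $certs; do
        cmd="$cmd -C $c"            # certificates used to verify the HKDs
    done
    cmd="$cmd -o $out"
    printf '%s' "$cmd"
}

# Fail (return 1) and list every input that is missing or unreadable,
# so a wrong HKD path is caught before pvimg runs.
check_inputs() {
    missing=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Append a zipl.conf section for the secure image unless it already exists.
# $1 zipl.conf path, $2 section name, $3 path of the image written by pvimg.
add_zipl_section() {
    conf=$1; name=$2; image=$3
    if grep -q "^\[$name\]" "$conf" 2>/dev/null; then
        return 0                    # section already present, nothing to do
    fi
    printf '\n[%s]\ntarget=/boot\nimage=%s\n' "$name" "$image" >> "$conf"
}

# Run the whole step: verify inputs, create the image, register it with zipl.
# Only the file names (no user data) are passed through eval.
create_secure_image() {
    kernel=$1; initrd=$2; parm=$3; out=$4; hkds=$5; certs=$6; conf=$7
    check_inputs $kernel $initrd $parm $hkds $certs || return 1
    cmd=$(build_pvimg_cmd "$kernel" "$initrd" "$parm" "$out" "$hkds" "$certs")
    echo "running: $cmd"
    eval "$cmd" || return 1
    add_zipl_section "$conf" secure "$out"
}
```

Typical use on the guest being prepared (run as root, then finish with zipl -V as the page describes): create_secure_image /boot/vmlinuz /boot/initrd.img parmfile /boot/secure-linux "HKD-host1.crt HKD-host2.crt" "ibm_signkey.crt digicert_intermediate.crt" /etc/zipl.conf. The command is printed before it runs so the exact set of host key documents that went into the image is visible in the session log.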
Results
The kernel, initial RAM file system, and parameter file are encrypted. An integrity-protected IBM SEL header is created that contains all information required for booting. The IBM SEL header contains the image encryption key. The header is encrypted with the public host key.
Figure 1. Boot data is consolidated and encrypted by IBM SEL
What to do next
Extract the IBM SEL header for later use with attestation. See Attesting a KVM guest.