Securing the guest

To convert the standard KVM guest into an IBM SEL guest, run the pvimg command. Also create a domain configuration-XML.

Before you begin

You require the pvimg command from the s390-tools package. For more details about the pvimg command, see pvimg create - Generate an IBM SEL image.

The pvimg command requires the following input:
  • The original guest kernel.
  • The original initial RAM file system.
  • A file containing the kernel parameters.
  • The public host key document.
  • The IBM Z signing-key certificate and the DigiCert intermediate certificate, which are used to verify the host key document.
  • The output file name of the resulting bootable image.

You must obtain the public host key document from your cloud provider. It must be available where you are preparing the guest.

Procedure

  1. The pvimg command is part of the s390-tools package. If it is not already installed, download the package into the file system on your Linux instance and install it.
    For example, on an Ubuntu system, use the following command to install the s390-tools package:
    # apt install s390-tools 
  2. Generate the secure image.
    Run the pvimg create command. Issue a command of the following form on one line:
    # pvimg create -i <image> -r <ramdisk> -p <parm_file> 
     -k </path/to/host-key-doc>.crt -C <ibm_signkey> -C <digicert_intermediate> -o <output_image> 
    where:
    • -i <image> specifies the guest kernel.
    • -r <ramdisk> specifies the initial RAM disk.
    • -p <parm_file> specifies the parameter file.
    • -k </path/to/host-key-doc>.crt specifies the host key document.
    • -C <ibm_signkey> specifies the IBM Z signing-key certificate.
    • -C <digicert_intermediate> specifies the DigiCert intermediate certificate.
    • -o <output_image> specifies the resulting image name.
    The host key document must match the host system for which the image is prepared. Specify multiple host key documents to enable the image to run on more than one host.
    For example, to use:
    • a guest kernel located in /boot/vmlinuz.
    • an initial RAM disk /boot/initrd.img.
    • a parameter file parmfile.
    • a host key document HKD-8651-000201C048.crt.
    • an IBM Z signing-key certificate ibm_signkey.crt.
    • a DigiCert intermediate certificate digicert_intermediate.crt.
    • a resulting image /boot/secure-linux.
    issue:
    # pvimg create -i /boot/vmlinuz -r /boot/initrd.img -p parmfile  
     -k HKD-8651-000201C048.crt -C ibm_signkey.crt -C digicert_intermediate.crt -o /boot/secure-linux 
    In this example, the certificate revocation lists are downloaded automatically through an internet connection. If no internet connection is available, you can download the lists manually
  3. Update your boot configuration.
    1. Edit zipl.conf
      For examples of boot configurations for different Linux distributions, see Boot configurations.
      Add a new section for the IBM SEL boot image and save. For example:
      # vi zipl.conf
      ...
      [secure]
      target=/boot
      image=/boot/secure-linux
      ...

      Specify the location of the mounted kernel, the initramfs and the kernel parameter file directories.

    2. Make the new entry the default entry. In zipl.conf make the [secure] entry the default.
      For example:
      [defaultboot]
      default=secure
    3. Run zipl -V.
      The zipl command prepares a boot device.
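
The following wrapper for step 2 is an added example, not part of the original procedure or of s390-tools. It checks every input before calling pvimg create and passes one -k option per host key document, which is the multi-host case described in step 2. The function name secure_image and the PVIMG_DRY_RUN variable are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code). secure_image and PVIMG_DRY_RUN are hypothetical names.
# Usage: secure_image KERNEL RAMDISK PARMFILE SIGNKEY INTERMEDIATE OUTPUT HKD [HKD...]
secure_image() {
    if [ "$#" -lt 7 ]; then
        echo "usage: secure_image KERNEL RAMDISK PARMFILE SIGNKEY INTERMEDIATE OUTPUT HKD [HKD...]" >&2
        return 2
    fi
    si_kernel=$1; si_ramdisk=$2; si_parm=$3
    si_signkey=$4; si_inter=$5; si_out=$6
    shift 6                      # "$@" now holds only the host key documents

    # Fail closed: every input must be a readable, non-empty regular file.
    for si_f in "$si_kernel" "$si_ramdisk" "$si_parm" "$si_signkey" "$si_inter" "$@"; do
        if [ ! -f "$si_f" ] || [ ! -r "$si_f" ] || [ ! -s "$si_f" ]; then
            echo "secure_image: missing, unreadable or empty input: $si_f" >&2
            return 1
        fi
    done

    # Do not let the secure image overwrite one of its own inputs (plain path comparison).
    for si_f in "$si_kernel" "$si_ramdisk" "$si_parm"; do
        if [ "$si_out" = "$si_f" ]; then
            echo "secure_image: output would overwrite input: $si_f" >&2
            return 1
        fi
    done

    # Turn the HKD list into one "-k <file>" pair per host.
    si_n=$#
    for si_f in "$@"; do
        set -- "$@" -k "$si_f"
    done
    shift "$si_n"                # drop the bare file names, keep the -k pairs

    set -- pvimg create -i "$si_kernel" -r "$si_ramdisk" -p "$si_parm" "$@" \
        -C "$si_signkey" -C "$si_inter" -o "$si_out"

    if [ "${PVIMG_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"       # show the command without running it
    else
        "$@"
    fi
}
```

Set PVIMG_DRY_RUN=1 to print the assembled command for review before it is run against the real boot files.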

Results

The kernel, initial RAM file system, and parameter file are encrypted. An integrity-protected IBM SEL header is created that contains all information required for booting. The IBM SEL header contains the image encryption key. The header is encrypted with the public host key.

Figure 1. Boot data is consolidated and encrypted by IBM SEL

Boot files are encrypted and moved to the boot disk

What to do next

Extract the IBM SEL header for later use with attestation. See Attesting a KVM guest.