Preventing SEL guest dumps

Use pvsecret create with the disable-dump flag (--flags disable-dump) to prevent the hypervisor from creating guest kernel dumps.

Dump prevention can also be configured during SEL image creation by using pvimg create --disable-dump. Disabling dumps is the default when creating guest images.

About this task

If a secure execution image vendor creates a guest image with dumps enabled, any dumps are encrypted with the vendor's keys. However, a tenant who takes ownership of such a guest might prefer to prevent the hypervisor from dumping that guest by passing --flags disable-dump in an add-secret request.

You can use the pvsecret create command to only disable dumping, or add the disablement to an add-secret request.

You can enhance the security of the disable-dump request with methods that are described in Preventing the misuse of add-secret requests.

Procedure

  • To prevent dumping, use pvsecret create with a meta secret to pass the --disable-dump flag to the guest. Issue a command of the form:
    # pvsecret create meta -k <host_key_document> --hdr <SEL_header> -o <request_file> \
    --crt <CA_certificate> --crt <IBM_signing_certificate> \
    --flags disable-dump
    where:
    • meta creates an add-secret request that contains a meta secret. Use a meta secret to carry flags to the ultravisor without having to provide an actual secret value. Meta secrets do not appear in the list of secrets.
    • -k <host_key_document> specifies the host key document.
    • --hdr <SEL_header> specifies the header of the KVM guest.
    • -o <request_file> specifies the file that contains the generated add-secret request.
    • --crt <CA_certificate> (short form -C) specifies a certificate that is used to establish a chain of trust for the verification of the host key document. Specify this option twice: once for the IBM Z signing-key certificate and once for the intermediate CA certificate (signed by the root CA).
    • --flags disable-dump disables host-initiated dumping for the target guest instance.
    For example, to use:
    • a host-key document z16.crt
    • a guest header se.hdr
    • a CA certificate DigiCertCA.crt
    • an IBM signing key ibm-sign.crt
    and disable dumps for this guest, issue the following command on a trusted system as a single command:
    # pvsecret create meta -k z16.crt --hdr se.hdr -o addNoDumpReq \
    --crt DigiCertCA.crt --crt ibm-sign.crt \
    --flags disable-dump
    The command prevents any memory dumps from being taken from this Linux instance. The command creates an add-secret request and writes it to addNoDumpReq.
  • To prevent dumping and also create an association secret, issue a command of the form (as a single command):
    # pvsecret create association -k <host_key_document> --hdr <SEL_header> -o <request_file> \
    --crt <CA_certificate> --crt <IBM_signing_certificate> \
    --flags disable-dump <name>
    where the options are the same as explained in the previous example, except:
    • association specifies that the add-secret request is for an association secret.
    • <name> specifies a string that identifies the new secret. The string is hashed with SHA-256 to form the ID that is used by the ultravisor. The ID is saved in <name>.yaml, with white space in the name mapped to underscores (_).
    For example, to use the same input as before, but also create an association secret, issue the following command on a trusted system:
    # pvsecret create association -k z16.crt --hdr se.hdr -o addSecretReq \
    --crt DigiCertCA.crt --crt ibm-sign.crt \
    --flags disable-dump "myConfidentialSecret"
    The command prevents any dumps from being taken from this Linux® instance. The command creates an add-secret request and writes it to addSecretReq. It also creates an identifier for the request, consisting of the SHA-256 hash of the association string myConfidentialSecret. The ID is saved in myConfidentialSecret.yaml.
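The following helper script is an added example and is not part of the IBM documentation or of the pvsecret tool. It wraps the two pvsecret invocations above (using the page's file names z16.crt, se.hdr, DigiCertCA.crt and ibm-sign.crt) and adds two small functions that let an operator predict the <name>.yaml file name and the association-secret ID before running the command; it assumes that the ID is the plain SHA-256 of the UTF-8 bytes of <name>, which should be checked against the generated .yaml file.

```shell
#!/bin/sh
# Added example, not from the IBM documentation or from s390-tools.
# Assumption: the association-secret ID is SHA-256 over the UTF-8 bytes
# of the name string; verify against the <name>.yaml that pvsecret writes.
set -eu

# File name that pvsecret writes the ID to: the name with white space
# mapped to underscores, plus the .yaml suffix.
assoc_id_file() {
    printf '%s.yaml' "$(printf '%s' "$1" | tr '[:space:]' '_')"
}

# Expected secret ID (hex SHA-256 of the name). Uses sha256sum where
# available and falls back to shasum (macOS).
assoc_id() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Hypothetical wrapper around the page's commands.
#   $1 = meta | association
#   $2 = output file for the add-secret request
#   $3 = association name (association only)
# Input files are the constructed names used in the page's examples.
create_nodump_request() {
    kind=$1; out=$2; shift 2
    for f in z16.crt se.hdr DigiCertCA.crt ibm-sign.crt; do
        [ -r "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done
    # --flags disable-dump is what prevents host-initiated dumps.
    pvsecret create "$kind" -k z16.crt --hdr se.hdr -o "$out" \
        --crt DigiCertCA.crt --crt ibm-sign.crt \
        --flags disable-dump "$@"
}

# Example invocations (need the input files and pvsecret on the PATH):
#   create_nodump_request meta addNoDumpReq
#   create_nodump_request association addSecretReq "myConfidentialSecret"
#   assoc_id "myConfidentialSecret"        # expected ID to compare with
#   assoc_id_file "myConfidentialSecret"   # -> myConfidentialSecret.yaml
```

Compare the value printed by assoc_id with the ID recorded in the .yaml file that pvsecret creates; a mismatch means the hashing assumption above does not hold for your pvsecret version.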