Installing the signed kernel modules for secure boot on Linux on Z

Starting with 5.2.1.0, IBM Storage Scale supports the secure boot feature on Linux® on Z. For IBM Storage Scale, using secure boot means that the kernel modules are cryptographically signed by IBM so that their integrity can be verified when the system starts.

Follow these steps to install the signed kernel modules for IBM Storage Scale on Linux on Z.

  1. Verify that the virtual machine (VM) or logical partition (LPAR) of the Linux on Z system supports secure boot.

    Use the following command. An output of 1 indicates that secure boot is supported:

    cat /sys/firmware/ipl/has_secure
    1
  2. Download from Fix Central the RPM package that holds the signed kernel modules. The public key is either part of the self-extracting package or it is included as part of the signed kernel stand-alone package.
  3. Import the public key by using the Linux on Z HMC.
  4. Assign the public key to the appropriate VM or LPAR.
  5. Restart the VM or LPAR and verify that the system is in secure boot mode by issuing the following command:
    cat /sys/firmware/ipl/secure
    1

    For information about how to restart the VM or LPAR in secure boot mode, see Initiating secure boot in Linux on IBM Systems documentation.

  6. Check that the key import was successful by issuing the command:
    keyctl list %:.platform
  7. Install the gpfs.gplbin RPM.
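
The checks from steps 1, 5 and 6 can be combined into one gate that runs before step 7. The following script is an added example, not part of the IBM documentation; the IPL_DIR override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code): gate step 7 on the checks from steps 1, 5 and 6.
# IPL_DIR can be overridden for testing; the override is an assumption of this example.
IPL_DIR="${IPL_DIR:-/sys/firmware/ipl}"

# Print the flag stored in a sysfs file, or "missing" if it cannot be read.
read_flag() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'missing'; fi
}

# Classify the IPL state: unsupported | supported-not-active | active
secure_boot_state() {
    dir="${1:-$IPL_DIR}"
    if [ "$(read_flag "$dir/has_secure")" != "1" ]; then
        echo unsupported            # step 1 failed: VM or LPAR cannot do secure boot
    elif [ "$(read_flag "$dir/secure")" != "1" ]; then
        echo supported-not-active   # step 5 failed: system was not started in secure boot mode
    else
        echo active
    fi
}

# Count asymmetric keys in `keyctl list` output supplied on stdin.
platform_key_count() {
    grep -c 'asymmetric:' || true   # grep -c prints 0 but exits 1 when nothing matches
}

# Return 0 only when secure boot is active and the .platform keyring holds a key.
preinstall_check() {
    state=$(secure_boot_state "$IPL_DIR")
    echo "secure boot state: $state"
    [ "$state" = "active" ] || return 1
    command -v keyctl >/dev/null 2>&1 || { echo "keyctl not installed"; return 1; }
    keys=$(keyctl list %:.platform 2>/dev/null | platform_key_count)
    echo "keys in .platform keyring: $keys"
    [ "$keys" -gt 0 ]
}

if preinstall_check; then
    echo "ready: install the gpfs.gplbin RPM"
else
    echo "not ready: do not install gpfs.gplbin yet"
fi
```

A non-zero key count shows only that some asymmetric key is present in the keyring; compare the description in the keyctl output with the public key that you imported in step 3.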