Signed kernel modules for UEFI secure boot on x86_64 and secure boot Linux on Z

Starting with IBM Storage Scale 5.1.9.0, the secure boot that is defined by the Unified Extensible Firmware Interface (UEFI) is supported on x86_64; 5.2.1.0 onward, secure boot is supported on Linux® on Z. The secure boot is a verification mechanism that ensures the code that is launched by a computer firmware can be trusted.

For IBM Storage Scale, using the secure boot means that the kernel modules are cryptographically signed by IBM so that their integrity can be verified when the system starts.

The signed kernel modules and the public key for verification are provided by IBM at Fix Central.

The correct RPM package with signed kernel modules for your system can be determined from the name of the RPM because the name incorporates the necessary information.

On x86_64, for example, if the name of the RPM package is gpfs.gplbin-5.14.0-284.25.1.el9_2.x86_64-5.2.3.0.x86_64.rpm:
  • "5.14.0-284.25.1" is the kernel for which the modules in the RPM are built.
  • "el9_4.x86_64" stands for RHEL 9.2 on x86_64.
  • "5.2.3.0" refers to the IBM Storage Scale release.
On Linux on Z, for example, if the name of the RPM package is gpfs.gplbin-5.14.0-427.18.1.el9_4.s390x-5.2.3-0.s390x.rpm:
  • "5.14.0-427.18.1" is the kernel for which the modules in the RPM are built.
  • "el9_4.s390x " stands for RHEL 9.4 on s390x (Linux on Z).
  • "5.2.3-0" refers to the IBM Storage Scale release.

The following information of the RPM package must be an exact match with the information of the system where the RPM is to be installed:

  • Kernel level
  • RHEL operating system level
  • Architecture
  • All four digits of the IBM Storage Scale release
If the match is not exact, the signed modules in the RPM package are not accepted and IBM Storage Scale does not start. This remains true if you upgrade the kernel level, which means that you must upgrade to a new version of the IBM Storage Scale RPM with the signed kernel modules.
Notes:
  • It is sufficient to upgrade just the gpl.bin RPM rather than all IBM Storage Scale RPMs. You need to upgrade all IBM Storage Scale RPMs only if a gpl.bin RPM is unavailable for the needed level.
  • If you installed the gpfs.gplbin and the gpfs.gpl, which contain the source of the kernel modules, do not run the mmbuildgpl command. Because the mmbuildgpl command overwrites the signed kernel modules with unsigned kernel modules; and IBM Storage Scale does not work anymore until you install the gpfs.gplbin RPM again.

IBM Storage Scale 5.1.9.0 supports kernel modules for RHEL 9.2 on the x86_64 platform; 5.2.1.0 onward, kernel modules for RHEL 9.4 on the s390x platform are supported. New signed modules will be available for all succeeding kernel updates and IBM Storage Scale PTFs in these cases:

  • If a new IBM Storage Scale package is installed, make sure that you have the matching RPM for the signed kernel modules.
  • If the kernel on a node that runs IBM Storage Scale is updated, make sure that you also upgrade the signed kernel modules with a matching version.