Secure Execution for Linux feature
With the IBM® Secure Execution for Linux® feature, you can deploy multiple secure, isolated virtual environments on a single system. Secure Execution isolates and protects any guests that run on a hypervisor by restricting host access to guest workloads and data. It protects the confidentiality and integrity of guest data from both internal and external attacks, but does not protect against a denial of service.
- Order the feature.
- Install the feature, using the Perform Model Conversion task.
- Import the key bundles.
To import the key bundles, log in to the Support Element using the SERVICE user ID or an ID with equivalent permissions, and open the System Details task to the General section. In that section, select Manage Keys to open the Manage Secure Execution Keys task, through which you can import the keys. On either the HMC or SE, you can view details about each key, including the hashes for the existing global or host key. If your user ID has the System Programmer Tasks role, you can clear the global or host key. Clearing a key immediately prevents further usage by any partition on the system and deletes the corresponding key bundle file from the system.
For more information about the IBM Secure Execution for Linux feature, see Introducing IBM Secure Execution for Linux 1.1.0, SC34-7721, which is available in IBM Documentation at: https://www.ibm.com/docs/en/linux-on-systems?topic=overview-introducing-secure-execution-linux.
- To determine whether a system has this feature installed, open the System Details task to the General section, and check the Secure Execution indicator. This indicator is also available on the Systems tab on the HMC Systems Management view, but the Secure Execution column on that tab is not displayed in the predefined default table view. To display the Secure Execution column, select the Manage Views icon in the work pane table toolbar to customize the table view.
- To configure Linux for secure execution, see the product documentation for the Linux distribution that you are using as a hypervisor. This feature supports Linux (KVM) hypervisors.
- To determine whether the Linux hypervisor that runs on a partition is configured for secure execution, go to the General section of the Partition Details task and check the value displayed for the Secure Execution field.