A fix is available
APAR status
Closed as new function.
Error description
Provide DirMaint support to allow guest secure IPL (load and dump) for both ECKD and SCSI devices. A z/VM user can request that the machine loader validate the signed IPL code by using the security keys that were previously loaded by the customer into the HMC certificate store. The validation ensures that the IPL code is intact, unaltered, and originates from a trusted build-time source.
Local fix
N/A
Problem summary
****************************************************************
* USERS AFFECTED: All users of DirMaint needing the new        *
* support for guest secure IPL.                                *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
****************************************************************
* RECOMMENDATION: APPLY PTF                                    *
****************************************************************
With the PTFs for APARs VM66424 (DirMaint), VM66434 (CP), and VM66650 (SMAPI), z/VM V7.3 supports guest secure IPL (load and dump) for both ECKD and SCSI devices. A z/VM guest can request that the zBootLoader validate the signed IPL code by using the security keys that were previously loaded by the customer into the HMC certificate store. The validation ensures that the IPL code is intact, unaltered, and originates from a trusted build-time source.

Support is provided for the following guest operating systems:
- Linux is fully supported. If the IPL code does not validate, the IPL stops.
- z/OS is supported in audit mode only. Full exploitation requires Virtual Flash Memory support, which is not available to a guest. In audit mode, the IPL code is checked but the IPL continues even if the code is not valid.

Additional Keywords: D/T3931 D/T3932

The following DirMaint commands are updated for this support:

IPL
The DirMaint IPL command is updated to support the LOADDEV keyword and optionally allow the LOADPARM operand. The LOADDEV keyword specifies that a list-directed IPL operation from an FCP-attached or ECKD device will be initiated. This feature requires that all necessary parameters, including the device number, have previously been defined with LOADDEV directory statements.

LOADDEV
Use the LOADDEV operand of the DIRMAINT command to query, delete, add, or change a LOADDEV user directory statement. The LOADDEV operand sets parameters for a guest IPL from a SCSI or ECKD disk. Parameters can identify the location of a boot program and data to pass to the program.
The parameters can identify the virtual device number and specify whether the IPL is a secure IPL. The following operands are new with this support:

SCSI
Specifies that this statement is setting up for an IPL of a SCSI device and that only SCSI operands or general operands are acceptable on this statement or on LOADDEV statements that follow for this user. SCSI is the default.

ECKD
Specifies that this statement is setting up for an IPL of an ECKD device and that only ECKD operands or general operands are acceptable on this statement or on LOADDEV statements that follow for this user.

DEVice vdev
The virtual device number of the device that is to be IPLed.

BOOTprog nn
BOOTprog AUTOmatic
A decimal value between 0 and 30 representing the program table entry to use for IPLing from the SCSI or ECKD device. AUTOmatic indicates that the first operating system program (not a dump program) listed in the program table is to be loaded.

BOOTREC cyl head rec
BOOTREC LABEL
The hexadecimal numbers of the cylinder (cyl), head (head), and record (rec) where the boot record is located. The three values are delimited by blanks. Leading zeroes are not required. BOOTREC is optional; if it is not specified, the boot record is identified in the volume label. A value of LABEL can also be specified on this operand to indicate that the boot record in the volume label is to be used. The cylinder range allowed is 0 to FFFFFFFF. The head (or track) range allowed is 0 to F. The record range allowed is 1 to FF. The BOOTREC operand is specified for ECKD devices only.

SECURE|NOSECURE
Indicates whether or not the IPL should be done as a secure IPL.

SETOPTN
The DirMaint SETOPTN command is updated for the new SECUREIPLREQuired option. The SECUREIPLREQuired option specifies that the virtual machine can be IPLed only with a list-directed secure IPL using the SECURE option on the IPL command.
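As an added example, not part of this APAR and not DirMaint code, the following Python applies the LOADDEV operand rules and the SETOPTN SECUREIPLREQuired rule described above to statements an administrator might put in a user's directory entry: the SCSI/ECKD operand is carried forward to the user's following LOADDEV statements, BOOTREC is rejected unless the ECKD mode is in effect, the BOOTPROG/BOOTREC value ranges are enforced, and an IPL command is accepted under SECUREIPLREQUIRED only when it is a list-directed IPL with the SECURE option. The statement forms, the dict representation, the function names and the assumed virtual device number range of 0000-FFFF are this example's own assumptions; the sample statements are constructed.

```python
"""Validate LOADDEV directory statements and the SETOPTN SECUREIPLREQUIRED rule
as described in APAR VM66424.

Added example: not DirMaint code and not text from the APAR. Operand names,
minimum abbreviations and value ranges follow the APAR; the dict representation,
function names, the vdev range (assumed 0000-FFFF) and the sample statements
under __main__ are this example's own constructed assumptions.
"""
import re

# Operand keyword -> minimum abbreviation length (DEVice, BOOTprog in the APAR).
_KEYWORDS = {"SCSI": 4, "ECKD": 4, "DEVICE": 3, "BOOTPROG": 4, "BOOTREC": 7,
             "SECURE": 6, "NOSECURE": 8}


def canon(word):
    """Expand a possibly abbreviated operand keyword; None if not recognised."""
    w = word.upper()
    for full, minlen in _KEYWORDS.items():
        if len(w) >= minlen and full.startswith(w):
            return full
    return None


def _hex_in(tok, lo, hi):
    """Parse a hexadecimal token and require lo <= value <= hi."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", tok):
        raise ValueError(f"{tok!r} is not hexadecimal")
    value = int(tok, 16)
    if not lo <= value <= hi:
        raise ValueError(f"{tok!r} is outside {lo:X}-{hi:X}")
    return value


def parse_loaddev(statement, mode="SCSI"):
    """Parse one 'LOADDEV ...' statement.

    mode is the device type set by an earlier LOADDEV statement of the same
    user (SCSI is the default). Returns (settings, mode) or raises ValueError
    for an operand that is malformed or not acceptable in the current mode.
    """
    toks = statement.split()
    if not toks or toks[0].upper() != "LOADDEV":
        raise ValueError("not a LOADDEV statement")
    settings, i = {}, 1
    try:
        while i < len(toks):
            kw = canon(toks[i])
            if kw is None:
                raise ValueError(f"unknown operand {toks[i]!r}")
            if kw in ("SCSI", "ECKD"):
                mode = kw            # sticky for the user's following statements
                i += 1
            elif kw == "DEVICE":     # vdev: assumed 1-4 hex digits, 0000-FFFF
                settings["DEVICE"] = f"{_hex_in(toks[i + 1], 0, 0xFFFF):04X}"
                i += 2
            elif kw == "BOOTPROG":   # decimal 0-30 or AUTOmatic
                val = toks[i + 1].upper()
                if len(val) >= 4 and "AUTOMATIC".startswith(val):
                    settings["BOOTPROG"] = "AUTOMATIC"
                elif val.isdecimal() and int(val) <= 30:
                    settings["BOOTPROG"] = int(val)
                else:
                    raise ValueError(f"BOOTPROG {val!r}: need 0-30 or AUTOmatic")
                i += 2
            elif kw == "BOOTREC":    # ECKD only: cyl head rec in hex, or LABEL
                if mode != "ECKD":
                    raise ValueError("BOOTREC is accepted for ECKD devices only")
                if toks[i + 1].upper() == "LABEL":
                    settings["BOOTREC"] = "LABEL"
                    i += 2
                else:
                    cyl, head, rec = toks[i + 1], toks[i + 2], toks[i + 3]
                    settings["BOOTREC"] = (_hex_in(cyl, 0, 0xFFFFFFFF),
                                           _hex_in(head, 0, 0xF),
                                           _hex_in(rec, 1, 0xFF))
                    i += 4
            else:                    # SECURE / NOSECURE
                settings["SECURE"] = kw == "SECURE"
                i += 1
    except IndexError:
        raise ValueError("operand is missing its value") from None
    return settings, mode


def user_loaddev(statements):
    """Apply a user's LOADDEV statements in order, carrying the SCSI/ECKD mode
    forward as the APAR describes, and return the merged settings."""
    merged, mode = {}, "SCSI"
    for stmt in statements:
        settings, mode = parse_loaddev(stmt, mode)
        merged.update(settings)
    merged["TYPE"] = mode
    return merged


def check_ipl(ipl_command, secure_ipl_required):
    """SETOPTN SECUREIPLREQUIRED rule: with the option set, only a list-directed
    secure IPL ('IPL LOADDEV ... SECURE') may proceed. Returns True or False."""
    toks = [t.upper() for t in ipl_command.split()]
    if not toks or toks[0] != "IPL":
        raise ValueError("not an IPL command")
    if not secure_ipl_required:
        return True
    return "LOADDEV" in toks and "SECURE" in toks


if __name__ == "__main__":
    # Constructed sample: an ECKD guest with SECUREIPLREQUIRED in effect.
    print(user_loaddev(["LOADDEV ECKD DEVICE 200 BOOTPROG AUTO",
                        "LOADDEV BOOTREC 0 1 3 SECURE"]))
    print(check_ipl("IPL LOADDEV LOADPARM 1 SECURE", True))   # allowed
    print(check_ipl("IPL 200", True))                          # rejected
```

The mode check matters in practice: because SCSI is the default, a BOOTREC operand on a user's first LOADDEV statement is rejected unless ECKD was stated on that statement or on an earlier one for the same user, which matches the ordering rule in the operand descriptions above.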
Updated DirMaint menus and help files are provided for the updated IPL, LOADDEV, and SETOPTN commands, along with help files for the updated DVH1210 and DVH1400 messages.

The following z/VM 7.3 publications are updated to reflect this support:
GC24-6282-73: Directory Maintenance Facility Messages
SC24-6281-73: Directory Maintenance Facility Commands Reference
Problem conclusion
Temporary fix
Comments
N/A
APAR Information
APAR number
VM66424
Reported component name
IBM DIRMAINT-VM
Reported component ID
5749DVH00
Reported release
730
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2022-10-06
Closed date
2023-05-15
Last modified date
2023-10-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UV99435
Modules/Macros
DVHADZ DVHAEZ DVHBBIUP DVHBBXED DVHBBXIA DVHBBXSR DVHGSTWO DVHMENUS DVHMNU DVHQUEUE DVH1210 DVH1400 IPL LOADDEV OPTION OPTIONS SETOPTN 150AUSER
GC24628273 | SC24628173 |
Fix information
Fixed component name
IBM DIRMAINT-VM
Fixed component ID
5749DVH00
Applicable component levels
R730 PSY UV99435
UP23/05/18 P 2302
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
12 October 2023