VM66424: DirMaint support for Guest Secure IPL


APAR status

  • Closed as new function.

Error description

  • Provide DirMaint support to allow guest secure IPL (load and
    dump) for both ECKD and SCSI devices.
    
    A z/VM user can request that the machine loader validate the
    signed IPL code by using the security keys that were previously
    loaded by the customer into the HMC certificate store. The
    validation ensures that the IPL code is intact, unaltered, and
    originates from a trusted build-time source.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of DirMaint needing the new        *
    *                 support for guest secure IPL.                *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    With the PTF for APARs VM66424 (DirMaint), VM66434 (CP), and
    VM66650 (SMAPI), z/VM V7.3 supports guest secure IPL (load
    and dump) for both ECKD and SCSI devices. A z/VM guest can
    request that the zBootLoader validate the signed IPL code by
    using the security keys that were previously loaded by the
    customer onto the HMC certificate store. The validation
    ensures that the IPL code is intact, unaltered, and originates
    from a trusted build-time source. Support is provided for
    the following guest operating systems:
    
    - Linux is fully supported. If the IPL code does not validate,
      the IPL stops.
    - z/OS is supported in audit mode only. Full exploitation
      requires Virtual Flash Memory support, which is not
      available to a guest. In audit mode, the IPL code is
      checked but the IPL continues even if the code is not valid.
    
    Additional Keywords: D/T3931 D/T3932
    
    The following DirMaint commands are updated for this support:
    
     IPL
     The DirMaint IPL command is updated to support the LOADDEV
     keyword and to optionally allow the LOADPARM operand. The LOADDEV
     keyword specifies that a list-directed IPL operation from an
     FCP-attached or ECKD device is to be initiated. This feature
     requires that all necessary parameters, including the device
     number, have previously been defined with LOADDEV directory
     statements.
    
     LOADDEV
     Use the LOADDEV operand of the DIRMAINT command to query,
     delete, add, or change a LOADDEV user directory statement.
     The LOADDEV operand sets parameters for a guest IPL from SCSI
     or ECKD disk. Parameters can identify the location of a boot
     program and data to pass to the program. The parameters can
     identify the virtual device number and specify whether the IPL
     is a secure IPL.
    
     The following are new operands added by this support.
    
       SCSI
       Specifies that this statement is setting up for an IPL of a
       SCSI device and that only SCSI operands or general operands
       are acceptable on this statement or on LOADDEV statements that
       follow for this user. SCSI is the default.
    
       ECKD
       Specifies that this statement is setting up for an IPL of an
       ECKD device and that only ECKD operands or general operands
       are acceptable on this statement or on LOADDEV statements that
       follow for this user.
    
       DEVice vdev
       The virtual device number of the device that is to be IPLed.
    
       BOOTprog nn
       BOOTprog AUTOmatic
       A decimal value between 0 and 30 representing the program
       table entry to use for IPLing from the SCSI or ECKD device.
       AUTOmatic indicates that the first operating system program
       (not a dump program) listed in the program table is to be
       loaded.
    
       BOOTREC cyl head rec
       BOOTREC LABEL
       The hexadecimal numbers of the cylinder (cyl), head (head),
       and record (rec) where the boot record is located. The three
       values are delimited by blanks. Leading zeroes are not
       required. BOOTREC is optional. If it is not specified, the
       boot record is identified in the volume label. A value of
       LABEL can also be specified on this operand to indicate that
       the boot record in the volume label is to be used. The cylinder
       range allowed is 0 to FFFFFFFF. The head (or track) range
       allowed is 0 to F. The record range allowed is 1 to FF. The
       BOOTREC operand is specified for ECKD devices only.
    
       SECURE|NOSECURE
       Indicates whether or not the IPL is to be done as a secure IPL.
    
     SETOPTN
     The DirMaint SETOPTN command is updated for the new
     SECUREIPLREQuired option. The SECUREIPLREQuired option
     specifies that the virtual machine can be IPLed only with
     list-directed secure boot using the SECURE option on the IPL
     command.
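    As an added illustration (not part of this APAR text), the fragments
    below show how the IPL, LOADDEV and SETOPTN operands described above
    combine in a guest's directory entry: an entry that IPLs an ECKD
    volume without verification, and the same guest converted to an
    enforced secure IPL. The userid LNXGST01, the virtual device number
    0200, the USER statement values and the DIRM FOR userid command form
    are assumptions; the operands themselves are the ones named on this page.

```text
* Constructed example: guest LNXGST01, boot volume at virtual 0200.
* Lines beginning with an asterisk are z/VM directory comments.

* --- Before: list-directed IPL, boot code is not verified -----------
USER LNXGST01 LBYONLY 4G 8G G
 IPL LOADDEV
 LOADDEV ECKD DEVICE 0200 BOOTPROG AUTOMATIC BOOTREC LABEL NOSECURE
* NOSECURE: the machine loader is not asked to check a signature, so
* altered or unsigned IPL code on 0200 is loaded without complaint.

* --- After: verified and enforced ----------------------------------
USER LNXGST01 LBYONLY 4G 8G G
* SECURE: the machine loader validates the signed IPL code against
* the keys the customer loaded into the HMC certificate store.
* Linux guest: a failed check stops the IPL.
* z/OS guest: audit mode only, the IPL continues after a failed check.
 LOADDEV ECKD DEVICE 0200 BOOTPROG AUTOMATIC BOOTREC LABEL SECURE
 IPL LOADDEV
* Set through DirMaint SETOPTN: the virtual machine can be IPLed only
* with list-directed secure boot using the SECURE option.
 OPTION SECUREIPLREQUIRED

* --- DirMaint commands that build the "after" entry -----------------
* Assumed form; operand order and the DIRM FOR prefix are not taken
* from this page.
DIRM FOR LNXGST01 LOADDEV ECKD DEVICE 0200 BOOTPROG AUTOMATIC BOOTREC LABEL SECURE
DIRM FOR LNXGST01 IPL LOADDEV
DIRM FOR LNXGST01 SETOPTN SECUREIPLREQUIRED
```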
    
    Updated DirMaint menus and help files are provided for the
    updated IPL, LOADDEV, and SETOPTN commands along with help
    files for the updated DVH1210 and DVH1400 messages.
    
    The following z/VM 7.3 publications are updated to reflect this
    support:
    GC24-6282-73: Directory Maintenance Facility Messages
    SC24-6281-73: Directory Maintenance Facility Commands Reference
    

Problem conclusion

Temporary fix

Comments

  • N/A
    

APAR Information

  • APAR number

    VM66424

  • Reported component name

    IBM DIRMAINT-VM

  • Reported component ID

    5749DVH00

  • Reported release

    730

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2022-10-06

  • Closed date

    2023-05-15

  • Last modified date

    2023-10-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UV99435

Modules/Macros

  • DVHADZ   DVHAEZ   DVHBBIUP DVHBBXED DVHBBXIA DVHBBXSR DVHGSTWO
    DVHMENUS DVHMNU   DVHQUEUE DVH1210  DVH1400  IPL      LOADDEV
    OPTION   OPTIONS  SETOPTN  150AUSER
    

Publications Referenced

  • GC24-6282-73
    SC24-6281-73

Fix information

  • Fixed component name

    IBM DIRMAINT-VM

  • Fixed component ID

    5749DVH00

Applicable component levels

  • R730 PSY UV99435

       UP23/05/18 P 2302  

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
12 October 2023