A fix is available
APAR status
Closed as new function.
Error description
Provide support to allow guest secure IPL (load and dump) for both ECKD and SCSI devices. A z/VM user can request that the machine loader validate the signed IPL code by using the security keys that were previously loaded by the customer on the HMC certificate store. The validation ensures that the IPL code is intact, unaltered, and originates from a trusted build-time source.
Local fix
Problem summary
USERS AFFECTED: Users with Linux z/VM guests
PROBLEM DESCRIPTION: A way is needed to have the machine loader on a D/T3931 or D/T3932 validate that the code being IPLed in a guest is intact, unaltered, and originates from a trusted build-time source.
RECOMMENDATION: APPLY PTF
Problem conclusion
Temporary fix
Comments
Guest secure IPL is supported from both ECKD and SCSI devices. With the PTF for APARs VM66434 (CP), VM66424 (DirMaint), and VM66650 (SMAPI), z/VM V7.3 supports guest secure IPL (load and dump) for both ECKD and SCSI devices on an IBM z16 machine with driver D51C bundle 19. A z/VM user can request that the machine loader validate the signed IPL code by using the verification keys that were previously loaded by the customer into the HMC certificate store. The validation ensures that the IPL code is intact, unaltered, and originates from a trusted build-time source.

List-directed IPL is changed to allow IPL of ECKD as well as SCSI devices. To do a secure list-directed IPL, use the new SECURE option on SET LOADDEV or SET DUMPDEV, along with the new LOADDEV or DUMPDEV operands on the IPL command. Alternatively, use the SECURE option on the LOADDEV directory statement and the LOADDEV operand on the IPL directory statement.

The SET LOADDEV and SET DUMPDEV commands are changed to allow specification of a device number, ECKD-specific operands, and the new SECURE option. Similar changes are made to the LOADDEV directory statement. The output of the QUERY LOADDEV and QUERY DUMPDEV commands now reflects the changes to the respective SET commands.

A new option (SECUREIPLREQUIRED) has been added to the directory OPTION statement. A virtual machine that has this option specified in its directory entry can only IPL using the new SECURE IPL method.

The INDICATE USER command with the EXPANDED option has been modified to include an indication of whether the most recent IPL was a secure IPL.

The following monitor records are updated:
* Domain 1 record 4: Flags are added to indicate whether the secure IPL facility is available and the VM support is installed.
* Domain 1 record 15: A flag is added to indicate whether the user's most recent IPL was a secure IPL.
* Domain 4 record 2: A flag is added to indicate whether the user's most recent IPL was a secure IPL.
* Domain 4 record 3: A flag is added to indicate whether the user's most recent IPL was a secure IPL.

The following HELP files have changed:
IPL HELPDIRE
LOADDEV HELPDIRE
OPTION HELPDIRE
DEFSYS HELPCP
USER HELPINDI
IPL HELPCP
LOGON HELPCP
DUMPDEV HELPCPQU
LOADDEV HELPCPQU
DUMPDEV HELPCPSE
LOADDEV HELPCPSE
VMRELOCA HELPCP
HCP1612E HELPMSG
HCP1613E HELPMSG
HCP1614E HELPMSG
HCP1615E HELPMSG
HCP1616E HELPMSG
HCP1617E HELPMSG
HCP1822E HELPMSG
HCP1944I HELPMSG
HCP2768E HELPMSG
HCP2813E HELPMSG
HCP2815E HELPMSG
HCP6706E HELPMSG
DIRECTXA HELPCP
TRACERED HELPCP
HCP6758W HELPMSG

What is supported and what is not:
* This support provides the ability for a Linux guest at the appropriate code level to exploit hardware to validate the code being booted, helping to ensure it is signed by the client administrator or the supplier of the code.
* z/OS is supported in audit or non-secure mode only. For secure mode, z/OS requires Virtual Flash Memory support, which is not available to a guest. In audit mode, the IPL code is checked but the IPL continues even if the code is not valid.
* Secure IPL of the z/VM host and z/VM Stand-alone Dump are not supported. z/VM and z/VM Stand-alone Dump do not support performing host IPL via List-Directed IPL (LD-IPL) from ECKD.

To use the Guest Secure IPL support, the following are required:
* Machine required: IBM z16 (D/T3931 or D/T3932) with driver D51C bundle 19 or later.
* DirMaint support requires APAR VM66424.
* SMAPI support requires APAR VM66650.
* Linux on IBM zSystems instances which previously were able to perform secure boot first level on an IBM z15 or IBM LinuxONE III prior to Driver D41C Bundle S73a, or on an IBM z16 or IBM LinuxONE 4 prior to Driver D51C Bundle S18, will no longer be able to use secure boot until appropriate additional support is applied to the Linux image.

See the corresponding Machine Field Alert for details on the required service level of Linux to properly IPL securely first or second level after Driver D41C Bundle S73a or Driver D51C Bundle S18 has been applied. The Machine Field Alert can be found at the following URL: https://www-40.ibm.com/servers/resourcelink/lib03020.nsf/pagesByDocid/272B3DD994A65B538525899F005FA0E6?OpenDocument
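Added example, not from the APAR text, showing the two ways the comments describe to request a secure list-directed IPL from a SCSI boot device: enforced in the user directory, and interactively with CP commands. The user ID, device number, port name and LUN are constructed; PORTNAME, LUN and BOOTPROG are the existing SCSI LOADDEV operands, while the exact placement of SECURE is assumed from the description above (the new device-number and ECKD-specific operand names are not given on the page, so they are not shown).

```text
* Constructed user directory entry. OPTION SECUREIPLREQUIRED means
* this guest can only IPL by the SECURE method, so an unsigned or
* tampered boot loader cannot be started by falling back to a
* non-secure IPL. The LOADDEV statements carry the SECURE option
* (placement assumed), and IPL LOADDEV uses them at logon.
USER LNXSEC LBYONLY 4G 8G G
 OPTION SECUREIPLREQUIRED
 LOADDEV PORTNAME 50050763 00C20B8E
 LOADDEV LUN 52410000 00000000
 LOADDEV BOOTPROG 0
 LOADDEV SECURE
 IPL LOADDEV
 DEDICATE 1A00 1A00

* Interactive equivalent from the guest console (CP commands).
* FCP subchannel 1A00 (constructed) is already attached. With
* SECURE set, the machine loader validates the signed IPL code
* against the keys in the HMC certificate store before the guest
* runs it; QUERY LOADDEV shows the SECURE setting before the IPL,
* and INDICATE USER ... EXPANDED shows afterwards whether the most
* recent IPL was in fact a secure IPL.
SET LOADDEV PORTNAME 50050763 00C20B8E LUN 52410000 00000000 BOOTPROG 0 SECURE
QUERY LOADDEV
IPL LOADDEV
```

For an audit trail, the monitor records listed above (Domain 1 record 15, Domain 4 records 2 and 3) carry the same secure-IPL flag, so a collector can alert on guests that are expected to IPL securely but did not.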
APAR Information
APAR number
VM66434
Reported component name
VM CP CP
Reported component ID
568411202
Reported release
730
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2022-10-20
Closed date
2023-05-16
Last modified date
2023-10-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UM90281
Modules/Macros
CBITABLE CPLOAD DEFSYS DIRECTXA DUMPDEV HCPARD HCPBVM HCPCBI HCPCLS HCPCLT HCPCTS HCPDGFBK HCPDGNDF HCPDIR HCPDVMD HCPEQUAT HCPFCD HCPFCL HCPFCLBK HCPFCS HCPFCSPL HCPFRG HCPGETST HCPHRP HCPHRU HCPHTU HCPHVB HCPIOD HCPIPLBK HCPISU HCPLDI HCPLGN HCPMDLAT HCPMES HCPMESB HCPMNU HCPMOD HCPMOM HCPMTS HCPMXL HCPMXRBK HCPPAV HCPPCB HCPPCS HCPPCT HCPPMP HCPPPD HCPPTE HCPRFI HCPRLE HCPRLG HCPRLJ HCPRLP HCPRLU HCPRST HCPSAS HCPSDT HCPSXP HCPSYS HCPSYSCM HCPSZK HCPSZL HCPTHL HCPTHU HCPUDM HCPUSP HCPUWKPG HCPVINOP HCPVMDBK HCPVOP HCPVOPBK HCP1612E HCP1613E HCP1614E HCP1615E HCP1616E HCP1617E HCP1822E HCP1944I HCP2768E HCP2813E HCP2815E HCP6706E HCP6758W HCWAI8 HCWA12 IPL LGRFCLBK LGRVMDBK LOADDEV LOGON MRMTRSYS MRMTRUSR MRSYTCUP MRUSEACT MRUSELOF OPTION TRACERED USER VMRELOCA
SC24626073 | GC24629473 | SC24627173 | SC24630173 | GC24628673 |
SC24632173 | GC24627073 |
Fix information
Fixed component name
VM CP CP
Fixed component ID
568411202
Applicable component levels
R730 PSY UM90281
UP23/05/18 P 2302
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
12 October 2023