VM66434: NEW FUNCTION Guest ECKD and SCSI secure IPL support

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• Provide support to allow guest secure IPL (load and dump)
  for both ECKD and SCSI devices.
  A z/VM user can request that the machine loader validate the
  signed IPL code by using the security keys that were
  previously loaded by the customer on the HMC certificate
  store.  The validation ensures that the IPL code is intact,
  unaltered, and originates from a trusted build-time source.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users with Linux z/VM guests                 *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  ****************************************************************
  * RECOMMENDATION: APPLY PTF                                    *
  ****************************************************************
  A way is needed to have the machine loader on a D/T3931 or
  D/T3932 validate that the code being IPLed in a guest is intact,
  unaltered, and originates from a trusted build-time source.
  

Problem conclusion

Temporary fix

• FOR RELEASE VM/ESA CP/ESA R730 :
  PREREQ: VM66423 VM66452 VM66627
  CO-REQ: NONE
  IF-REQ: NONE
  

Comments

• Guest secure IPL is supported fromm both ECKD and SCSI devices.
  With the PTF for APARs VM66434 (CP), VM66424 (DirMaint), and
  VM66650 (SMAPI), z/VM V7.3 supports guest secure IPL (load and
  dump) for both ECKD and SCSI devices on an IBM z16 machine
  with driver D51C bundle 19.  A z/VM user can request that the
  machine loader validate the signed IPL code by using the
  verification keys that were previously loaded by the customer
  into the HMC certificate store.  The validation ensures that
  the IPL code is intact, unaltered, and originates from a trusted
  build-time source.
  
  List-directed IPL is changed to allow IPL of ECKD as well as
  SCSI devices.  To do a secure list-directed IPL, use the new
  SECURE option on SET LOADDEV or DUMPDEV, along with the new
  LOADDEV or DUMPDEV operands on the IPL command.  Alternatively,
  use the SECURE option on the LOADDEV directory statement and the
  LOADDEV operand on the IPL directory statement.
  
  The SET LOADDEV and SET DUMPDEV commands are changed to allow
  specification of a device number, ECKD-specific operands,
  and the new SECURE option.  Similar changes are made to the
  LOADDEV directory statement.  The output of the QUERY LOADDEV
  and QUERY DUMPDEV commands now reflect the changes to the
  respective SET commands.
  
  A new option (SECUREIPLREQUIRED) has been added to the
  directory OPTION statement.  A virtual machine that has this
  option specified in its directory entry can only IPL using
  the new SECURE IPL method.
  
  The INDICATE USER command with the EXPANDED option has been
  modified to include an indication of whether the most recent
  IPL was a secure IPL.
  
  The following monitor records are updated:
  *  Domain 1 record 4:  Flags are added to indicate whether the
     secure IPL facility is available and the VM support is
     installed.
  *  Domain 1 record 15:  A flag is added to indicate whether the
     user's most recent IPL was a secure IPL.
  *  Domain 4 record 2:  A flag is added to indicate whether the
     user's most recent IPL was a secure IPL.
  *  Domain 4 record 3:  A flag is added to indicate whether the
     user's most recent IPL was a secure IPL.
  
  The following HELP files have changed:
     IPL      HELPDIRE
     LOADDEV  HELPDIRE
     OPTION   HELPDIRE
     DEFSYS   HELPCP
     USER     HELPINDI
     IPL      HELPCP
     LOGON    HELPCP
     DUMPDEV  HELPCPQU
     LOADDEV  HELPCPQU
     DUMPDEV  HELPCPSE
     LOADDEV  HELPCPSE
     VMRELOCA HELPCP
     HCP1612E HELPMSG
     HCP1613E HELPMSG
     HCP1614E HELPMSG
     HCP1615E HELPMSG
     HCP1616E HELPMSG
     HCP1617E HELPMSG
     HCP1822E HELPMSG
     HCP1944I HELPMSG
     HCP2768E HELPMSG
     HCP2813E HELPMSG
     HCP2815E HELPMSG
     HCP6706E HELPMSG
     DIRECTXA HELPCP
     TRACERED HELPCP
     HCP6758W HELPMSG
  
  What is supported and what is not:
  * This support provides the ability for a Linux guest at the
    appropriate code level to exploit hardware to validate the
    code being booted, helping to ensure it is signed by the
    client administrator or the supplier of the code.
  * z/OS is supported in audit or non-secure mode only.  For
    secure mode, z/OS requires Virtual Flash Memory support, which
    is not available to a guest.  In audit mode, the IPL code is
    checked but the IPL continues even if the code is not valid.
  * Secure IPL of the z/VM host and z/VM Stand-alone Dump are not
    supported.  z/VM and z/VM Stand-alone Dump do not support
    performing host IPL via List-Directed IPL (LD-IPL) from ECKD.
  
  To use the Guest Secure IPL support the following are required;
  * Machine required:  IBM z16 (D/T3931 or D/T3932) with
    driver D51C bundle 19 or later
  * DirMaint support requires APAR VM66424.
  * SMAPI support requires APAR VM66650.
  * Linux on IBM zSystems instances which previously were able to
    perform secure boot first level on an IBM z15 or IBM LinuxONE
    III prior to Driver D41C Bundle S73a, or an IBM z16 or IBM
    LinuxONE 4 prior to Driver D51C Bundle S18, will no longer be
    able to use secure boot until appropriate additional support
    is applied to the Linux image.  See the corresponding Machine
    Field Alert for details on the required service level of Linux
    to properly IPL securely first or second level after driver
    D41C Bundle S73a or Driver D51C Bundle S18 has been applied.
    The Machine Field Alert can be found at the following URL:
    https://www-40.ibm.com/servers/resourcelink/lib03020.nsf/pages
    ByDocid/272B3DD994A65B538525899F005FA0E6?OpenDocument
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UM90281

Modules/Macros

• CBITABLE CPLOAD   DEFSYS   DIRECTXA DUMPDEV  HCPARD   HCPBVM
  HCPCBI   HCPCLS   HCPCLT   HCPCTS   HCPDGFBK HCPDGNDF HCPDIR
  HCPDVMD  HCPEQUAT HCPFCD   HCPFCL   HCPFCLBK HCPFCS   HCPFCSPL
  HCPFRG   HCPGETST HCPHRP   HCPHRU   HCPHTU   HCPHVB   HCPIOD
  HCPIPLBK HCPISU   HCPLDI   HCPLGN   HCPMDLAT HCPMES   HCPMESB
  HCPMNU   HCPMOD   HCPMOM   HCPMTS   HCPMXL   HCPMXRBK HCPPAV
  HCPPCB   HCPPCS   HCPPCT   HCPPMP   HCPPPD   HCPPTE   HCPRFI
  HCPRLE   HCPRLG   HCPRLJ   HCPRLP   HCPRLU   HCPRST   HCPSAS
  HCPSDT   HCPSXP   HCPSYS   HCPSYSCM HCPSZK   HCPSZL   HCPTHL
  HCPTHU   HCPUDM   HCPUSP   HCPUWKPG HCPVINOP HCPVMDBK HCPVOP
  HCPVOPBK HCP1612E HCP1613E HCP1614E HCP1615E HCP1616E HCP1617E
  HCP1822E HCP1944I HCP2768E HCP2813E HCP2815E HCP6706E HCP6758W
  HCWAI8   HCWA12   IPL      LGRFCLBK LGRVMDBK LOADDEV  LOGON
  MRMTRSYS MRMTRUSR MRSYTCUP MRUSEACT MRUSELOF OPTION   TRACERED
  USER     VMRELOCA
  

Fix information

• Fixed component name

  VM CP CP

• Fixed component ID

  568411202

Applicable component levels

• R730 PSY UM90281

     UP23/05/18 P 2302  

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.