IBM Support

VM66434: NEW FUNCTION Guest ECKD and SCSI secure IPL support


APAR status

  • Closed as new function.

Error description

  • Provide support to allow guest secure IPL (load and dump)
    for both ECKD and SCSI devices.
    A z/VM user can request that the machine loader validate the
    signed IPL code by using the verification keys that were
    previously loaded by the customer into the HMC certificate
    store.  The validation ensures that the IPL code is intact,
    unaltered, and originates from a trusted build-time source.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users with Linux z/VM guests                 *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    A way is needed to have the machine loader on a D/T3931 or
    D/T3932 validate that the code being IPLed in a guest is intact,
    unaltered, and originates from a trusted build-time source.
    

Problem conclusion

Temporary fix

Comments

  • Guest secure IPL is supported from both ECKD and SCSI devices.
    With the PTF for APARs VM66434 (CP), VM66424 (DirMaint), and
    VM66650 (SMAPI), z/VM V7.3 supports guest secure IPL (load and
    dump) for both ECKD and SCSI devices on an IBM z16 machine
    with driver D51C bundle 19.  A z/VM user can request that the
    machine loader validate the signed IPL code by using the
    verification keys that were previously loaded by the customer
    into the HMC certificate store.  The validation ensures that
    the IPL code is intact, unaltered, and originates from a trusted
    build-time source.
    
    List-directed IPL is changed to allow IPL of ECKD as well as
    SCSI devices.  To do a secure list-directed IPL, use the new
    SECURE option on SET LOADDEV or DUMPDEV, along with the new
    LOADDEV or DUMPDEV operands on the IPL command.  Alternatively,
    use the SECURE option on the LOADDEV directory statement and the
    LOADDEV operand on the IPL directory statement.
    
    The SET LOADDEV and SET DUMPDEV commands are changed to allow
    specification of a device number, ECKD-specific operands,
    and the new SECURE option.  Similar changes are made to the
    LOADDEV directory statement.  The output of the QUERY LOADDEV
    and QUERY DUMPDEV commands now reflects the changes to the
    respective SET commands.
    
    A new option (SECUREIPLREQUIRED) has been added to the
    directory OPTION statement.  A virtual machine that has this
    option specified in its directory entry can only IPL using
    the new SECURE IPL method.
    
    The INDICATE USER command with the EXPANDED option has been
    modified to include an indication of whether the most recent
    IPL was a secure IPL.
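    
    The fragment below is an added illustration of the statements and
    commands described above; it is not part of the APAR text.  The
    SECUREIPLREQUIRED option, the SECURE option on LOADDEV and SET
    LOADDEV, and the LOADDEV operand on IPL are taken from this APAR.
    The userid LNXSEC, the device numbers, the volume label, the SCSI
    port name and LUN values, and the DEVICE keyword used here to name
    an ECKD load device are assumptions made for the illustration and
    must be checked against the z/VM 7.3 CP Commands and Utilities
    Reference and Planning and Administration publications referenced
    below.

```text
* --- Directory entry (illustration; keywords other than
* --- SECUREIPLREQUIRED, SECURE, IPL LOADDEV are assumptions) ---
USER LNXSEC  LBYONLY  4G 8G G
*  Enforce: this guest may IPL only through the secure list-directed
*  IPL path.  A plain "IPL 0200" from the console is rejected by CP.
   OPTION SECUREIPLREQUIRED
*  Boot from the device described by the LOADDEV statement.
   IPL LOADDEV
*  ECKD load device 0200 with signature verification requested.
*  (DEVICE keyword and device number are assumed for this example.)
   LOADDEV DEVICE 0200 SECURE
   MDISK 0200 3390 0001 3338 LXSEC1 MR

* --- Equivalent dynamic setup from the guest console
* --- (SCSI variant; port name and LUN values are made up) ---
CP SET LOADDEV PORTNAME 50050763 00C1AFC4 LUN 40104000 00000000 SECURE
CP QUERY LOADDEV
CP IPL LOADDEV

* --- After the fact: confirm the last IPL was actually secure ---
CP INDICATE USER LNXSEC EXPANDED
```

    Two points for operators.  First, SECURE on the load device is a
    request, and SECUREIPLREQUIRED is the enforcement control: without
    the directory option a guest that has a SECURE load device can
    still be brought up through an ordinary, unverified IPL.  Second,
    the outcome is auditable: INDICATE USER ... EXPANDED reports
    whether the most recent IPL was secure, and the same flag is
    carried in monitor Domain 1 record 15 and Domain 4 records 2 and
    3, so a monitoring pipeline can alert on guests that were expected
    to secure-IPL but did not.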
    
    The following monitor records are updated:
    *  Domain 1 record 4:  Flags are added to indicate whether the
       secure IPL facility is available and the VM support is
       installed.
    *  Domain 1 record 15:  A flag is added to indicate whether the
       user's most recent IPL was a secure IPL.
    *  Domain 4 record 2:  A flag is added to indicate whether the
       user's most recent IPL was a secure IPL.
    *  Domain 4 record 3:  A flag is added to indicate whether the
       user's most recent IPL was a secure IPL.
    
    The following HELP files have changed:
       IPL      HELPDIRE
       LOADDEV  HELPDIRE
       OPTION   HELPDIRE
       DEFSYS   HELPCP
       USER     HELPINDI
       IPL      HELPCP
       LOGON    HELPCP
       DUMPDEV  HELPCPQU
       LOADDEV  HELPCPQU
       DUMPDEV  HELPCPSE
       LOADDEV  HELPCPSE
       VMRELOCA HELPCP
       HCP1612E HELPMSG
       HCP1613E HELPMSG
       HCP1614E HELPMSG
       HCP1615E HELPMSG
       HCP1616E HELPMSG
       HCP1617E HELPMSG
       HCP1822E HELPMSG
       HCP1944I HELPMSG
       HCP2768E HELPMSG
       HCP2813E HELPMSG
       HCP2815E HELPMSG
       HCP6706E HELPMSG
       DIRECTXA HELPCP
       TRACERED HELPCP
       HCP6758W HELPMSG
    
    What is supported and what is not:
    * This support provides the ability for a Linux guest at the
      appropriate code level to exploit hardware to validate the
      code being booted, helping to ensure it is signed by the
      client administrator or the supplier of the code.
    * z/OS is supported in audit or non-secure mode only.  For
      secure mode, z/OS requires Virtual Flash Memory support, which
      is not available to a guest.  In audit mode, the IPL code is
      checked but the IPL continues even if the code is not valid.
    * Secure IPL of the z/VM host and z/VM Stand-alone Dump are not
      supported.  z/VM and z/VM Stand-alone Dump do not support
      performing host IPL via List-Directed IPL (LD-IPL) from ECKD.
    
    To use the Guest Secure IPL support the following are required:
    * Machine required:  IBM z16 (D/T3931 or D/T3932) with
      driver D51C bundle 19 or later
    * DirMaint support requires APAR VM66424.
    * SMAPI support requires APAR VM66650.
    * Linux on IBM zSystems instances that previously could perform
      first-level secure boot on an IBM z15 or IBM LinuxONE III prior
      to Driver D41C Bundle S73a, or on an IBM z16 or IBM LinuxONE 4
      prior to Driver D51C Bundle S18, will no longer be able to use
      secure boot until the appropriate additional support is applied
      to the Linux image.  See the corresponding Machine Field Alert
      for the Linux service level required to IPL securely first or
      second level after Driver D41C Bundle S73a or Driver D51C Bundle
      S18 has been applied.  The Machine Field Alert is at:
      https://www-40.ibm.com/servers/resourcelink/lib03020.nsf/pagesByDocid/272B3DD994A65B538525899F005FA0E6?OpenDocument
    

APAR Information

  • APAR number

    VM66434

  • Reported component name

    VM CP CP

  • Reported component ID

    568411202

  • Reported release

    730

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2022-10-20

  • Closed date

    2023-05-16

  • Last modified date

    2023-10-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM90281

Modules/Macros

  • CBITABLE CPLOAD   DEFSYS   DIRECTXA DUMPDEV  HCPARD   HCPBVM
    HCPCBI   HCPCLS   HCPCLT   HCPCTS   HCPDGFBK HCPDGNDF HCPDIR
    HCPDVMD  HCPEQUAT HCPFCD   HCPFCL   HCPFCLBK HCPFCS   HCPFCSPL
    HCPFRG   HCPGETST HCPHRP   HCPHRU   HCPHTU   HCPHVB   HCPIOD
    HCPIPLBK HCPISU   HCPLDI   HCPLGN   HCPMDLAT HCPMES   HCPMESB
    HCPMNU   HCPMOD   HCPMOM   HCPMTS   HCPMXL   HCPMXRBK HCPPAV
    HCPPCB   HCPPCS   HCPPCT   HCPPMP   HCPPPD   HCPPTE   HCPRFI
    HCPRLE   HCPRLG   HCPRLJ   HCPRLP   HCPRLU   HCPRST   HCPSAS
    HCPSDT   HCPSXP   HCPSYS   HCPSYSCM HCPSZK   HCPSZL   HCPTHL
    HCPTHU   HCPUDM   HCPUSP   HCPUWKPG HCPVINOP HCPVMDBK HCPVOP
    HCPVOPBK HCP1612E HCP1613E HCP1614E HCP1615E HCP1616E HCP1617E
    HCP1822E HCP1944I HCP2768E HCP2813E HCP2815E HCP6706E HCP6758W
    HCWAI8   HCWA12   IPL      LGRFCLBK LGRVMDBK LOADDEV  LOGON
    MRMTRSYS MRMTRUSR MRSYTCUP MRUSEACT MRUSELOF OPTION   TRACERED
    USER     VMRELOCA
    

Publications Referenced
SC24-6260-73  GC24-6294-73  SC24-6271-73  SC24-6301-73  GC24-6286-73
SC24-6321-73  GC24-6270-73

Fix information

  • Fixed component name

    VM CP CP

  • Fixed component ID

    568411202

Applicable component levels

  • R730 PSY UM90281

       UP23/05/18 P 2302  


Document Information

Modified date:
12 October 2023