Validated Boot for z/OS

Validated Boot for z/OS is a solution that uses digital signatures to provide an initial program load (IPL)-time check that validates that IPL data is intact, not tampered with, and originated from a trusted source. It also enables detection of unauthorized changes to software executables.

By using Validated Boot for z/OS, you can meet regulatory compliance standards, including National Information Assurance Partnership (NIAP) certification, that certain secure software deployment scenarios require. You can also detect both accidental and malicious changes to IPL data earlier, which reduces the impact of outages and stops certain kinds of attacks.

Validated Boot for z/OS requires z/OS 2.5 or higher for the driving system and IBM z16 with z/OS 2.5 or higher for the target system.

Big picture

  1. Obtain signed and validated code packages.
  2. Prepare the driving system: z/OS requirements and one-time RACF setup.
  3. On the driving system, format the IPL volume, then build and sign the load modules for the target system that you will IPL.
  4. Prepare the target system: one-time SE/HMC setup to import validation certificates and assign them to the LPARs where they will be used for IPL-time validation.
  5. IPL a system with the selected security options.
  6. Review the IPL results with IEAVBPRT.

How to get started

Signed code packages

As part of meeting the NIAP OSPP 4.3 standard, you use signed code packages for all code package deliverables from IBM and other vendors, including portable software instances for z/OSMF Software Management, ServerPac deliverables, and PTFs for service updates.

Code packages are signed when they are built with GIMZIP and validated when they are unpacked with GIMUNZIP.

Each package is validated against the software vendor's public key; the validated contents are then the input to the build process for Validated Boot for z/OS.
Prepare the driving system

Overview

To prepare the driving system, where you will build the SYSRES that will be deployed on the target system, ensure that the driving system meets the requirements, then perform the one-time RACF setup.
Requirements

The driving system requires software support on z/OS 2.5, as well as ServerPac and ICKDSF installation support, to build and format the IPL volume correctly for Validated Boot for z/OS. This support is delivered as a set of continuous-delivery APARs. See these FIXCATs:

  • Functional FIXCAT for Validated Boot for z/OS:

    Name: IBM.Function.ValidatedBoot

  • If the driving system is a z16, the FIXCAT for exploitation support for z16:

    Name: IBM.Device.Server.z16-3931.Exploitation

    Note: This FIXCAT covers both the z16 A01 (3931) and z16 A02 (3932) machines.

  • FIXCAT for the Clean Room (Secure Build Environment) driving system:

    Name: IBM.DrivingSystem-RequiredService

RACF setup

This is a one-time setup: it does not have to be repeated every time you build a system or sign load modules on that system.

To perform the setup, a RACF administrator creates or obtains a code-signing certificate together with its private key, connects that certificate to a RACF key ring, and permits the key ring to the user whose job it is to sign the load modules. The private key stays under RACF control; only the certificate (the public key) is later exported for import on the SE/HMC of the target system.
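The following batch job is an added example of the one-time RACF setup described above; it is not taken from the original page or from IBM's documentation. It generates a NIST P-521 ECC code-signing certificate with its private key, places the certificate on a key ring as the default personal certificate, permits the signing user to that ring, exports the certificate for import on the SE/HMC, and lists the result as a check. The user IDs VBSIGN and SIGNUSR, the ring name VBOOTRING, the certificate label, the subject name, the expiry date, and the export data set name are assumed placeholders; whether the signing utility requires KEYUSAGE(DOCSIGN) is also an assumption to confirm against the Validated Boot documentation. The IEWSIGN invocation itself is not shown.

```jcl
//VBRACF   JOB (ACCT),'VBOOT RACF SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: one-time RACF setup for Validated Boot code signing.
//* Assumed names: VBSIGN  = functional ID that owns the key and ring
//*                SIGNUSR = user ID under which the IEWSIGN job runs
//*                VBOOTRING, label 'VBOOT CODE SIGN', export DSN.
//* Run under a RACF administrator. ICSF must be active for ECC key
//* generation. Steps in SYSTSIN:
//*  1. GENCERT: self-signed NIST P-521 ECC certificate plus private key,
//*     matching the CPACF ECDSA P-521 support used at IPL time.
//*     KEYUSAGE(DOCSIGN) marks it for signing; confirm against the
//*     Validated Boot documentation (assumption).
//*  2. ADDRING/CONNECT: put the certificate on a ring as the default
//*     personal certificate.
//*  3. RDATALIB profile <ringowner>.<ringname>.LST: UPDATE lets SIGNUSR
//*     use the private key of VBSIGN's certificates on the ring. READ
//*     would expose only the public certificates and signing would fail.
//*  4. EXPORT: write the certificate (public key only, DER) to a data set
//*     for import on the SE/HMC. Transfer it in binary mode. The private
//*     key never leaves RACF.
//*  5. LISTRING/LIST: confirm the ring holds the certificate and that a
//*     private key is present before running the signing job.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
  RACDCERT ID(VBSIGN) GENCERT +
    SUBJECTSDN(CN('Validated Boot Code Signing') O('Example Org') C('US')) +
    WITHLABEL('VBOOT CODE SIGN') +
    NISTECC SIZE(521) +
    KEYUSAGE(DOCSIGN) +
    NOTAFTER(DATE(2027-12-31))
  RACDCERT ID(VBSIGN) ADDRING(VBOOTRING)
  RACDCERT ID(VBSIGN) CONNECT(ID(VBSIGN) LABEL('VBOOT CODE SIGN') +
    RING(VBOOTRING) USAGE(PERSONAL) DEFAULT)
  RDEFINE RDATALIB VBSIGN.VBOOTRING.LST UACC(NONE)
  PERMIT VBSIGN.VBOOTRING.LST CLASS(RDATALIB) ID(SIGNUSR) ACCESS(UPDATE)
  SETROPTS RACLIST(RDATALIB) REFRESH
  RACDCERT ID(VBSIGN) EXPORT(LABEL('VBOOT CODE SIGN')) +
    DSN('VBSIGN.VBOOT.SIGNCERT.DER') FORMAT(CERTDER)
  RACDCERT ID(VBSIGN) LISTRING(VBOOTRING)
  RACDCERT ID(VBSIGN) LIST(LABEL('VBOOT CODE SIGN'))
/*
```

Check the SYSTSPRT output: the LISTRING output should show the certificate connected to VBOOTRING as the DEFAULT PERSONAL entry, and the LIST output should show a private key type for it. If the signing job later fails with an authorization error, the usual cause is the RDATALIB access level: the signing user needs UPDATE, not READ, on VBSIGN.VBOOTRING.LST. Keep the exported DER file under change control, because it is the trust anchor that the SE/HMC will assign to the LPARs.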
Format the IPL volume, build the system, and sign the load modules

Overview

Prepare for the Validated Boot for z/OS IPL by building the SYSRES that will be deployed. Build the SYSRES on the driving system; the target system then IPLs from it and, if validation is requested, validates it at IPL time.

Begin by formatting the IPL volume for both the List-directed and the Channel Control Word (CCW) IPL options. Then build your system and sign all needed load module executables, including the IPL text, with your private key.

Steps
  1. Format the IPL volume for the List-directed and Channel Control Word IPL options, and build the system.

    You can use a ServerPac workflow to format the IPL volume and build the system.

    If you do not use the workflow, see the information at the following links:

  2. Sign the load module executables, including the IPL text, with the signing utility IEWSIGN, using the private key on the RACF key ring that was set up on the driving system.
Prepare the target system

Overview

To prepare the target system that you will IPL, perform the one-time Support Element (SE) / Hardware Management Console (HMC) setup to import validation certificates and assign them to the LPARs where they will be used for IPL-time validation.
Requirements

The target system requires an IBM z16.

  • IPL options are available on the SE/HMC and Dynamic Partition Manager (DPM) Load panel. (See "IPL a system" below for more detail.)

    • List-directed IPL (validated with the public keys that you provide), from ECKD DASD.

    • Channel control word (CCW) IPL (not validated). This option is preserved so that the same IPL volume can be used for migration, compatibility, and fallback.

  • Certificate store for z/OS Validated Boot:

    SE/HMC and DPM certificate management support to import the certificates used to validate the IPL as it happens, to assign those certificates to particular LPARs, and to delete, change, or rotate certificates dynamically.

    In addition to the user interface provided by the SE/HMC, PR/SM provides support for taking the certificates to the CEC and making them available to the Z Bootloader and to the z/OS images involved in the IPL. The certificate store provides the trusted validation keys needed for z/OS Validated Boot.

  • CP Assist for Cryptographic Functions (CPACF) support for digital signatures using the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-521 and the associated Secure Hash Algorithm (SHA) 512 hashing support.

  • Virtual Flash Memory (VFM), also known as Storage Class Memory (SCM), for use in secure z/OS paging.

  • Support delivered as a set of continuous-delivery APARs. See these FIXCATs:

    • Functional FIXCAT for Validated Boot for z/OS:

      Name: IBM.Function.ValidatedBoot
      APAR tagging: VBOOT/K

    • Functional FIXCAT for exploitation support for z16:

      Name: IBM.Device.Server.z16-3931.Exploitation
      APAR tagging: E3931/K

      Note: This FIXCAT covers both the z16 A01 (3931) and z16 A02 (3932) machines. It provides support for z16 GA 1.5 firmware.
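Whether the required service is actually installed, both for the FIXCATs listed here for the target system and for those listed earlier for the driving system, can be checked with an SMP/E REPORT MISSINGFIX job. The job below is an added example, not part of the original page or of IBM's documentation. The global CSI name SMPE.GLOBAL.CSI and the target zone name MVST100 are assumptions to replace with your own; run it once against the driving system's target zone and once against the zone of the z/OS that you are building for the target system (IBM.DrivingSystem-RequiredService applies only to the driving system).

```jcl
//VBFIXCAT JOB (ACCT),'VBOOT MISSING FIX',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: report PTFs missing for the Validated Boot FIXCATs.
//* SMPE.GLOBAL.CSI and target zone MVST100 are assumed names.
//* Prerequisite: RECEIVE the current Enhanced HOLDDATA into the global
//* zone first; the FIXCAT HOLDDATA is what ties APARs to categories,
//* so stale HOLDDATA makes the report incomplete.
//SMP      EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DISP=SHR,DSN=SMPE.GLOBAL.CSI
//SMPOUT   DD SYSOUT=*
//SMPRPT   DD SYSOUT=*
//SMPLIST  DD SYSOUT=*
//* SMPPUNCH receives a generated job that RECEIVEs and APPLY CHECKs
//* the missing PTFs; review that job before running it.
//SMPPUNCH DD SYSOUT=*
//SMPCNTL  DD *
  SET BOUNDARY(GLOBAL).
  REPORT MISSINGFIX
         ZONES(MVST100)
         FIXCAT(IBM.Function.ValidatedBoot,
                IBM.Device.Server.z16-3931.Exploitation,
                IBM.DrivingSystem-RequiredService).
/*
```

The SMPRPT output lists, per FIXCAT, each APAR whose resolving PTF is not APPLIED in the zone. An empty missing-fix list for IBM.Function.ValidatedBoot and the z16 exploitation category is the condition to meet before formatting the IPL volume and signing, because a build done on a back-level driving system will not produce a volume that validates.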

Steps
  1. Ensure that the requirements are met.
  2. With the SE/HMC, import the validation certificates and assign them to the LPARs where they will be used for IPL-time validation.
IPL a system

Overview

On the SE/HMC Load panel, you select one of three kinds of IPL: an IPL that is not validated; an IPL in which validation is audited, which checks for problems with your z/OS Validated Boot environment but continues even if problems are found; or an IPL in which validation is enforced, which terminates if any problems with your z/OS Validated Boot environment are found.

A z/OS Validated Boot IPL must be a cold start (CLPA) IPL, and Virtual Flash Memory (VFM) must be used for LPA paging instead of disk paging. If these requirements are not met, the IPL fails when validation is enforced and errors are logged when validation is audited.

Audited validation is the mode to use when you first deploy Validated Boot: unsigned or incorrectly signed modules are recorded and can be reviewed with IEAVBPRT without taking the IPL down. Once an audited IPL reports no problems, switch to enforced validation, which is the mode that actually stops an IPL from tampered or untrusted IPL data.

IPL options

On the SE/HMC Load panel, select the options for the load IPL volume, the IPL type, and validation.

  • Load IPL volume type: Select ECKD.
  • IPL type and Validation: Use these fields together to define the desired IPL.

    • IPL not validated

      IPL type: Channel Control Word (CCW)

    • IPL validation audited only. The IPL continues even if validation encounters problems with the z/OS Validated Boot environment.

      IPL type: List-directed

      Validation: Clear Enable Secure Boot

    • IPL validation enforced. The IPL is terminated if validation uncovers problems with the z/OS Validated Boot environment.

      IPL type: List-directed

      Validation: Select Enable Secure Boot
Review the IPL results

After the IPL completes, you can view the results of IPL-time validation, including:

  • Data sets and load modules processed
  • Certificates used or not used
  • Load module validation results
  • Adherence or lack of adherence to system-level requirements

Use the utility program IEAVBPRT on a system that was IPLed with validation audited. To view similar audit record data in a dump (such as a standalone dump following a failed enforced IPL), use the program IEAVBIPC.
Documentation and technical resources

  • z/OS Validated Boot in IBM Documentation: read more about Validated Boot for z/OS.
  • z/OS Validated Boot White Paper: learn more about how to set up and use z/OS Validated Boot.
  • z/OS Validated Boot documentation (PDF): technical documentation for setting up and using z/OS Validated Boot.