Monday, March 25, 2024

Important Note on Verifying Secure Execution Host Key Documents

The certificates of the host key signing keys that are needed to verify host key documents will expire on April 24, 2024 for IBM z15 and LinuxONE III and on March 29, 2024 for IBM z16 and LinuxONE 4. Due to a requirement from the Certificate Authority (DigiCert), the renewed certificates are equipped with a new Locality value (“Armonk” instead of “Poughkeepsie”). These renewed certificates cause the current versions of the genprotimg, pvattest, and pvsecret tools to fail the verification of host key documents.

The IBM Z team is preparing updates of the genprotimg, pvattest, and pvsecret tools to accept the new certificates and is working with Linux distribution partners to release the updated tools.

To build new Secure Execution images, attestation requests, or add-secret requests before the updated tools are available in Linux distributions, follow these steps:

Step 1:

Obtain the host key document, the host key signing key certificate, the intermediate certificate from the Certificate Authority, and the list of revoked host keys (CRL):

Step 2: 

Step 3:

Verify each host key document using the check_hostkeydoc script. For example, issue

# ./check_hostkeydoc HKD1234.crt ibm-z-host-key-signing.crt \ -c DigiCertCA.crt -r ibm-z-host-key.crl

This example verifies the host key document HKD1234.crt using the host key signing key certificate ibm-z-host-key-signing.crt, and the intermediate certificate of the Certificate Authority DigiCertCA.crt,as well as the list of revoked host keys ibm-z-host-key.crl.

After the host key documents are verified using the check_hostkeydoc script, you can safely call genprotimg, pvattest, or pvsecret with the –-no-verify option.

For a description about how to manually verify host key documents, see https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document.

Friday, December 8, 2023

New Linux on IBM Z & LinuxONE Forum at Open Mainframe Project

The Open Mainframe Project has launched a new forum dedicated to Linux on Z. It can be found here, and is intended to complement existing facilities like the mailing lists hosted at Maris college. Any topic around Linux on Z, including virtualization as provided by z/VM and KVM, is fair game, and you may use it to ask quesitions, share useful hints and tips, or simply have a casual conversation about some aspect of the platform!

Wednesday, December 6, 2023

Red Hat Ansible Automation Platform available on IBM Z and LinuxONE

While Linux on IBM Z and LinuxONE could be used as a target for Ansible scripts ever since, the backend had to be run on other architectures. But no longer so: Starting today, the entire Red Hat Ansible Automation Platform is becoming available on IBM Z and LinuxONE!

See here for more details, and here for the formal announcement from Red Hat.

Friday, December 1, 2023

New Releases: RHEL 8.9 and RHEL 9.3 on IBM Z & LinuxONE

Both, Red Hat Enterprise Linux 8.9 and 9.1 are out! See the press release here, and Red Hat's blog entry here!

Both releases ship

  • s390-tools v2.27 (renamed to s390utils)
  • smc-tools v1.8.2
  • openCryptoki v3.21

Further information can be found in the release notes for RHEL 8.9 and see RHEL 9.3.

Friday, October 20, 2023

New Release: Ubuntu 23.10

Canonical released a new version of their Ubuntu server offering Ubuntu Server 23.10!

See the announcement on the mailing list here, and the blog entry at Canonical with Z-specific highlights here.

Thursday, August 10, 2023

2023 IBM TechXchange EMEA Client Workshop for Linux on IBM Z and LinuxONE

Interested in the latest news on Linux on IBM Z & LinuxONE? Come and meet us at the 2023 IBM TechXchange EMEA Client Workshop for Linux on IBM Z and LinuxONE on September 19-20 in Ehningen, Germany!

Register here.

Monday, July 10, 2023

KVM in Linux Distributions in 2Q 2023

Second quarter of 2023 was quite productive in terms of new Linux distribution releases and KVM related features shipped in there. Here they are, in chronological order.

Ubuntu 23.04 

The most recent Ubuntu release contains the following new KVM-related functionality:
  • Interpretive vfio-pci support for ISM: Allows pass-through of ISM devices to KVM guests, enabling high-bandwith and low-latency network communications using SMC-D.
  • Encrypted dump for Secure Execution: Enhances problem determination capabilities while not compromising the security of secure KVM guests.
  • Bus id for subchannels: Allows you to identify passthrough CCW devices by their device bus id in the host without going through hoops.
  • Driverctl now lists persisted overrides: Makes it easier to identify and manage passthrough devices.

RHEL 8.8 and 9.2

While being distinct releases, both share the same set of new functionality, which is:
  • Interpretive vfio-pci support for ISM: Which allows pass-through of ISM devices to KVM guests, enabling high-bandwith and low-latency network communication using SMC-D.
  • Encrypted dump for Secure Execution: Enhances problem determination capabilities while not compromising the security of secure KVM guests.
  • Bus id for subchannels: Allows you to identify passthrough CCW devices by their device bus id in the host without going through hoops.
  • Dynamic configuration updates  for vfio-ap: Allows you to hot plug and unplug Crypto domains of a Crypto passthrough configuration for running KVM guests.

SLES 15 SP5

Being a large service pack, there are numerous new features delivered:
  • Interpretive vfio-pci support for ISM: Which allows pass-through of ISM devices to KVM guests, enabling high-bandwith and low-latency network communication using SMC-D.
  • Encrypted dump for Secure Execution: Enhances problem determination capabilities while not compromising the security of secure KVM guests.
  • Bus id for subchannels: Allows you to identify passthrough CCW devices by their device bus id in the host without going through hoops.
  • Driverctl now lists persisted overrides: Makes it easier to identify and manage passthrough devices.
  • Persistent configuration for vfio-ap: The s390-tools command zdev can now be used to persist Crypto passthrough configurations.
  • Dynamic configuration updates  for vfio-ap: Allows you to hot plug and unplug Crypto domains of a Crypto passthrough configuration for running KVM guests.
  • Remote attestation for Secure Execution: Provides cryptographic evidence of workload authenticity and integrity facilitates integration into common Confidential Computing frameworks.
  • Support of long kernel command lines of up to 64 KB length, for example, allows you to specify plenty of I/O devices.
...and other minor improvements