Merge pull request #52661 from SNiemann15/ibmz_secure_execution

jldohmann · web-flow · commit 1ad25ec8d81c · 2022-12-21T10:52:55.000-06:00
[MULTIARCH-1424] Add new IBM Secure Execution feature
diff --git a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc
@@ -85,6 +85,16 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev
 
 include::modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc[leveloffset=+1]
 
+include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_Linux-as-an-IBM-Secure-Execution-host-or-guest"]
+.Additional resources
+
+* link:https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-secure-execution[Introducing IBM Secure Execution for Linux]
+
+* link:https://www.ibm.com/docs/en/linux-on-systems?topic=ibmz-secure-execution[Linux as an IBM Secure Execution host or guest]
+
 include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]
 
 include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]
diff --git a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
@@ -92,6 +92,16 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev
 
 include::modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc[leveloffset=+1]
 
+include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_Linux-as-an-IBM-Secure-Execution-host-or-guest-restricted"]
+.Additional resources
+
+* link:https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-secure-execution[Introducing IBM Secure Execution for Linux]
+
+* link:https://www.ibm.com/docs/en/linux-on-systems?topic=ibmz-secure-execution[Linux as an IBM Secure Execution host or guest]
+
 include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]
 
 include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]
diff --git a/modules/ibm-z-secure-execution.adoc b/modules/ibm-z-secure-execution.adoc
@@ -0,0 +1,104 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+
+:_content-type: PROCEDURE
+[id="installing-rhcos-using-ibm-secure-execution_{context}"]
+= Installing {op-system} using IBM Secure Execution
+
+Before you install {op-system} using IBM Secure Execution, you must prepare the underlying infrastructure.
+
+:FeatureName: Installing {op-system} using IBM Secure Execution
+include::snippets/technology-preview.adoc[]
+
+.Prerequisites
+
+* IBM z15 or later, or IBM LinuxONE III or later.
+* {op-system-base-full} 8 or later.
+* You have a bootstrap Ignition file. The file is not protected, enabling others to view and edit it.
+* You have verified that the boot image has not been altered after installation.
+* You must run all your nodes as IBM Secure Execution guests.
+
+.Procedure
+
+. Prepare your {op-system-base} KVM host to support IBM Secure Execution.
+
+** By default, KVM hosts do not support guests in IBM Secure Execution mode. To support guests in IBM Secure Execution mode, KVM hosts must boot in LPAR mode with the kernel parameter specification `prot_virt=1`. To enable `prot_virt=1` on {op-system-base} 8, follow these steps:
+
+.. Navigate to `/boot/loader/entries/` to modify your bootloader configuration file `*.conf`.
+.. Add the kernel command line parameter `prot_virt=1`.
+.. Run the `zipl` command and reboot your system.
++
+KVM hosts that successfully start with support for IBM Secure Execution for Linux issue the following kernel message: 
++
+[source,terminal]
+----
+prot_virt: Reserving <amount>MB as ultravisor base storage.
+----
+.. To verify that the KVM host now supports IBM Secure Execution, run the following command:
++
+[source,terminal]
+----
+# cat /sys/firmware/uv/prot_virt_host
+----
++
+.Example output
++
+[source,terminal]
+----
+1
+----
+The value of this attribute is 1 for Linux instances that detect their environment as consistent with that of a secure host. For other instances, the value is 0.
+
+. Add your host keys to the KVM guest via Ignition.
++
+During the first boot, {op-system} looks for your host keys to re-encrypt itself with them. {op-system} searches for files starting with `ibm-z-hostkey-` in the `/etc/se-hostkeys` directory. All host keys, for each machine the cluster is running on, must be loaded into the directory by the administrator. After first boot, you cannot run the VM on any other machines.
++
+[NOTE]
+====
+You need to prepare your Ignition file on a safe system. For example, another IBM Secure Execution guest.
+====
++
+For example:
++
+[source,terminal]
+----
+{
+  "ignition": { "version": "3.0.0" },
+  "storage": {
+    "files": [
+      {
+        "path": "/etc/se-hostkeys/ibm-z-hostkey-<your-hostkey>.crt",
+        "contents": {
+          "source": "data:;base64,<base64 encoded hostkey document>"
+        },
+        "mode": 420
+      },
+      {
+        "path": "/etc/se-hostkeys/ibm-z-hostkey-<your-hostkey>.crt",
+        "contents": {
+          "source": "data:;base64,<base64 encoded hostkey document>"
+        },
+        "mode": 420
+      }
+    ]
+  }
+}
+```
+----
++
+[NOTE]
+====
+You can add as many host keys as required if you want your node to be able to run on multiple {ibmzProductName} machines.
+====
+. To generate the Base64 encoded string, run the following command:
++
+[source,terminal]
+----
+base64 <your-hostkey>.crt
+----
++
+Compared to guests not running IBM Secure Execution, the first boot of the machine is longer because the entire image is encrypted with a randomly generated LUKS passphrase before the Ignition phase.
+
+. Follow the fast-track installation procedure to install nodes using the IBM Secure Exection QCOW image.  
diff --git a/modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc b/modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc
@@ -10,3 +10,5 @@
 To install {product-title} on IBM Z infrastructure that you provision, you must install {op-system-first} as {op-system-base-full} guest virtual machines. When you install {op-system}, you must provide the Ignition config file that was generated by the {product-title} installation program for the type of machine you are installing. If you have configured suitable networking, DNS, and load balancing infrastructure, the {product-title} bootstrap process begins automatically after the {op-system} machines have rebooted.
 
 You can perform a fast-track installation of {op-system} that uses a prepackaged QEMU copy-on-write (QCOW2) disk image. Alternatively, you can perform a full installation on a new QCOW2 disk image.
+
+To add further security to your system, you can optionally install {op-system} using IBM Secure Execution before proceeding to the fast-track installation. 
