Add hardware prerequisites for IBM Secure Execution
This commit completes the previously empty page for enabling IBM Secure Execution
by detailing the hardware requirements (software requirements additionally)

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
BbolroC committed Dec 19, 2024
1 parent 83e293e commit 72e3358
67 changes: 66 additions & 1 deletion content/en/docs/getting-started/prerequisites/hardware/se.md
@@ -8,5 +8,70 @@ tags:
- SE
---

TODO
## Platform Setup

This document outlines the steps to configure a host machine to support IBM Secure Execution on IBM s390x architecture. This capability enables enhanced security for workloads by leveraging protected virtualization. Ensure the host meets the necessary hardware and software requirements before proceeding.

### Hardware Requirements

Supported hardware includes the following systems:

- IBM z15 or newer models
- IBM LinuxONE III or newer models

### Software Requirements

Additionally, the system must meet specific CPU and kernel configuration requirements. Follow the steps below to verify and enable the Secure Execution capability.

1. Verify Protected Virtualization Support in the Kernel

Run the following command to ensure the kernel supports protected virtualization:
```bash
cat /sys/firmware/uv/prot_virt_host
```
A value of 1 indicates support.

2. Check Ultravisor Memory Reservation

Confirm that the ultravisor has reserved memory during the current boot:
```bash
sudo dmesg | grep -i ultravisor
```
Example output:
```
[ 0.063630] prot_virt.f9efb6: Reserving 98MB as ultravisor base storage
```

3. Validate the Secure Execution Facility Bit

Ensure the required facility bit (158) is present:
```bash
cat /proc/cpuinfo | grep 158
```
The facilities field should include 158.

If any required configuration is missing, contact your cloud provider to enable the Secure Execution capability for a machine itself. Alternatively, if you have administrative privileges and the facility bit (158) is set, you can enable it by modifying kernel parameters and rebooting the system:

1. Modify Kernel Parameters

Update the kernel configuration to include the prot_virt=1 parameter:
```bash
sudo sed -i 's/^\(parameters.*\)/\1 prot_virt=1/g' /etc/zipl.conf
```

2. Update the Bootloader and Reboot the System

Apply the changes to the bootloader and reboot the system:
```bash
sudo zipl -V
sudo systemctl reboot
```

3. Repeat the Verification Steps

After rebooting, repeat the verification steps above to ensure Secure Execution is properly enabled.

### Additional Notes

- The steps to enable Secure Execution may vary depending on the Linux distribution. Consult your distribution’s documentation if necessary.
- For more detailed information about IBM Secure Execution for Linux, refer to the official documentation at [IBM Secure Execution for Linux](https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-execution-linux).
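Review bot: the facility check `cat /proc/cpuinfo | grep 158` (step 3) matches any line of `/proc/cpuinfo` that contains the digits 158, not only facility number 158 in the `facilities` line, so it can report success on a machine that lacks the facility; anchor it to the line and to the whole number, e.g. `grep -E '^facilities.*\b158\b' /proc/cpuinfo`, and state that a hit means the hardware/firmware supports Secure Execution while step 1 (`prot_virt_host` reading 1) is what shows it is actually enabled on the host. Two smaller points in the same hunk: `dmesg | grep -i ultravisor` (step 2) only works while the boot messages are still in the kernel ring buffer, which is not guaranteed on a long-running host, so mention `journalctl -k` or treat `prot_virt_host` as the authoritative check; and the `sed` that appends `prot_virt=1` is not idempotent, it adds the parameter on every run and to every `parameters` line in `/etc/zipl.conf`, so guard it with something like `grep -q 'prot_virt=' /etc/zipl.conf ||` and point out, next to the existing note that steps vary by distribution, that distributions managing the kernel command line elsewhere (e.g. via `grubby`) need a different edit.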
