From 72e3358f18acb1ee9eae2aff5611dd65ec88efc4 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 19 Dec 2024 10:45:16 +0100 Subject: [PATCH] Add hardware prerequisites for IBM Secure Execution This commit completes the previously empty page for enabling IBM Secure Execution by detailing the hardware requirements (software requirements additionally) Signed-off-by: Hyounggyu Choi --- .../prerequisites/hardware/se.md | 67 ++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/content/en/docs/getting-started/prerequisites/hardware/se.md b/content/en/docs/getting-started/prerequisites/hardware/se.md index e999cd4..4d268bd 100644 --- a/content/en/docs/getting-started/prerequisites/hardware/se.md +++ b/content/en/docs/getting-started/prerequisites/hardware/se.md 
@@ -8,5 +8,70 @@ tags: - SE --- -TODO +## Platform Setup +This document outlines the steps to configure a host machine to support IBM Secure Execution on IBM s390x architecture. This capability enables enhanced security for workloads by leveraging protected virtualization. Ensure the host meets the necessary hardware and software requirements before proceeding. + +### Hardware Requirements + +Supported hardware includes the following systems: + +- IBM z15 or newer models +- IBM LinuxONE III or newer models + +### Software Requirements + +Additionally, the system must meet specific CPU and kernel configuration requirements. Follow the steps below to verify and enable the Secure Execution capability. + +1. Verify Protected Virtualization Support in the Kernel + + Run the following command to ensure the kernel supports protected virtualization: + ```bash + cat /sys/firmware/uv/prot_virt_host + ``` + A value of 1 indicates support. + +2. Check Ultravisor Memory Reservation + + Confirm that the ultravisor has reserved memory during the current boot: + ```bash + sudo dmesg | grep -i ultravisor + ``` + Example output: + ``` + [ 0.063630] prot_virt.f9efb6: Reserving 98MB as ultravisor base storage + ``` + +3. Validate the Secure Execution Facility Bit + + Ensure the required facility bit (158) is present: + ```bash + cat /proc/cpuinfo | grep 158 + ``` + The facilities field should include 158. + +If any required configuration is missing, contact your cloud provider to enable the Secure Execution capability for a machine itself. Alternatively, if you have administrative privileges and the facility bit (158) is set, you can enable it by modifying kernel parameters and rebooting the system: + +1. Modify Kernel Parameters + + Update the kernel configuration to include the prot_virt=1 parameter: + ```bash + sudo sed -i 's/^\(parameters.*\)/\1 prot_virt=1/g' /etc/zipl.conf + ``` + +2. 
Update the Bootloader and Reboot the System + + Apply the changes to the bootloader and reboot the system: + ```bash + sudo zipl -V + sudo systemctl reboot + ``` + +3. Repeat the Verification Steps + + After rebooting, repeat the verification steps above to ensure Secure Execution is properly enabled. + +### Additional Notes + +- The steps to enable Secure Execution may vary depending on the Linux distribution. Consult your distribution’s documentation if necessary. +- For more detailed information about IBM Secure Execution for Linux, refer to the official documentation at [IBM Secure Execution for Linux](https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-execution-linux).
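Review bot: the facility-bit check in step 3 of the verification list, `cat /proc/cpuinfo | grep 158`, does not test the facilities field; it matches any cpuinfo line containing the digit sequence 158 (a bogomips value or a longer facility number such as 1158 would also pass), so a machine without Secure Execution can print a match. Restrict it to the facilities line and to the whole number, for example `grep -E '^facilities' /proc/cpuinfo | grep -qw 158 && echo "facility 158 present"`. The enable step has the same looseness: `sed -i 's/^\(parameters.*\)/\1 prot_virt=1/g' /etc/zipl.conf` appends ` prot_virt=1` after the end of every line beginning with `parameters`, which lands outside the closing quote when the value is written as `parameters="..."`, and running the command twice adds the parameter twice; guard it with a `grep -q prot_virt=1 /etc/zipl.conf ||` prefix and insert the token inside the quotes, or defer to the distribution's kernel-parameter tooling as the Additional Notes already suggest. Minor: the "Software Requirements" heading introduces only kernel and firmware checks, so a title such as "Kernel and Firmware Configuration" would describe the content better.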