From 82a743a6d739c762922af2c202977c657bc94b74 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 19 Dec 2024 10:45:16 +0100 Subject: [PATCH 1/2] Add hardware prerequisites for IBM Secure Execution This commit completes the previously empty page for enabling IBM Secure Execution by detailing the hardware requirements (software requirements additionally) Signed-off-by: Hyounggyu Choi --- .../prerequisites/hardware/se.md | 78 ++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) diff --git a/content/en/docs/getting-started/prerequisites/hardware/se.md b/content/en/docs/getting-started/prerequisites/hardware/se.md index e999cd4..304bc84 100644 --- a/content/en/docs/getting-started/prerequisites/hardware/se.md +++ b/content/en/docs/getting-started/prerequisites/hardware/se.md 
@@ -8,5 +8,81 @@ tags: - SE --- -TODO +## Platform Setup +This document outlines the steps to configure a host machine to support +IBM Secure Execution on IBM Z & LinuxONE platforms. This capability enables +enhanced security for workloads by taking advantage of protected +virtualization. Ensure the host meets the necessary hardware and software +requirements before proceeding. + +### Hardware Requirements + +Supported hardware includes these systems: + +- IBM z15 or newer models +- IBM LinuxONE III or newer models + +### Software Requirements + +Additionally, the system must meet specific CPU and kernel configuration +requirements. Follow the steps below to verify and enable the Secure Execution +capability. + +1. Verify Protected Virtualization Support in the Kernel + + Run the following command to ensure the kernel supports protected virtualization: + ```bash + cat /sys/firmware/uv/prot_virt_host + ``` + A value of 1 indicates support. + +2. Check Ultravisor Memory Reservation + + Confirm that the ultravisor has reserved memory during the current boot: + ```bash + sudo dmesg | grep -i ultravisor + ``` + Example output: + ``` + [ 0.063630] prot_virt.f9efb6: Reserving 98MB as ultravisor base storage + ``` + +3. Validate the Secure Execution Facility Bit + + Ensure the required facility bit (158) is present: + ```bash + cat /proc/cpuinfo | grep 158 + ``` + The facilities field should include 158. + +If any required configuration is missing, contact your cloud provider to +enable the Secure Execution capability for a machine. Alternatively, if +you have administrative privileges and the facility bit (158) is set, you can +enable it by modifying kernel parameters and rebooting the system: + +1. Modify Kernel Parameters + + Update the kernel configuration to include the prot_virt=1 parameter: + ```bash + sudo sed -i 's/^\(parameters.*\)/\1 prot_virt=1/g' /etc/zipl.conf + ``` + +2. 
Update the Bootloader and reboot the System + + Apply the changes to the bootloader and reboot the system: + ```bash + sudo zipl -V + sudo systemctl reboot + ``` + +3. Repeat the Verification Steps + + After rebooting, repeat the verification steps above to ensure Secure Execution is properly enabled. + +### Additional Notes + +- The steps to enable Secure Execution might vary depending on the Linux + distributions. Consult your distribution’s documentation if necessary. +- For more detailed information about IBM Secure Execution for Linux, see also + the official documentation at [IBM Secure Execution for Linux](https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-execution-linux). From 0e742b9fa7d82e35f572ee411fb7c6b371f024b0 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Thu, 19 Dec 2024 19:26:08 +0100 Subject: [PATCH 2/2] Fix prose linting error on ultravisor and bootloader This commit adds the following words to the whitelist: - [uU]ltravisor - [bB]ootloader to fix a prose linting error. Signed-off-by: Hyounggyu Choi --- styles/config/vocabularies/coco/accept.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/styles/config/vocabularies/coco/accept.txt b/styles/config/vocabularies/coco/accept.txt index c3235b0..85eaa1a 100644 --- a/styles/config/vocabularies/coco/accept.txt +++ b/styles/config/vocabularies/coco/accept.txt @@ -92,4 +92,6 @@ KMSes grpc gRPC proto -protobuf \ No newline at end of file +protobuf +[uU]ltravisor +[bB]ootloader
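Review bot: In step 3 of the Software Requirements list in se.md, `cat /proc/cpuinfo | grep 158` matches the string 158 anywhere in the file, so it can report success from an unrelated field or from a longer number containing those digits, even though the text says the value must appear in the facilities field. Restrict the check to that field and match the whole word, for example `grep facilities /proc/cpuinfo | grep -w 158`. Separately, the `sed` command under "Modify Kernel Parameters" appends ` prot_virt=1` to the end of every line beginning with `parameters` each time it runs: a second run duplicates the parameter, and if the value in `/etc/zipl.conf` is quoted, the addition lands after the closing quote. Suggest telling the reader to back up the file first and either edit the line by hand or skip the command when `prot_virt=1` is already present.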
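Review bot: The `[uU]ltravisor` and `[bB]ootloader` entries in accept.txt arrive in patch 2/2, but the words they allow are introduced by se.md in patch 1/2, so the first commit on its own would still trigger the prose linting error this commit message refers to. Fold this hunk into patch 1/2, or move the vocabulary change ahead of the documentation change, so that each commit in the series passes the check.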