×

You can configure IBM® Secure Execution virtual machines (VMs) on IBM Z® and IBM® LinuxONE.

IBM® Secure Execution for Linux is a s390x security technology that is introduced with IBM® z15 and IBM® LinuxONE III. It protects data of workloads that run in a KVM guest from being inspected or modified by the server environment.

In particular, no hardware administrator, no KVM code, and no KVM administrator can access the data in a guest that was started as an IBM Secure Execution guest.

Additional resources

Enabling VMs to run IBM® Secure Execution on IBM Z® and IBM® LinuxONE

To enable IBM® Secure Execution virtual machines (VMs) on IBM Z® and IBM® LinuxONE on the compute nodes of your cluster, you must ensure that you meet the prerequisites and complete the following steps.

Prerequisites
  • Your cluster has logical partition (LPAR) nodes running on IBM® z15 or later, or IBM® LinuxONE III or later.

  • You have IBM® Secure Execution workloads available to run on the cluster.

  • You have installed the OpenShift CLI (oc).

Procedure
  1. To run IBM® Secure Execution VMs, you must add the prot_virt=1 kernel parameter for each compute node. To enable all compute nodes, create a file named secure-execution.yaml that contains the following machine config manifest:

    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      name: secure-execution
      labels:
        machineconfiguration.openshift.io/role: worker
    spec:
      kernelArguments:
        - prot_virt=1

    where:

    prot_virt=1

    Specifies that the ultravisor can store memory security information.

  2. Apply the changes by running the following command:

    $ oc apply -f secure-execution.yaml

    The Machine Config Operator (MCO) applies the changes and reboots the nodes in a controlled rollout.

  3. Edit the HyperConverged custom resource (CR) by running the following command:

    $ oc edit -n openshift-cnv HyperConverged kubevirt-hyperconverged
  4. Enable the feature gate for IBM® Secure Execution by applying the following annotations:

    apiVersion: hco.kubevirt.io/v1beta1
    kind: HyperConverged
    metadata:
      annotations:
        kubevirt.kubevirt.io/jsonpatch: |-
         [
          {
           "op":"add",
           "path":"/spec/configuration/developerConfiguration/featureGates/-",
           "value":"SecureExecution"
          }
         ]

Launching an IBM Secure Execution VM on IBM Z and IBM LinuxONE

Before launching an IBM® Secure Execution VM on IBM Z® and IBM® LinuxONE, you must add the launchSecurity parameter to the VM manifest. Otherwise, the VM does not boot correctly because it does not have access to the devices.

Procedure
  • Apply the following VirtualMachine manifest to the cluster:

    apiVersion: kubevirt.io/v1
    kind: VirtualMachine
    metadata:
      labels:
        kubevirt.io/vm: f41-se
      name: f41-se
    spec:
      runStrategy: Always
      template:
        metadata:
          labels:
            kubevirt.io/vm: f41-se
        spec:
          domain:
            launchSecurity: {}
            devices:
              disks:
              - disk:
                  bus: virtio
                name: rootfs
            machine:
              type: ""
            resources:
              requests:
                memory: 4Gi
          terminationGracePeriodSeconds: 0
          volumes:
            - name: rootfs
              dataVolume:
                name: f41-se

    To launch IBM® Secure Execution VMs, you must include the following YAML in the manifest:

    spec:
       domain:
         launchSecurity: {}

    The rest of the VM manifest is variable depending on your setup.

    Because the memory of the VM is protected, IBM® Secure Execution VMs are not live migratable. The VMs can only be migrated offline.