IBM Secure Execution for Linux

IBM® Secure Execution for Linux® is a z/Architecture® security technology that is introduced with IBM z15™ and LinuxONE III.

It protects data of workloads that run in a KVM guest from being inspected or modified by the server environment. For more information, see Introducing IBM Secure Execution for Linux, SC34-7721.

The IBM Secure Execution for Linux feature must be enabled on your IBM Z® or IBM LinuxONE hardware (see IBM Dynamic Partition Manager (DPM) Guide, SB10-7170).

Host setup

  • The KVM host must run in logical partition (LPAR) mode. On DPM-enabled systems, the host must run directly in a partition.
  • The KVM host distribution must support IBM Secure Execution for Linux. This support became available with kernel 5.7.
  • The kernel parameters for the KVM host must include prot_virt=1.

KVM hosts that successfully start with support for IBM Secure Execution for Linux issue a kernel message like this: prot_virt: Reserving <amount>MB as ultravisor base storage.

Tip: Issue the virt-host-validate command on the host. The command output includes a line that starts with
QEMU: Checking for secure guest support     :
An OK after the colon confirms that you can run guests in IBM Secure Execution mode on this host. Otherwise, the colon is followed by information about unfulfilled requirements.
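
The three host checks above (the prot_virt=1 kernel parameter, the ultravisor kernel message, and the virt-host-validate line) can be combined into one preflight script. This is an added example, not IBM's code: the function names are hypothetical, the sample line is constructed, and check_host assumes that the boot message is still in the kernel ring buffer that dmesg reads.

```shell
#!/bin/bash
# Added example: preflight checks for a KVM host meant to run Secure Execution guests.
# The parsers take text as arguments, so they can be exercised away from the host.

# Succeeds if the kernel command line contains the exact parameter prot_virt=1.
has_prot_virt() {
    case " $1 " in
        *" prot_virt=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the MB reserved as ultravisor base storage; fails if the message is absent.
uv_reserved_mb() {
    local mb
    mb=$(printf '%s\n' "$1" | sed -n \
        's/.*prot_virt: Reserving \([0-9][0-9]*\)MB as ultravisor base storage.*/\1/p' |
        head -n 1)
    [ -n "$mb" ] && printf '%s\n' "$mb"
}

# Prints the text after the colon on the "secure guest support" line.
secure_guest_status() {
    printf '%s\n' "$1" | sed -n '/^[[:space:]]*QEMU: Checking for secure guest support/{
        s/^[^:]*:[^:]*:[[:space:]]*//
        s/[[:space:]]*$//
        p
        q
    }'
}

# Runs the three checks on the local host; returns non-zero if any of them fails.
# Assumption: the boot message is still in the kernel ring buffer that dmesg reads.
check_host() {
    local rc=0 status
    has_prot_virt "$(cat /proc/cmdline)" ||
        { echo "FAIL: prot_virt=1 is not in the kernel parameters"; rc=1; }
    uv_reserved_mb "$(dmesg)" >/dev/null ||
        { echo "FAIL: no ultravisor base storage message in the kernel log"; rc=1; }
    status=$(secure_guest_status "$(virt-host-validate 2>/dev/null)")
    [ "$status" = "OK" ] ||
        { echo "FAIL: secure guest support: ${status:-line not found}"; rc=1; }
    return "$rc"
}

# Constructed sample (not captured from a real host) to show the parsers at work.
sample='  QEMU: Checking for secure guest support     : OK'
echo "sample status: $(secure_guest_status "$sample")"
```

Source the file on the KVM host and call check_host; it prints one FAIL line per unmet requirement and returns non-zero if any check fails.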

IBM Secure Execution for Linux does not automatically protect data that your workload writes to persistent storage. Depending on your requirements, you might have to set up encrypted devices to back your virtual block devices and storage pools.

Virtual server configuration

The virtual server must configure all virtio devices to use a bounce buffer in the guest, and must not include items that are incompatible with IBM Secure Execution for Linux. See Configuring for IBM Secure Execution for Linux.

Guest preparation

Linux instances that are to run in IBM Secure Execution mode must be prepared as described in Introducing IBM Secure Execution for Linux, SC34-7721.

Guest migration

KVM guests that are prepared for IBM Secure Execution for Linux are configured to run only on specific IBM Z or LinuxONE hardware systems.

Offline migration of a virtual server to another KVM host is supported if the following conditions are fulfilled:
  • The target host supports guests in IBM Secure Execution mode.
  • The target host runs on the same hardware system or on a hardware system for which the KVM guest has also been configured.

You cannot perform live migration of a KVM guest in IBM Secure Execution mode.

Constraints that result from memory and state protection

IBM Secure Execution for Linux is designed to protect the guest memory and state from the hypervisor.

As a result, you intentionally cannot perform the following actions:
  • Host-initiated dumps.
  • Save and restore with the virsh save and virsh restore commands.
  • Live migration.