Starting the secure virtual server

On the KVM host, create a domain configuration-XML for the virtual machines that are to run in IBM Secure Execution mode.

Before you begin

You need a bootable disk image that is encrypted with the public host key of the mainframe on which you want to run it. See Preparing the boot image.

Procedure

  1. Place the bootable disk image on the KVM host file system in /var/lib/libvirt/images
    For example, assuming that the image is called secguest1.img: 
    # ls /var/lib/libvirt/images
...
secguest1.img
...
  2. Modify the domain configuration-XML you received from your customer.
    Add the launchSecurity element with type s390-pv to set defaults that simplify configuring the virtual server for IBM Secure Execution for Linux.
    1. Optional: Confirm that this setting is available in your environment
      Look for the following line in the output of the virsh domcapabilities command:
      <s390-pv supported="yes">
    2. Add the launchSecurity element.
      For example:
      <domain type="kvm">
    ...
    <launchSecurity type="s390-pv"/>
    ...
</domain>

      For example, this setting makes the required bounce buffer for virtio devices the default and you do not have to specify it explicitly for each device. This setting also leads to warning messages if the CPU model of the virtual server does not include all features that are required by IBM Secure Execution for Linux.

    Manual domain-XML configuration

    If the output of the virsh domcapabilities command shows that you do not have support for the launchSecurity element, you must configure the domain XML manually:

    1. Ensure that the XML has iommu="on" set to allow the use of bounce buffers on every element that represents a virtio device, for example, the <disk>, <serial>, and <interface> elements.
    2. Do not define a memory balloon device for secure guests. Use the following definition in the guest XML:
      <memballoon model='none'/>
    For example, the following domain configuration-XML, called secguest1.xml, configures a virtual machine called secguest1 that allows bounce buffers: 
    <domain type="kvm">
   <name>secguest1</name>
   ...
   <devices>
      <disk type="file" device="disk">
         <driver name="qemu" type="raw" cache="none" io="native" iommu="on"/>
         <source file="/var/lib/libvirt/images/secguest1.img"/>
         <target dev="vda" bus="virtio"/>
         <address type="ccw" cssid="0xfe" ssid="0x0" devno="0x1108"/>
         <boot order="1"/>
      </disk>
      ...
      <memballoon model='none'/>
   </devices>
    For details about the domain configuration-XML and how to configure virtual servers, see KVM Virtual Server Management, SC34-2752.
    Tip: Use virt-manager to work with the XML.
  3. Optional: Configure for direct kernel boot.
    If you received the secure boot image as a separate bootable kernel image file, modify the domain XML for a direct kernel boot.

    For example, this domain XML configures a guest that is booted from a kernel image:

    <os>
      ...
     <kernel>/var/lib/images/secure_img</kernel> 
</os>

    The <kernel> entry must contain the fully qualified path and file name of the secure boot image file.

  4. On the KVM host console, define the virtual machine with the virsh define command.
    For example, to define secguest1 defined by the secguest1.xml:
    # virsh define secguest1.xml
  5. From the KVM host console, verify that the guest can be started with the virsh start command.
    For example, to start secguest1:
    # virsh start secguest1

Results

The KVM guest defined by secguest1.img starts running in IBM Secure Execution mode. For information about troubleshooting, see Starting virtual server fails.
Figure 1. A KVM guest is created from a bootable image to run in IBM Secure Execution mode
KVM files are created on the host to define the KVM guest