Secure Boot is a feature of a system bootloader that is intended to restrict a system to only boot trustworthy operating systems. In the case of Linux this means the Linux kernel must be signed by a trusted party (e.g., a distributor) of which the certificates to verify the kernel are installed in the system. Once securely booted, a Linux kernel runs in lock-down mode which means that only signed modules can be loaded and certain “dangerous” kernel functions are disabled.
Since May 2023, IBM z16 and LinuxONE 4 servers have extended support for Secure Boot: operators now have the option to securely boot Linux into a logical partition from SCSI, NVMe and ECKD devices. In addition, a system operator can configure for each logical partition which certificates shall be used to verify a signed Linux kernel upon secure boot.
This can be done on the Hardware Management Console (HMC) with the HMC “Secure Boot Certificate Management” task.
Once secure boot certificates are configured for a logical partition, the initial (RHEL, SLES and Ubuntu) certificates baked into the system firmware will no longer be used by the secure boot process.
There are many advantages to the configurability of secure boot certificates. Among others, this feature allows operators
to react to secure boot certificate revocation according to the policies of their company (i.e., without being forced to wait for a new firmware update),
restrict the securely bootable kernels to specific Linux distributors, and
to configure the system to securely boot Linux with kernels signed by the customer or a trusted vendor of the customer’s choice.
Operators who want to configure logical partitions with certificates of their own choice (e.g., with a new certificate after a Linux distributor has revoked its previous certificate) must fetch the according certificates from the distributors:
RHEL: Use the certificate labeled "Red Hat Secureboot 302" with Subject Common Name "Red Hat Secure Boot (signing key 2)" at https://access.redhat.com/security/team/key
SLES: "SUSE Secure Boot Signing Key" at https://www.suse.com/support/security/keys/
Ubuntu: File sipl.x509 at http://us.ports.ubuntu.com/ubuntu-ports/dists/<first_part _of_release_codename>/main/signed/linux-s390x/current/signed.tar.gz (e.g. Jammy for Ubuntu 22.04)
The operator then must verify the validity of the fetched certificates (e.g . using openSSL tools), upload the certificates to the HMC, and assign them to the target logical partition.
For an in depth documentation of Secure Boot for IBM Z and LinuxONE see https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-boot-linux-onibm-z-linuxone.