Secure Boot is a feature of a system bootloader
that is intended to restrict a system to booting only trustworthy
operating systems. In the case of Linux, this means the Linux kernel
must be signed by a trusted party (e.g., a distributor) whose
certificates for verifying the kernel are installed in the system. Once
securely booted, a Linux kernel runs in lock-down mode, which means
that only signed modules can be loaded and certain “dangerous”
kernel functions are disabled.

Since May 2023, IBM z16 and LinuxONE 4 servers have extended support for
Secure Boot: operators now have the option to securely boot Linux
into a logical partition from SCSI, NVMe and ECKD devices. In
addition, a system operator can configure for each logical partition
which certificates shall be used to verify a signed Linux kernel upon
secure boot.

This can be done on the Hardware Management Console (HMC) with the HMC
“Secure Boot Certificate Management” task.

Once secure boot certificates are configured for a logical partition, the
initial (RHEL, SLES and Ubuntu) certificates baked into the system
firmware will no longer be used by the secure boot process.

There are many advantages to the configurability of secure boot
certificates. Among others, this feature allows operators to:
- react to secure boot certificate revocation according to the
  policies of their company (i.e., without being forced to wait for a
  new firmware update),
- restrict the securely bootable kernels to specific Linux distributors, and
- configure the system to securely boot Linux with kernels signed by
  the customer or a trusted vendor of the customer’s choice.

Operators who want to configure logical partitions with certificates of their
own choice (e.g., with a new certificate after a Linux distributor
has revoked its previous certificate) must fetch the corresponding
certificates from the distributors:

The operator must then verify the validity of the fetched certificates
(e.g., using OpenSSL tools), upload the certificates to the
HMC, and assign them to the target logical partition.
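
One way to script the verification step with the OpenSSL command line before a certificate is uploaded to the HMC. This is an added example, not IBM's or a distributor's tooling. It assumes a PEM file and a reference SHA-256 fingerprint obtained from the distributor through a separate trusted channel; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example: checks on a fetched certificate file before upload.
# File names and the reference fingerprint are supplied by the operator.

# Print the fields to compare against what the distributor publishes.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Print the SHA-256 fingerprint as uppercase hex without colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':'
}

# verify_cert FILE EXPECTED_SHA256 [MIN_SECONDS_LEFT]
# Returns 0 = ok, 1 = not a parsable X.509 certificate,
#         2 = fingerprint mismatch, 3 = expired or expiring too soon.
verify_cert() {
    cert=$1; expected=$2; min_left=${3:-0}
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    actual=$(cert_sha256 "$cert")
    # Accept the reference value in either case, with or without colons.
    expected=$(printf '%s' "$expected" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ] || return 2
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null || return 3
    return 0
}

# Constructed sample input: a throwaway self-signed certificate (not a real
# distributor certificate) so the checks can be tried offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "${2:-1}" -subj "/CN=Constructed sample signer" 2>/dev/null
}

# Usage: sh check_cert.sh FILE EXPECTED_SHA256 [MIN_SECONDS_LEFT]
if [ "$#" -ge 2 ]; then
    cert_summary "$1"
    verify_cert "$@"
    rc=$?
    echo "verify_cert exit code: $rc"
    exit "$rc"
fi
```

The fingerprint comparison is the check that ties the file to the distributor; a self-signed certificate's own signature says nothing about who issued it.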

For in-depth documentation of Secure Boot for
IBM Z and LinuxONE, see
https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-boot-linux-onibm-z-linuxone.