Howto: Configuring your Linux LPAR for Secure Boot

Secure Boot is a bootloader feature intended to restrict a system to booting only trustworthy operating systems. For Linux, this means the kernel must be signed by a trusted party (e.g., a distributor) whose certificates for verifying the kernel are installed in the system. Once securely booted, a Linux kernel runs in lockdown mode, which means that only signed modules can be loaded and certain “dangerous” kernel functions are disabled.

Since May 2023, IBM z16 and LinuxONE 4 servers have extended support for Secure Boot: operators now have the option to securely boot Linux into a logical partition from SCSI, NVMe and ECKD devices. In addition, a system operator can configure for each logical partition which certificates shall be used to verify a signed Linux kernel upon secure boot.

This can be done on the Hardware Management Console (HMC) with the HMC “Secure Boot Certificate Management” task.

Once secure boot certificates are configured for a logical partition, the initial (RHEL, SLES and Ubuntu) certificates baked into the system firmware will no longer be used by the secure boot process.

There are many advantages to the configurability of secure boot certificates. Among others, this feature allows operators

  • to react to secure boot certificate revocation according to the policies of their company (i.e., without being forced to wait for a new firmware update),

  • to restrict the securely bootable kernels to specific Linux distributors, and

  • to configure the system to securely boot Linux with kernels signed by the customer or a trusted vendor of the customer’s choice.

Operators who want to configure logical partitions with certificates of their own choice (e.g., with a new certificate after a Linux distributor has revoked its previous certificate) must fetch the corresponding certificates from the distributors:

The operator must then verify the validity of the fetched certificates (e.g., using OpenSSL tools), upload the certificates to the HMC, and assign them to the target logical partition.
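One way to script the verification step with the OpenSSL command line, as an added example that is not part of the original post or of IBM's documentation. The function names are hypothetical, and it assumes the operator has obtained the expected SHA-256 fingerprint from the distributor over a separate trusted channel; the sample certificate is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print PEM or DER depending on which encoding openssl can parse.
cert_form() {
    for f in PEM DER; do
        openssl x509 -in "$1" -inform "$f" -noout >/dev/null 2>&1 &&
            { echo "$f"; return 0; }
    done
    return 1
}

# Print the SHA-256 fingerprint as 64 upper-case hex digits.
cert_fingerprint() {
    form=$(cert_form "$1") || return 1
    fp=$(openssl x509 -in "$1" -inform "$form" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# check_cert FILE EXPECTED_SHA256 [MIN_DAYS]
# 0 ok, 1 not a certificate, 2 fingerprint mismatch, 3 expired or expiring
check_cert() {
    min_days=${3:-30}
    # Assumption: the expected value came from a separate trusted channel.
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    have=$(cert_fingerprint "$1") || return 1
    [ "$have" = "$want" ] || return 2
    form=$(cert_form "$1")
    openssl x509 -in "$1" -inform "$form" -noout \
        -checkend $((min_days * 86400)) >/dev/null || return 3
    # Subject, issuer and validity window for the operator to review.
    openssl x509 -in "$1" -inform "$form" -noout -subject -issuer -dates
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {   # make_sample_cert OUT.pem DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=Constructed Test Signer" -days "$2" >/dev/null 2>&1
}

# Usage: sh check_cert.sh FILE EXPECTED_SHA256 [MIN_DAYS]
if [ $# -ge 2 ]; then check_cert "$@"; fi
```

A fingerprint match only proves the file is the one the distributor published; whether that signer should be trusted for a given partition remains the operator's policy decision.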

For in-depth documentation of Secure Boot for IBM Z and LinuxONE, see https://www.ibm.com/docs/en/linux-on-systems?topic=security-secure-boot-linux-onibm-z-linuxone.

