Secure traditional virtual servers from data at rest, data in flight, and data in memory in a KVM environment
IBM’s current generation of IBM Z (z15) and IBM LinuxONE (LinuxONE III) servers have continued the push to secure workloads with new and enhanced security features. These security features cover a wide range of different environments and capabilities. Hyper Protect and Secure Service Containers, for example, provide a highly secure appliance-like environment to run your docker containers. Hyper Protect Data Controller allows you to protect data from other sources such as z/OS or other applications running on x86 or IBM Power anywhere in your data center and beyond by controlling access to that data even when it is not on the source platform any longer. The CPACF (Central Processor Assist for Cryptographic Function) and Crypto Express cards secure your data at rest and in flight and can help offload a lot of cryptographic processing, keeping more of the CPU processing power for your applications. Along with these features and products, the z15 and LinuxONE III introduced IBM Secure Execution for Linux, which is a free feature that can help protect your data while in use.
Filling a Need
IBM Z and LinuxONE have long had the ability to encrypt data at rest and data in flight. This is accomplished by encrypting volumes (data at rest) and encrypting communications to and from the platform (data in flight) by utilizing the CPACF coprocessor and Crypto Express Cards. IBM z/VM has provided multi tenancy for its guests for decades, but there has been a lack of this type of support in the KVM (Kernel-based Virtual Machine) hosting environment. (KVM is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor.)
IBM Secure Execution for Linux provides the ability to protect a KVM guest’s memory, boot image and state information (control blocks) from the KVM hypervisor, as well as from other guests sharing this KVM host. This capability enables you to populate large KVM hosts with different guests that could be from different departments or different clients, allowing a more robust multitenant environment, which helps to reduce costs and resource utilization. IBM Secure Execution for Linux helps you protect a virtual server, whereas for example, a Hyper Protect solution utilizing Secure Service Containers is designed to protect containerized workloads. This allows you to easily protect your existing workloads without having to containerize them and change your development and deployment process. Having said this though, you can still run a docker or other containerized solution in a KVM guest and get the protection provided by IBM Secure Execution for Linux.
How Does It Work?
IBM Secure Execution for Linux is provided by a feature code that you can order on a new or existing z15 or LinuxONE III. IBM Secure Execution for Linux works by protecting your guest’s boot image, memory, and state information. With IBM Secure Execution for Linux, each z15 or LinuxONE III has a private host key that is stored in microcode and is unique to this physical system. During the process of setting up this feature, you verify and download the public key needed to use this feature on your system. After you obtain the public key, you will run a utility that will transform the guest image into an encrypted secure image that can only be decrypted and brought up on this specific machine. In the case of a disaster recovery situation or multiple site scenario, multiple keys can be set up to allow the image to be brought up on any of these other systems if the primary is down.
While running the guest, the guest’s memory is protected by the Ultravisor maintained by the z15 and LinuxONE hardware and microcode, which intercepts and validates KVM host requests and returns needed information to the KVM host. The Ultravisor also maintains hashes for memory pages it needs to page out to prevent page manipulation when the pages are paged back into memory.
There are a few parameter modifications you need to make to the KVM host and to the KVM guest to utilize this new feature. These are simple and are fully explained in the links below. Other steps involved in setting up the image include using a secure remove utility (available with the Linux distribution) to remove sensitive information out of the boot directory to prevent anyone seeing unencrypted kernel or boot information used by this guest. The steps also document other modifications you should be making to the image in any case, such as restricting root access, etc. The steps are similar for each of the three supported distributions.
Requirements and Limitations
KVM hosts and KVM guests require current versions and releases of the three commercially supported Linux distributions, Red Hat, SUSE and Ubuntu. This feature is only available on z15 or LinuxONE III or later models with feature code 0115. This feature allows you to access the host key document that is available on IBM Resource Link, which is unique to your system. The genprotimg tool is required to convert the KVM guest image into an IBM Secure Execution for Linux image and is available with current releases of the supported distributions. There are a few changes you need to make to the kernel parameters and other parameters for both the KVM host and guest image and these are documented in the links below.
As of this writing, there is no live guest relocation support available. IBM is looking at providing this support in the future. You can move a guest from one KVM host to another while the guest is down if the guest has been configured to run on that host. This holds true for different z15 or LinuxONE in a disaster recovery situation as well. There are a few other limitations and they are documented in the links below.
With IBM Secure Execution for Linux, you now can secure traditional virtual servers from data at rest, data in flight, and data in memory in a KVM environment. Along with good security policies and procedures used to harden your Linux guests, you can develop and deploy highly secure environments to host your applications with no application modifications and minimal modifications to the KVM hosts and guests.
Get More Information
As an IBM Platinum Business Partner, Mainline has extensive experience with IBM mainframe systems and operating systems, and we can help you with Red Hat OpenShift, IBM Cloud Paks, z/OS, z/VM, Linux on IBM Z, and LinuxONE. To set up an in-depth discussion about how to get started using these technologies, please contact your Mainline Account Executive directly or click here to contact us with any questions.
You may be interested in:
Webcast: Register for the Secure Execution for Linux webcast, Oct 6, 2021
Links to using IBM Secure Execution for Linux on IBM z15 and LinuxONE III