VM65993: NEW FUNCTION : ENCRYPTED PAGING FOR Z/VM

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• Provide support for encryption of data as it is moved between
  active memory and a paging volume owned by z/VM.
  Encrypted paging is exclusive to the IBM z14.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of z/VM running on IBM z14         *
  *                 hardware.                                    *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  ****************************************************************
  * RECOMMENDATION: APPLY PTF                                    *
  ****************************************************************
  This PTF implements New Function in the z/VM Control Program to
  allow for the encryption and decryption of guest data as it
  moves to and from paging volumes owned by CP.
  

Problem conclusion

Temporary fix

Comments

• This APAR allows z/VM 6.4 to enable encryption of guest page
  data when running on the IBM z14 (D/T3906).  This APAR
  improves system security by making customer data defensible
  from attack or breach of volumes, even in cases where a system
  administrator has unintended access to those volumes. When
  enabled, guest data will be ciphered as it moves from active
  memory onto a paging volume owned by CP (ECKD, SCSI, or native
  FBA). This support will be limited to guest pages (in primary
  host address spaces and VM data spaces) and VDISK pages written
  by the CP Paging subsystem to paging extents (or when paging
  space has been exhausted, to spool extents).
  
  A new configuration statement and command has been added to
  allow the user to manipulate the way this new support functions
  on the system. The ENCRYPT PAGING configuration statement allows
  the encryption capability to be toggled (ON, OFF, or REQUIRED).
  This setting may be adjusted later through the new CP SET
  ENCRYPT command.  NOTE: If REQUIRED is specified for a system
  missing IBM z14 Feature 3863 (CPACF), the system will enter a
  disabled wait-state.  The REQUIRED option is provided for
  regulatory compliance and should be used cautiously, as there
  is no work-around for it.  It is recommended that the ON option
  be used when testing workloads with this new capability.
  Additionally, it is recommended that back-up system
  configuration files be kept locally to boot such systems during
  emergencies or in DR scenarios. For information about managing a
  system with encryption, refer to z/VM CP Planning And
  Administration, section entitled "Pervasive Encryption for
  z/VM".
  
  The encryption algorithm may be selected the first time
  encryption is enabled for PAGING. This may happen during system
  IPL or via the CP SET ENCRYPT command. Once set, the encryption
  algorithm may not be changed without a system IPL.  (If
  encrypted paging is disabled and re-enabled, the same algorithm
  will be in effect.) The available algorithms are AES128, AES192,
  and AES256 (default) in Cipher Block Chaining (CBC) mode. The
  strength of the algorithm may have implications on the
  performance of guest workload.  Refer to z/VM Performance,
  section entitled "Major Factors Affecting Performance" for more
  information.
  
  For more information about the CP SET ENCRYPT and CP QUERY
  ENCRYPT commands introduced in this APAR, refer to "z/VM CP
  Commands and Utilities Reference".
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UM35256 UM35257

Modules/Macros

• CBITABLE CPLOAD   CPQUERY  CPSET    ENCRYPT  HCPALG   HCPASATE
  HCPBSC   HCPBSI   HCPBSM   HCPCBI   HCPCLD   HCPCLS   HCPENC
  HCPENCBK HCPFRMTE HCPFST   HCPHAM   HCPHPC   HCPHSU   HCPHTU
  HCPHTV   HCPIIO   HCPKRY   HCPKRYPT HCPKYM   HCPKYMGR HCPKYSBK
  HCPMDLAT HCPMES   HCPMESA  HCPMESB  HCPMOM   HCPMONEQ HCPMOT
  HCPMPS   HCPMSM   HCPMXF   HCPMXRBK HCPOM1   HCPOM2   HCPPAF
  HCPPAG   HCPPAH   HCPPAI   HCPPAU   HCPPFR   HCPPGT   HCPPGV
  HCPPLP   HCPPLSBK HCPPPI   HCPPPR   HCPPTA   HCPQUY   HCPRLB
  HCPRLT   HCPRP    HCPSCFBK HCPSET   HCPSYC   HCPSYS   HCPSYSCM
  HCPSZK   HCPSZL   HCPVMDBK HCPVPGBK HCPZSC   HCP1137E HCP1139I
  HCP1390E HCP1391E HCP1392E HCP1393W HCP1394I HCP1395W HCP2768E
  HCP6706E HCWAI8   HCWA12   IPLPARMS MRMTRENC MRMTRSYS MRSTORSP
  

Fix information

• Fixed component name

  VM CP

• Fixed component ID

  568411202

Applicable component levels

• RA64 PSY UM34768

     UP18/12/14 P 1802

• R640 PSY UM35257

     UP17/12/11 P 1802

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.