VM66650: SMAPI SUPPORT FOR GUEST SECURE IPL

Obtain the fix for this APAR.

APAR status

• Closed as new function.

Error description

• Provide two new System Management API's to define and
  Query Guest Secure Image IPL Characteristics.
  
  A z/VM user can request that the machine loader validate the
  signed IPL code by using the security keys that were previously
  loaded by the customer into the HMC certificate store. The
  validation ensures that the IPL code is intact, unaltered, and
  originates from a trusted build-time source.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of System Management APIs needing  *
  *                 support for guest secure IPL.                *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  ****************************************************************
  * RECOMMENDATION: APPLY PTF                                    *
  ****************************************************************
       Support is needed in SMAPI to allow guest secure IPL
  (load and dump) for both ECKD and SCSI devices.
  

Problem conclusion

Temporary fix

• FOR RELEASE ES-CMS-730-BASE :
  PREREQ: VM66646 VM66626
  CO-REQ: NONE
  IF-REQ: UM90281(VM66434-7VMCPR30) UV99435(VM66424-7VMDIR30)
  

Comments

• With the PTFs for APARs VM66424 (DirMaint), VM66434 (CP), and
  VM66650 (SMAPI), z/VM V7.3 supports guest secure IPL (load
  and dump) for both ECKD and SCSI devices.  A z/VM guest can
  request that the machine loader validate the signed IPL code by
  using the security keys that were previously loaded by the
  customer onto the HMC certificate store.  The validation
  ensures that the IPL code is intact, unaltered, and originates
  from a trusted build-time source.  Support is provided for
  the following guest operating systems:
  - Linux is fully supported.  If the IPL code does not validate,
    the IPL stops.
  - z/OS is supported in audit mode only.  Full exploitation
    requires Virtual Flash Memory support, which is not
    available to a guest.  In audit mode, the IPL code is
    checked but the IPL continues even if the code is not valid.
  
  The following new Systems Management API calls are added to
  define and query LOADDEV user directory statements:
  - Image_IPL_Characteristics_Define_DM
  - Image_IPL_Characteristics_Query_DM
  
  The following topics are updated :
  - "Image_IPL_Query_DM"
  - "Image_IPL_Set_DM"
  - "Image_SCSI_Characteristics_Define_DM"
  - "Image_SCSI_Characteristics_Query_DM"
  - "List-Directed IPL APIs"
  
  The following z/VM 7.3 publication is updated to reflect these
  changes:
  SC24-6327-73: System Management Application Programming
  This publication is available at the z/VM web site
  https://www.ibm.com/docs/en/zvm/7.3
  
  Additional Keywords: D/T3931 D/T3932
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UM90300

Modules/Macros

• DMSBL493 DMSSIDAT DMSSIPRM DMSSJBST DMSSJGRV DMSSJIPL DMSSJIPQ
  DMSSSRCX DVHCSLDQ DVHCSLDS IMIPLCDD IMIPLCQD IMIPLQRY IMIPLSET
  SMAPI    VSMWORK1
  

Fix information

• Fixed component name

  VM CMS

• Fixed component ID

  568411201

Applicable component levels

• R730 PSY UM90300

     UP23/07/03 P 2401  

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.