Use pvsecret create with the --disable-dump option to
prevent the hypervisor from creating guest kernel dumps.
About this task
If a secure execution image vendor creates a guest image with dumps enabled, any
dumps are encrypted with the vendor's keys. However, a tenant who takes ownership of such a guest
might prefer to prevent the hypervisor from dumping that guest by using the
--disable-dump option.
You can use the pvsecret create command only to disable dumping,
or you can add the disablement to an add-secret request.
You can enhance the security of the disable-dump request with methods that are
described in Preventing the misuse of add-secret requests.
Procedure
- To prevent dumping, use pvsecret create with a meta secret to pass the
--disable-dump flag to the guest. Issue a command of the form:
# pvsecret create -k <host_key_document> --hdr <secure_execution_header> -o <request_file> \
--crt <CA_certificate> --crt <IBM_signing_certificate> \
--flags disable-dump meta
For example, to use a host-key document z16.crt, a guest header se.hdr,
a CA certificate DigiCertCA.crt, and an IBM signing key ibm-sign.crt,
issue the following command on a trusted system:
pvsecret create -k z16.crt --hdr se.hdr -o addNoDumpReq \
--crt DigiCertCA.crt --crt ibm-sign.crt \
--flags disable-dump meta
The command prevents any memory dumps from being taken from this Linux instance.
The command creates an add-secret request and writes it to addNoDumpReq.
- To prevent dumping and also create an association secret, issue a command of the form:
# pvsecret create -k <host_key_document> --hdr <secure_execution_header> -o <request_file> \
--crt <CA_certificate> --crt <IBM_signing_certificate> \
--flags disable-dump association <string>
For example, to use a host-key document z16.crt, a guest header se.hdr,
a CA certificate DigiCertCA.crt, and an IBM signing key ibm-sign.crt,
issue the following command on a trusted system:
pvsecret create -k z16.crt --hdr se.hdr -o addSecretReq \
--crt DigiCertCA.crt --crt ibm-sign.crt \
--flags disable-dump association "myConfidentialSecret"
The command prevents any dumps from being taken from this Linux® instance.
The command creates an add-secret request and writes it to addSecretReq.
It also creates an identifier for the request, consisting of a hash of the
association string myConfidentialSecret.