Preventing kernel dumps

Use pvsecret create with the --disable-dump option to prevent the hypervisor from creating guest kernel dumps.

About this task

If a secure execution image vendor creates a guest image with dumps enabled, any dumps are encrypted with the vendor's keys. However, a tenant who takes ownership of such a guest might prefer to prevent the hypervisor from dumping that guest by using the --disable-dump option.

You can use the pvsecret create command to create a request that only disables dumping (a meta request), or you can combine the disablement with an add-secret request, for example one that adds an association secret.

You can enhance the security of the disable-dump request with methods that are described in Preventing the misuse of add-secret requests.

Procedure

  • To prevent dumping only, use pvsecret create with a meta secret and pass the --flags disable-dump option. Issue a command of the form:
    # pvsecret create -k <host_key_document> --hdr <secure_execution_header> -o <request_file> \
    --crt <CA_certificate> --crt <IBM_signing_certificate> \
    --flags disable-dump meta
    For example, to use a host-key document z16.crt, a guest header se.hdr, a CA certificate DigiCertCA.crt, and an IBM signing key ibm-sign.crt, issue the following command on a trusted system:
    # pvsecret create -k z16.crt --hdr se.hdr -o addNoDumpReq \
    --crt DigiCertCA.crt --crt ibm-sign.crt \
    --flags disable-dump meta
    The command creates an add-secret request and writes it to addNoDumpReq. Once this request is added to the guest, the hypervisor can no longer take memory dumps of that Linux instance.
  • To prevent dumping and also create an association secret, issue a command of the form:
    # pvsecret create -k <host_key_document> --hdr <secure_execution_header> -o <request_file> \
    --crt <CA_certificate> --crt <IBM_signing_certificate> \
    --flags disable-dump association <string>
    For example, to use a host-key document z16.crt, a guest header se.hdr, a CA certificate DigiCertCA.crt, and an IBM signing key ibm-sign.crt, issue the following command on a trusted system:
    # pvsecret create -k z16.crt --hdr se.hdr -o addSecretReq \
    --crt DigiCertCA.crt --crt ibm-sign.crt \
    --flags disable-dump association "myConfidentialSecret"
    The command creates an add-secret request and writes it to addSecretReq. Once this request is added to the guest, the hypervisor can no longer take dumps of that Linux® instance. The command also creates an identifier for the association secret, which is a hash of the association string myConfidentialSecret.
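The two invocations above differ only in their final subcommand. The following POSIX shell wrapper is an added example and is not part of the original page or of the pvsecret tool; it checks that every input file exists before calling pvsecret create, builds either the meta form or the association form, and refuses to report success unless the request file was actually written. The function name, the PVSECRET_DRY_RUN variable, and the file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page or from s390-tools.
# create_nodump_request HOSTKEY HDR OUT CACERT SIGNCERT [ASSOC_NAME]
#   Builds and runs a `pvsecret create ... --flags disable-dump` request.
#   With an ASSOC_NAME it uses the `association` subcommand, otherwise `meta`.
#   PVSECRET_DRY_RUN=1 (an assumed variable) prints the command instead of
#   running it, so the wrapper can be checked on a system without pvsecret.
create_nodump_request() {
    hostkey=$1; hdr=$2; out=$3; cacert=$4; signcert=$5; assoc=$6

    # A request built from a missing host-key document or certificate is
    # worthless, so fail before invoking the tool.
    for f in "$hostkey" "$hdr" "$cacert" "$signcert"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable input: $f" >&2
            return 1
        fi
    done

    # Assemble the argument list exactly as in the documented command forms.
    set -- -k "$hostkey" --hdr "$hdr" -o "$out" \
           --crt "$cacert" --crt "$signcert" --flags disable-dump
    if [ -n "$assoc" ]; then
        set -- "$@" association "$assoc"
    else
        set -- "$@" meta
    fi

    if [ "${PVSECRET_DRY_RUN:-0}" = 1 ]; then
        printf 'pvsecret create'
        printf ' %s' "$@"
        printf '\n'
        return 0
    fi

    pvsecret create "$@" || return 1

    # The request file is the artifact that is later added to the guest;
    # do not report success if the tool exited 0 but wrote nothing.
    if [ ! -s "$out" ]; then
        echo "request file $out was not written" >&2
        return 1
    fi
    return 0
}

# Usage on a trusted system (file names as in the examples above):
#   create_nodump_request z16.crt se.hdr addNoDumpReq DigiCertCA.crt ibm-sign.crt
#   create_nodump_request z16.crt se.hdr addSecretReq DigiCertCA.crt ibm-sign.crt "myConfidentialSecret"
```

Run the wrapper on the same trusted system on which you would run pvsecret create directly; the dry-run mode only helps to review the command line, it does not validate the host-key document or the certificates.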