What's new in Linux information for IBM systems
Check here for the latest updates to Linux® information for IBM® systems, as of April, 2024.
IBM Secure Execution for Linux
A KVM guest running in secure execution mode can now use Crypto Express adapters in Enterprise PKCS #11 coprocessor mode or accelerator mode. To protect EP11 secure keys, these keys can be associated with an association secret that is maintained by the ultravisor on behalf of the secure guest. To facilitate this protection, you can now submit secrets to the ultravisor. Learn more...
Important note on verifying Secure Execution host key documents
The certificates for the IBM Z host key signing keys were renewed on the following dates:
- April 24, 2024 for IBM z15® and IBM LinuxONE III
- March 29, 2024 for IBM z16™ and IBM LinuxONE 4.
Due to a requirement from the Certificate Authority (DigiCert), the renewed certificates are equipped with a new Locality value (“Armonk” instead of “Poughkeepsie”). These renewed certificates cause the current versions of the genprotimg, pvattest, and pvsecret tools to fail the verification of host key documents.
The IBM Z® team is preparing updates of the genprotimg, pvattest, and pvsecret tools to accept the new certificates and is working with Linux distribution partners to release the updated tools.
To build new Secure Execution images, attestation requests, or add-secret requests before the updated tools are available in Linux distributions, follow these steps:
Step 1:
Obtain the host key document, the host key signing key certificate, the intermediate certificate from the Certificate Authority, and the list of revoked host keys (CRL):
- For IBM z15 and IBM LinuxONE III, see:
https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen1.html
- For IBM z16 and IBM LinuxONE 4, see:
https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen2.html
Step 2:
Download the script check_hostkeydoc from
https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/samples/check_hostkeydoc
Step 3:
Run the script against the files from Step 1, for example:
# ./check_hostkeydoc HKD1234.crt ibm-z-host-key-signing.crt \
-c DigiCertCA.crt -r ibm-z-host-key.crl
This example verifies the host key document HKD1234.crt using the host key signing key certificate ibm-z-host-key-signing.crt, the intermediate certificate of the Certificate Authority DigiCertCA.crt, and the list of revoked host keys ibm-z-host-key.crl.
After a host key document has been verified with the check_hostkeydoc script, you can call genprotimg, pvattest, or pvsecret with the --no-verify option for that document. Because --no-verify disables the tools' own verification of host key documents, pass only documents that you have verified this way, and verify again whenever you download a new host key document or a new CRL.
For a description about how to manually verify host key documents, see:
https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document
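The following script is an added example, not code from this page, from IBM, or from the s390-tools check_hostkeydoc script. It models the checks that the procedure above has to establish before --no-verify is safe: the host key signing certificate chains to the CA certificate, its subject carries IBM's organization name and one of the two Locality values (Armonk for the renewed certificates, Poughkeepsie for the older ones), and the host key document's own signature verifies with the signing certificate's public key. Because real host key documents cannot be shipped here, the script generates a toy chain with openssl; the CA, subjects, file names and the rogue signer are constructed for the example, and the CRL check of the real script is not modelled.

```shell
#!/bin/bash
# Added example, not code from the IBM page or from s390-tools' check_hostkeydoc.
# Models the checks a host key document must pass before --no-verify is safe,
# on a toy certificate chain generated here with openssl. All names and subjects
# (Toy Root CA, "Host Key Document 1234", the rogue signer) are constructed
# assumptions, not IBM's real certificates. The CRL check is not modelled.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IBM="International Business Machines Corporation"

# Minimal openssl config: an empty DN section (subjects come from -subj) and an
# extension section that marks the toy root as a CA.
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/cnf"

# Self-signed certificate $1.crt (plus key $1.key) with subject $2; extra options in $3.
selfsigned() { openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/cnf" \
    -keyout "$1.key" -out "$1.crt" -subj "$2" ${3:-} 2>/dev/null; }
# Certificate request $1.csr (plus key $1.key) with subject $2.
request() { openssl req -new -newkey rsa:2048 -nodes -config "$WORK/cnf" \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
# Certificate $1.crt from request $2.csr, signed with $3.key under $3.crt using digest $4.
issue() { openssl x509 -req -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 30 "-$4" -out "$1.crt" 2>/dev/null; }

# Toy chain: root CA -> host key signing certificate (Locality $1) -> host key
# document. A rogue self-signed key also signs the document request: a forgery.
make_chain() {
    local d=$WORK
    selfsigned "$d/ca" "/O=Toy CA/CN=Toy Root CA" "-extensions ca_ext"
    request "$d/signing" "/C=US/ST=New York/L=$1/O=$IBM/CN=$IBM"
    issue "$d/signing" "$d/signing" "$d/ca" sha256
    request "$d/hkd" "/O=$IBM/CN=Host Key Document 1234"
    issue "$d/hkd" "$d/hkd" "$d/signing" sha512
    selfsigned "$d/rogue" "/O=Rogue/CN=Rogue signer"
    issue "$d/forged" "$d/hkd" "$d/rogue" sha512
}

# Check 1: the signing certificate $2 chains to the CA certificate $1. (The real
# check adds -crl_check with the CRL from Step 1 so that revoked keys are rejected.)
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: the subject of the signing certificate. O must be IBM's, and L must
# be Armonk (renewed certificates) or Poughkeepsie (the older ones).
subject_ok() {
    local subj
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline)
    [ "$(printf '%s\n' "$subj" | sed -n 's/^ *O=//p')" = "$IBM" ] || return 1
    case "$(printf '%s\n' "$subj" | sed -n 's/^ *L=//p')" in
        Armonk|Poughkeepsie) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 3: the signature on document $1, verified with the public key of signing
# certificate $2. openssl verify is not used here because the signing certificate
# is not a CA certificate, so the DER is taken apart instead: a certificate is
# SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue BIT STRING }, and
# openssl asn1parse reports offset, header length and length of each element.
asn1_field() { sed -E 's/^ *([0-9]+):d=[0-9]+ +hl=([0-9]+) +l= *([0-9]+).*/\1 \2 \3/'; }
signature_ok() {
    local d=$WORK off hl len
    openssl x509 -in "$1" -outform DER -out "$d/hkd.der"
    openssl x509 -in "$2" -pubkey -noout > "$d/signer.pub"
    # Second asn1parse line is tbsCertificate; copy header plus content.
    read -r off hl len < <(openssl asn1parse -inform DER -in "$d/hkd.der" | sed -n 2p | asn1_field)
    dd if="$d/hkd.der" of="$d/tbs.der" bs=1 skip="$off" count=$((hl + len)) 2>/dev/null
    # Last line is the signature BIT STRING; skip its header and the "unused bits" byte.
    read -r off hl len < <(openssl asn1parse -inform DER -in "$d/hkd.der" | tail -n 1 | asn1_field)
    dd if="$d/hkd.der" of="$d/sig.bin" bs=1 skip=$((off + hl + 1)) count=$((len - 1)) 2>/dev/null
    openssl dgst -sha512 -verify "$d/signer.pub" -signature "$d/sig.bin" "$d/tbs.der" >/dev/null 2>&1
}

make_chain Armonk
chain_ok "$WORK/ca.crt" "$WORK/signing.crt" && echo "signing certificate: chains to CA"
subject_ok "$WORK/signing.crt" && echo "signing certificate: subject accepted (L=Armonk)"
signature_ok "$WORK/hkd.crt" "$WORK/signing.crt" && echo "host key document: signature OK"
signature_ok "$WORK/forged.crt" "$WORK/signing.crt" || echo "forged document: rejected"
```

The forged document is the same request signed by an unrelated key, which is what a substituted host key document looks like to the tools: it parses, its subject is plausible, and only the signature check against the genuine signing certificate catches it. Check 2 is the one the renewed certificates trip in the current tools; accepting both Locality values is the adjustment the updated tools make.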
libica 4.3
libica version 4.3 provides a new FIPS mode function to allow an external GCM initialization vector in FIPS mode. Learn more...
Linux kernel 6.6 - Using the Dump Tools
You can now use ECKD DASDs for list-directed dumps of the memory of an LPAR. The standalone DASD dump tool now automatically compresses a CCW-type DASD dump. Learn more...
libzpc - A Protected-Key Cryptographic Library
libzpc version 1.2 provides new function APIs for supporting multi-part operations for AES XTS and AES CBC operations and a new function API for creating an internal initialization vector for AES GCM operations. Learn more...
Linux kernel 6.6 - Device Drivers, Features, and Commands
With the new lspai command, you can now display PAI cryptographic counters. The zipl command has a new option that suppresses the automatic compression of CCW-type DASD dumps. You can now control the DASD autoquiesce feature with new sysfs attributes. The lszcrypt and chzcrypt commands have been updated to improve handling of KVM guests running in secure-execution mode. Learn more...
How to set up IBM Event Streams with MongoDB on IBM Z
This guide describes in detail how to set up IBM Event Streams by using IBM Cloud® Pak for Integration, and walks through a real-time scenario that transfers data between two MongoDB databases with Kafka Connect and connectors. Learn more...
SMC-D via ISM pass-through performance evaluation for KVM guests on IBM Z
This study compares two network interconnect solutions for KVM guests within a CPC running on IBM Z® and IBM® LinuxONE. The conventional HiperSockets technology via MacVTap is compared with a new approach that passes Internal Shared Memory (ISM) devices through to the guests and uses the Shared Memory Communications - Direct Memory Access (SMC-D) protocol. Learn more...
Secure Key Solution with the Common Cryptographic Architecture: Application Programmer's Guide 8.1
With release 8.1, CCA supports SHA-3 hash algorithms, with the option to forward SHA-3 requests to the CPACF on IBM z14® or later systems. CCA 8.1 also offers enhancements for the use of TR-31 key blocks. In addition, a new combined key storage (CMB) is available, which is designed to store all available key types. Learn more...
Secure boot
A new publication describes the use of secure boot on Linux on IBM Z and IBM LinuxONE. Learn about the benefits of secure boot, how to set up a Linux instance to use secure boot, how to manage certificates, and how to sign boot files and modules with your private signing keys. Learn more...
openCryptoki - An Open Source Implementation of PKCS #11, version 3.18 - 3.22
Versions 3.18 to 3.22 of openCryptoki provide multiple enhancements, including support for the quantum-safe algorithms Dilithium (Round 2 and Round 3 variants) and Kyber (Round 2), a new utility, pkcshsm_mk_change, for changing (rolling) master keys while applications that use the CCA token or the EP11 token are running, and an option to restrict the use of mechanisms and keys through a global policy. Learn more...
Using the Dump Tools on Red Hat Enterprise Linux 9.2 on IBM Z
The zgetdump command can now handle the encrypted dumps of KVM guests in IBM® Secure Execution mode. Learn more...
Device Drivers, Features, and Commands on SUSE Linux Enterprise Server 15 SP5 on IBM Z
IBM specific documentation for SUSE Linux Enterprise Server 15 SP5 is available. Enhancements for KVM on IBM Z® include persistent configurations for VFIO mediated devices and sharing of host file system branches with KVM guests. Hotplug support is now available for AP queues in KVM guests. For SCSI boot devices, new sections describe how to use the HMC Web Services API to boot Linux in LPAR mode and in a DPM partition, and how to boot Linux in a DPM partition using the HMC GUI. Learn more...
Using the Dump Tools on SUSE Linux Enterprise Server 15 SP5 on IBM Z
You can now use NVMe disks as dump devices. This edition describes DPM partition dump and using the HMC API through the zhmc command for SCSI dump devices. The zgetdump command can now handle the encrypted dumps of KVM guests in IBM® Secure Execution mode. Learn more...
Device Drivers, Features, and Commands on Red Hat Enterprise Linux 9.2 on IBM Z
IBM specific documentation for Red Hat® Enterprise Linux 9.2 is available. You can now use the CPU Processor Activity Instrumentation Facility that was introduced with IBM z16 and IBM LinuxONE 4 to obtain counter data for specific cryptographic and analytic instructions. Linux boot and device configurations now support site-specific extensions and overrides that are selected when initiating the IPL process. The DASD device driver can now handle devices with copy-pair relations. Automatic recovery and an enhanced zpcictl command help you to manage malfunctioning PCI devices. Learn more...