IBM Support

VM65993: NEW FUNCTION : ENCRYPTED PAGING FOR Z/VM

A fix is available

APAR status

  • Closed as new function.

Error description

  • Provide support for encryption of data as it is moved between
    active memory and a paging volume owned by z/VM.
    Encrypted paging is exclusive to the IBM z14.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of z/VM running on IBM z14         *
    *                 hardware.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    This PTF implements New Function in the z/VM Control Program to
    allow for the encryption and decryption of guest data as it
    moves to and from paging volumes owned by CP.
    

Problem conclusion

Temporary fix

Comments

  • This APAR allows z/VM 6.4 to enable encryption of guest page
    data when running on the IBM z14 (D/T3906).  This APAR
    improves system security by making customer data defensible
    from attack or breach of volumes, even in cases where a system
    administrator has unintended access to those volumes. When
    enabled, guest data will be ciphered as it moves from active
    memory onto a paging volume owned by CP (ECKD, SCSI, or native
    FBA). This support will be limited to guest pages (in primary
    host address spaces and VM data spaces) and VDISK pages written
    by the CP Paging subsystem to paging extents (or when paging
    space has been exhausted, to spool extents).
    
    A new configuration statement and a new command have been added
    to let the user control how this new support functions on the
    system. The ENCRYPT PAGING configuration statement sets the
    encryption capability to one of three values (ON, OFF, or REQUIRED).
    This setting may be adjusted later through the new CP SET
    ENCRYPT command.  NOTE: If REQUIRED is specified for a system
    missing IBM z14 Feature 3863 (CPACF), the system will enter a
    disabled wait-state.  The REQUIRED option is provided for
    regulatory compliance and should be used cautiously, as there
    is no work-around for it.  It is recommended that the ON option
    be used when testing workloads with this new capability.
    Additionally, it is recommended that back-up system
    configuration files be kept locally to boot such systems during
    emergencies or in DR scenarios. For information about managing a
    system with encryption, refer to z/VM CP Planning And
    Administration, section entitled "Pervasive Encryption for
    z/VM".
    
    The encryption algorithm may be selected the first time
    encryption is enabled for PAGING. This may happen during system
    IPL or via the CP SET ENCRYPT command. Once set, the encryption
    algorithm may not be changed without a system IPL.  (If
    encrypted paging is disabled and re-enabled, the same algorithm
    will be in effect.) The available algorithms are AES128, AES192,
    and AES256 (default) in Cipher Block Chaining (CBC) mode. The
    strength of the algorithm may have implications on the
    performance of guest workload.  Refer to z/VM Performance,
    section entitled "Major Factors Affecting Performance" for more
    information.
    
    For more information about the CP SET ENCRYPT and CP QUERY
    ENCRYPT commands introduced in this APAR, refer to "z/VM CP
    Commands and Utilities Reference".
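
An added example, not IBM's code: a small Python audit of a system configuration file for the ENCRYPT PAGING statement described above, reporting the settings and caveats this APAR text names. The sample configuration is constructed, the `ALGORITHM` operand spelling in it is an assumption (the page names only the values), and `has_cpacf` is a hypothetical input supplied by the caller.

```python
import re

MODES = {"ON", "OFF", "REQUIRED"}            # settings named in the APAR text
ALGORITHMS = {"AES128", "AES192", "AES256"}  # CBC-mode choices named in the APAR text
DEFAULT_ALGORITHM = "AES256"                 # default per the APAR text

# Constructed sample input; the ALGORITHM operand spelling is an assumption.
SAMPLE_CONFIG = """\
/* Paging encryption policy */
Encrypt Paging Required Algorithm AES192
"""

def audit_encrypt_paging(config_text, has_cpacf):
    """Return (mode, algorithm, findings) for ENCRYPT PAGING in config_text."""
    text = re.sub(r"/\*.*?\*/", " ", config_text, flags=re.S)  # drop /* */ comments
    stmts = [w for w in (ln.upper().split() for ln in text.splitlines())
             if w[:2] == ["ENCRYPT", "PAGING"]]
    if not stmts:
        return None, None, ["no ENCRYPT PAGING statement in this file"]
    findings = []
    if len(stmts) > 1:
        findings.append("multiple ENCRYPT PAGING statements; auditing the last one")
    words = stmts[-1]
    mode = words[2] if len(words) > 2 else ""
    if mode not in MODES:
        return None, None, findings + [f"invalid setting {mode!r}; expected ON, OFF or REQUIRED"]
    # Any AES* token after the setting is treated as the algorithm choice.
    named = [w for w in words[3:] if w.startswith("AES")]
    algorithm = named[0] if named else DEFAULT_ALGORITHM
    if mode == "OFF":
        findings.append("guest pages reach paging volumes unencrypted")
    elif mode == "REQUIRED" and not has_cpacf:
        findings.append("REQUIRED without CPACF (Feature 3863): disabled wait state")
    elif mode == "REQUIRED":
        findings.append("REQUIRED has no work-around: keep a backup system configuration file")
    if algorithm not in ALGORITHMS:
        findings.append(f"unknown algorithm {algorithm!r}")
    elif mode != "OFF":
        findings.append(f"{algorithm} stays in effect until the next IPL")
    return mode, algorithm, findings

if __name__ == "__main__":
    for cpacf in (True, False):
        print(cpacf, audit_encrypt_paging(SAMPLE_CONFIG, has_cpacf=cpacf))
```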
    

APAR Information

  • APAR number

    VM65993

  • Reported component name

    VM CP

  • Reported component ID

    568411202

  • Reported release

    640

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2017-02-07

  • Closed date

    2017-12-05

  • Last modified date

    2018-12-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM35256 UM35257

Modules/Macros

  • CBITABLE CPLOAD   CPQUERY  CPSET    ENCRYPT  HCPALG   HCPASATE
    HCPBSC   HCPBSI   HCPBSM   HCPCBI   HCPCLD   HCPCLS   HCPENC
    HCPENCBK HCPFRMTE HCPFST   HCPHAM   HCPHPC   HCPHSU   HCPHTU
    HCPHTV   HCPIIO   HCPKRY   HCPKRYPT HCPKYM   HCPKYMGR HCPKYSBK
    HCPMDLAT HCPMES   HCPMESA  HCPMESB  HCPMOM   HCPMONEQ HCPMOT
    HCPMPS   HCPMSM   HCPMXF   HCPMXRBK HCPOM1   HCPOM2   HCPPAF
    HCPPAG   HCPPAH   HCPPAI   HCPPAU   HCPPFR   HCPPGT   HCPPGV
    HCPPLP   HCPPLSBK HCPPPI   HCPPPR   HCPPTA   HCPQUY   HCPRLB
    HCPRLT   HCPRP    HCPSCFBK HCPSET   HCPSYC   HCPSYS   HCPSYSCM
    HCPSZK   HCPSZL   HCPVMDBK HCPVPGBK HCPZSC   HCP1137E HCP1139I
    HCP1390E HCP1391E HCP1392E HCP1393W HCP1394I HCP1395W HCP2768E
    HCP6706E HCWAI8   HCWA12   IPLPARMS MRMTRENC MRMTRSYS MRSTORSP
    

Publications Referenced
SC24617511 SC24617812 GC24617710 SC24623303 SC24620809
GC24620112        

Fix information

  • Fixed component name

    VM CP

  • Fixed component ID

    568411202

Applicable component levels

  • RA64 PSY UM34768

       UP18/12/14 P 1802

  • R640 PSY UM35257

       UP17/12/11 P 1802

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/VM family

Software version: 640

Operating system(s): z/VM

Reference #: VM65993

Modified date: 14 December 2018