Secure your cloud workloads with IBM Secure Execution for Linux on IBM z15 and LinuxONE III

Abstract

With the growth of IBM Z and LinuxONE in the cloud, customers are expecting their workloads and data to have the same levels of security, isolation, and privacy as running on-premise. In order to achieve these levels of trust, the IBM z15 and LinuxONE III provide the IBM Secure Execution for Linux facility, which isolates customers’ data from each other, as well as from the cloud administrators. Unlike other solutions in the industry, IBM Secure Execution does not require remote attestation, thus simplifying the deployment of applications into the protected environment. Also, unlike some other solutions in the industry, the integrity of data is protected end-to-end, that is, from the boot image on disk to memory as it is paged by the hypervisor and throughout execution. The isolation and integrity are provided by hardware and trusted firmware known as the ultravisor. In this article, we describe the security model of IBM Secure Execution, the functionality of the hardware and ultravisor, as well as the required changes to the hypervisor in order to support protected virtual machines.