
AIX new enhancements 7.3 TL04 and review IBM Idea of last year

By Christian Sonnemans posted 8 hours ago


AIX 7.3 TL04 new enhancements:

IBM published the following document on 11 November 2025:

AIX and Availability Enhancements - IBM Documentation

In the description we can read: AIX 7.3 TL4 adds new capabilities designed to increase availability, contribute to workload performance, strengthen security, and leverage open technology for administration efficiency.

Some of those items we discussed during TechXchange 2025 (breakout session 1194): LKU (Live Kernel Update) improvements, LLU (Live Library Update) and other improvements that came along with AIX 7.3 TL03.

In this announcement we can read that LKU is improved again and that LLU will be officially released with TL04. In this blog post I will focus on the security-related items and the LKU / LLU improvements.

Maximize availability and reliability

LKU improvements:

· The LKU blackout time, where applications are suspended, is generally reduced for workload environments with multiple volume groups and 50 or more mounted filesystems. Depending on LPAR configurations, blackout time may be reduced by up to 70% compared to AIX 7.3 TL1.

Of course, I promise to test this again also for smaller LPARs, as soon as I can lay my hands on it.

· Overall, LKU update performance is improved for shorter LKU completion times. Reductions of up to 50% are possible compared to AIX 7.3 TL1.

I have currently tested this with 7.3 TL03 SP1, and for our relatively small LPARs this is already reduced by 50%, so maybe new tests with TL04 will deliver a further improvement. Can't wait to test this!

· The accuracy of LKU estimates for total LKU time and blackout is improved. This would be great, but I suppose it also depends on fluctuations in the CPU load.

· AIX physical volume encryption is now compatible with AIX Live Kernel Update. This would again be a big improvement for security. Similarly, IPsec is now already compatible with LKU.

LLU no longer technical preview but officially released!

· With AIX 7.3 TL4, AIX Live Library Update is now supported for use in production environments. As those of you who followed our session know, we embrace this technology, which saves us the work of restarting programs and processes after an LKU. Short explanation: we can now replace shared libraries while programs are still running and using these shared libraries. And of course, an LLU can be automatically initiated after an LKU takes place.

TE new policy released

· AIX Trusted Execution has been enhanced with a new policy to perform runtime verification of shared object files.

This item is definitely on my test list for TL04. And for the people who followed my blog series about TE (Trusted Execution), the series will be continued with this item (that's a promise for 2026).

Review and progress of last year’s IBM Idea (TE efixes)

https://ideas.ibm.com/ideas/AIX-I-778

What was my mission / goal again?

Why is this so important?

Let me first reiterate what TE is and why, in my opinion, efixes and security patches should also be properly included in the tsd.dat database.

Every executable, script and library that belongs to AIX is recorded in a trusted signature database: /etc/security/tsd/tsd.dat, and for libraries /etc/security/tsd/lib/libtsd.dat.

TE can be used in two modes, passive and active. In passive mode you can verify that no items on your LPAR (files, executables, libraries, scripts) have been tampered with. In active mode you can go further and even block programs from starting if they have been tampered with.

So if your LPAR serves a secure environment, TE is crucial to ensure the health of your system.

If you would like to know more about TE, you can read my earlier blog post about this subject.

What is / was weird:

Most of the time, efixes fix security issues, and the same holds for HIPER (High Impact PERvasive) fixes. It is therefore weird that those fixes are not added with the right properties to the databases (tsd.dat and libtsd.dat).

The problem

After applying an efix (for example a security fix), the TE (Trusted Execution) tsd.dat is modified and the stanzas are replaced with the keyword "VOLATILE". This happens for the binaries (executables) and libraries that were replaced via those efix(es). However, the replaced (temporarily) fixed binaries and libraries are not added to the tsd database with the right cert_tag and/or signature and hash_value for trustchk to verify; they are all replaced with type VOLATILE.

Security risk: after the tsd.dat stanza entries are replaced with type "VOLATILE", the replaced binaries and/or libraries can no longer be verified. In other words, after applying an efix we can no longer prove that the replaced binaries and libraries were created and approved by IBM. Nor can we deliver evidence to our auditors that those binaries and libraries are unchanged and were not modified after installation.
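To make the problem from the two sections above concrete (the tsd.dat stanza format and the VOLATILE stanzas left behind by an efix), here is a small audit script. It is an added example written for this post, not part of AIX or of any IBM tool: it parses a tsd.dat-style file and lists every stanza that trustchk could not verify as IBM-signed, i.e. stanzas of type VOLATILE or stanzas without a cert_tag or signature. The stanza text embedded in the script is a constructed sample with invented values (the cert_tag, signature and hash_value strings are placeholders); on a real LPAR you would feed it /etc/security/tsd/tsd.dat or /etc/security/tsd/lib/libtsd.dat instead.

```sh
#!/bin/sh
# Audit a tsd.dat-style file for stanzas that no longer carry IBM signing evidence.
# Added example for this blog post; not an IBM tool. Works with POSIX sh + awk.
#
# Real locations on AIX (not read by this script as written):
#   /etc/security/tsd/tsd.dat          (executables, scripts, kernel extensions)
#   /etc/security/tsd/lib/libtsd.dat   (shared libraries)
# Usage on a real LPAR:  list_unverifiable < /etc/security/tsd/tsd.dat
# Compare with trustchk's own verification run:  trustchk -n ALL

# Constructed sample resembling the stanza format. All values are invented:
# the cert_tag / signature / hash_value strings are placeholders, not IBM data.
SAMPLE_TSD='/usr/bin/ls:
        owner = bin
        group = bin
        mode = TCB,555
        type = FILE
        size = 17024
        cert_tag = PLACEHOLDER_CERT_TAG_0001
        signature = PLACEHOLDER_SIGNATURE_BASE64==
        hash_value = 0000000000000000000000000000000000000000000000000000000000000001

/usr/sbin/efixed_daemon:
        owner = root
        group = system
        mode = 555
        type = VOLATILE
        size = 45120
        hash_value = 0000000000000000000000000000000000000000000000000000000000000002

/usr/lib/libexample.a:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        size = 8192
        cert_tag = PLACEHOLDER_CERT_TAG_0001
        signature = PLACEHOLDER_SIGNATURE_BASE64==
        hash_value = 0000000000000000000000000000000000000000000000000000000000000003
'

# list_unverifiable: reads stanza text on stdin and prints one path per line
# for every stanza whose type is VOLATILE or that has no cert_tag or signature.
# These are exactly the entries for which trustchk cannot prove IBM provenance.
list_unverifiable() {
    awk '
        # Return the value part of "key = value", trimming surrounding blanks.
        # Only the first "=" splits key from value, so base64 padding survives.
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }

        # Emit the stanza collected so far if it fails the provenance check.
        function flush() {
            if (path != "" && (type == "VOLATILE" || cert == "" || sig == ""))
                print path
            path = ""; type = ""; cert = ""; sig = ""
        }

        # A stanza header is a non-indented line ending in ":" (the file path).
        /^[^ \t].*:$/ { flush(); path = $0; sub(/:$/, "", path); next }

        # Indented attribute lines we care about.
        /^[ \t]+type[ \t]*=/      { type = val($0) }
        /^[ \t]+cert_tag[ \t]*=/  { cert = val($0) }
        /^[ \t]+signature[ \t]*=/ { sig  = val($0) }

        END { flush() }
    '
}

# audit_sample: run the check over the constructed sample above.
audit_sample() {
    printf '%s' "$SAMPLE_TSD" | list_unverifiable
}

# count_unverifiable: number of flagged stanzas in the sample (0 is the goal
# after a fix that carries proper signatures, as the IBM Idea requests).
count_unverifiable() {
    audit_sample | wc -l | tr -d ' '
}

# Stand-alone run: prints the flagged path(s) from the sample.
audit_sample
```

In the sample only /usr/sbin/efixed_daemon is reported: it is the efix-replaced stanza that was rewritten as VOLATILE and lost its cert_tag and signature, while the two untouched stanzas still carry all three provenance fields. Running the same function over a real tsd.dat after an efix gives you the list of files for which you currently cannot show auditors an IBM signature.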

Desired solution: Provide for every efix / hiper the right updates into the tsd.dat database, similar to a normal lpp update.

Progress made this year:

At the beginning of this year, part of my IBM Idea was honored: the right hash values are now added to tsd.dat.

See my comments below:

Hello developers, thank you for addressing the hash value for ifixes, this is already a big improvement.

Work in progress:

See my comments in the same IBM Idea below:

But we would like to see also that the right TSD signatures and cert_tag are correctly used for those security and critical interim fixes. Only this way we prove to our auditors that the fixes were signed and built by IBM.

Trusted Execution is still a perfect way to show to our internal and external auditors that we applied our fixes in a secure and verified manner.

Answer we got was:

We are addressing the size and hash value issue and will ensure that upcoming iFixes are corrected. However, the signature generation and TSD database update changes are not yet committed.

So please VOTE on this IBM Idea: https://ideas.ibm.com/ideas/AIX-I-778

I would like to keep this IBM Idea under the attention of the developers, and therefore I need your help.

Please vote to make this possible, and let's build the most secure platform together!

See also my earlier blog post this year:

https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2025/01/09/aix-patch-management-bullet-proof-almost

Thank you all for reading my blogs.

Any comments are welcome and appreciated!
