This blog begins to describe how IBM PowerVM systems use strong encryption to ensure that only IBM firmware can be loaded onto PowerVM Systems. This ensures that only firmware written by and cryptographically signed by IBM can ever reside and run on PowerVM Systems. This blog also describes the international certifications and independent security audits which attest that the methods used to protect the firmware meet the established evaluation assurance levels.
Introduction
Power Systems firmware load protection prevents malicious non-IBM firmware from being installed and loaded onto Power hardware. All PowerVM firmware, including hypervisor code is built solely by IBM and cryptographically hashed and signed by IBM.Prior to installing or updating firmware code, the Power Flexible Service Processor (FSP) firmware cryptographically confirms the hash and digital signature of each code image as it is loaded into flash. An additional data integrity check (CRC) is performed against known values in headers on every system Initial Program Load for both the Power hypervisor and Power FSP firmware. This integrity check must successfully match before the load completes and the system begins normal operations.The flash update process provides cryptographic protection that every byte and bit of the Power firmware and hypervisor is known and trusted when stored in flash. If a single bit is altered, the load or update is prevented. The Power firmware signing and verification process are compliant with NIST
SP800-131A [i]. Power security features have a Common Criteria certification. In addition, the firmware update process is tested as a part of Common Criteria evaluations.
Additional evaluations, such as evaluations against Operating System Protection Profiles, are performed over time. For example, Red Hat Enterprise Linux (RHEL) 7.1 is in Common Criteria evaluation to the Operating System Protection Profile at an EAL4+ level for Power 8 processors with PowerVM and PowerKVM execution environments [iii].
Common Criteria Certified
The Common Criteria for IT Security Evaluation define standardized sets of IT product security requirements and provide assurance that the security measures the products implement actually meet the stated requirements [iv]. Independent auditors evaluate product design, code, and life cycle and test security claims. The Common Criteria Recognition Arrangement (CCRA) is an international agreement that codifies mutual recognition of evaluations among its signatories, with an ever-expanding list of participating countries [v]. ISO/IEC 15408 is the international Common Criteria standard.
The Common Criteria are used as the basis for government certification and accreditation programs and typically evaluations are conducted for the use of government agencies. However, other security-sensitive industries such as the financial and healthcare sectors rely on the Common Criteria to provide the only objective security assessments that most IT products ever receive.
Virtual Trusted Platform Module
Beyond the firmware and hypervisor, Power systems also use cryptographic measures to protect guest OS boot images. Power Systems running PowerVM support a vTPM (virtual Trusted Platform Module), which is a virtualized implementation of the Trusted Platform Module (TPM), an industry standardized security technology from the Trusted Computing Group [vi]. The vTPM attests that the guest Operating System (AIX) boots from a trusted, unaltered boot image. This technology is based on strong cryptography, which attests that the AIX kernel and OS components are all known and trusted. The Linux kernel also includes support for the PowerVM vTPM.
Additional virtualization security services have been implemented for Power environments [vii]
References
[vii] Mission-Critical Virtualization Security for Today's Workloads
Contacting the PowerVM Team
Have questions for the PowerVM team or want to learn more? Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions
#PowerVM#powervmblog#powervmsecurity