New IBM i 7.4 and 7.5 and support for self-encrypting drives (SED) for some NVMe in Power10 machine

    IBM Champion
    Posted Mon March 27, 2023 04:18 AM

    Dear all

    I just stumbled on a new and potentially useful IBM i functional enhancement for self-encrypting drives (SED) for some NVMe in Power10 servers, which was delivered at the end of last year. I guess this function uses the new cryptographic co-processor on the Power10 chip. This means you have no need to use IBM i ASP Encryption on a Power10 machine with the supported NVMe types. You can find all its details under the section named "Password protection for data on NVMe devices - IBM i 7.5 and 7.4" at https://www.ibm.com/support/pages/ibm-i-functional-enhancements-details.

    December 2022 - IBM i 7.5 Technology Refresh 1 and IBM i 7.4 Technology Refresh 7

    Password protection for data on NVMe devices - IBM i 7.5 and 7.4

    All NVMe devices that IBM i currently supports are self-encrypting drives (SED), meaning that the data is encrypted at rest.  However, the key used to encrypt and decrypt the data is not protected, so any "bad actor", once in possession of the device, can access all the data.

    IBM i 7.5 TR 1 and IBM i 7.4 TR 7 add support for password protection of the data on selected NVMe devices on systems with Power10 processor technology. This support protects the data upon loss of power to the device by implementing the Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) specification for storage. By supporting this Opal Storage specification, the device can protect the confidentiality of stored user data against unauthorized access once it leaves the owner's control.

    The system administrator creates a locking policy, and then adds each supported NVMe device to it.  The policy password is stored in the PKS (Platform Keystore), which is managed by PowerVM.  The NVMe device locks itself when there is a main power loss or if PCIe cold resets occur.  IBM i code also locks the device in these scenarios:

    • A DLPAR Remove operation is performed on the device
    • Concurrent Maintenance Power Off is performed on the device
    • The partition is IPLed
    • The NVMe device is reset

    While the NVMe device remains in the partition, restoring power to the device or IPLing the device causes it to automatically unlock itself by using the policy password stored in the PKS.

    The system administrator has a set of IBM i Services and equivalent macros to use to manage the password protection.

    See IBM Documentation Storage Services for more information about these new services:
    1. CREATE_LOCKING_POLICY - Creates a password policy for the LPAR
    2. DELETE_LOCKING_POLICY - Deletes the current password policy, and removes the password protection on all NVMe devices under the policy
    3. ADD_DEVICE_LOCKING_POLICY - Adds an NVMe device to the current password policy
    4. REMOVE_DEVICE_LOCKING_POLICY - Removes password protection from an NVMe device
    5. CHANGE_DEVICE_LOCKING_POLICY - Changes the policy password
    6. UNLOCK_DEVICE - Attempts to unlock an NVMe device
    7. LOCKING_POLICY_INFO - Displays a list of all the NVMe devices in the LPAR with their locking capabilities and state
    8. FACTORY_RESET_DEVICE - Clears all data from the NVMe device, perhaps because the password is not known, so it can be used in an LPAR

    See IBM Documentation NVMe password protection for more information about the equivalent macros.

    The locking policy is partition-wide, so there is one password for the entire LPAR. That single password is used for all NVMe devices that are added to the policy. Once a locking policy is established for an LPAR, any device whose namespace is added to an ASP is also added to the locking policy automatically.

    A system administrator has a limit of 10 unsuccessful attempts to unlock a device before the device must be power-cycled.  After a power cycle, 10 more attempts are granted.

    Supported NVMe feature codes include these disk devices:

    • #ES3A - Enterprise 800 GB SSD PCIe4 NVMe U.2 module for IBM i
    • #ES3C - Enterprise 1.6 TB SSD PCIe4 NVMe U.2 module for IBM i
    • #ES3E - Enterprise 3.2 TB SSD PCIe4 NVMe U.2 module for IBM i
    • #ES3G - Enterprise 6.4 TB SSD PCIe4 NVMe U.2 module for IBM i

    Additional code levels required:

    • FW1030


    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------
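As an added illustration (not IBM's code and not part of the post above), a small Python model of the locking lifecycle the post describes: one partition-wide policy password held in the PKS, devices that lock on the listed events and auto-unlock while they stay in the partition, and a 10-failure limit on manual unlock attempts until the device is power-cycled. All class, method and state names are assumptions of this model, not IBM i identifiers.

```python
"""Toy model of the NVMe Opal locking policy behaviour described in the post.
Constructed illustration only: class, method and state names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_UNLOCK_ATTEMPTS = 10  # limit stated in the post before a power cycle is required


@dataclass
class NvmeDevice:
    name: str
    locked: bool = False
    in_policy: bool = False
    failed_attempts: int = 0

    def lock(self) -> None:
        """Lock on power loss, PCIe cold reset, DLPAR remove, concurrent maintenance
        power off, partition IPL or device reset; only devices in the policy lock."""
        if self.in_policy:
            self.locked = True

    def try_unlock(self, password: str, policy_password: Optional[str]) -> str:
        """Manual unlock attempt (UNLOCK_DEVICE-style); 10 failures then power cycle."""
        if not self.locked:
            return "already-unlocked"
        if self.failed_attempts >= MAX_UNLOCK_ATTEMPTS:
            return "power-cycle-required"
        if policy_password is not None and password == policy_password:
            self.locked, self.failed_attempts = False, 0
            return "unlocked"
        self.failed_attempts += 1
        return "bad-password"


@dataclass
class Partition:
    """One LPAR: a single partition-wide policy password kept in the PKS (modelled)."""
    pks_password: Optional[str] = None
    devices: Dict[str, NvmeDevice] = field(default_factory=dict)

    def create_locking_policy(self, password: str) -> None:
        self.pks_password = password  # one password for the entire LPAR

    def add_device(self, dev: NvmeDevice) -> None:
        dev.in_policy = True
        self.devices[dev.name] = dev

    def power_cycle(self) -> None:
        """Main power loss locks policy devices; restoring power auto-unlocks them
        with the PKS password and grants a fresh set of 10 attempts."""
        for d in self.devices.values():
            d.lock()
            d.failed_attempts = 0
            if d.in_policy and self.pks_password is not None:
                d.locked = False  # automatic unlock while still in the partition

    def dlpar_remove(self, name: str) -> NvmeDevice:
        """DLPAR Remove: the device leaves the partition locked."""
        d = self.devices.pop(name)
        d.lock()
        return d
```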