AIX 7.3 TL04: Deep Dive into Live Update, Security Enhancements, and Trusted Execution Advances

By Nawaf Alsabah posted 2 days ago


Introduction:

With the release of AIX 7.3 TL04, IBM continues to refine the platform’s commitment to high availability, security hardening, and operational resilience. This Technology Level introduces advancements in Live Kernel Update (LKU), officially launches Live Library Update (LLU) for production use, and expands the capabilities of Trusted Execution (TE). In this blog post, I will walk through the key enhancements delivered in TL04, highlight their practical implications, and revisit ongoing improvements around Trusted Execution integrity management.

-----------

1. Enhanced Availability Through Live Update Technologies

LKU (Live Kernel Update) Improvements

IBM’s documentation describes multiple refinements introduced in TL04 designed to minimize disruption during kernel updates:

  • Up to 70% reduction in blackout time
    Systems with several volume groups and many mounted filesystems will see significantly shorter suspension periods during LKU.

  • Up to 50% faster LKU completion times
    These gains build upon the improvements already observed in 7.3 TL03 SP1, where small LPARs experienced ~50% shorter update durations.

  • More accurate estimation of LKU timelines
    Improved algorithmic predictions provide more reliable expectations for both total update and blackout durations — valuable for teams required to schedule maintenance windows precisely.

  • Full compatibility with AIX Physical Volume Encryption
    This is a major security improvement, allowing encrypted systems to benefit from LKU without imposed downtime or special procedures.

These enhancements continue to position Live Update as a transformative capability for organizations that cannot tolerate service interruptions.

Source:
IBM AIX 7.3 Documentation

-----------

2. LLU (Live Library Update) — Now Ready for Production

After years of refinement and preview availability, AIX Live Library Update (LLU) is now officially supported in production environments.

LLU enables:

  • Replacing shared libraries while applications continue running

  • Reducing the need to restart long-running services

  • Automatically chaining LLU after an LKU cycle

This capability is particularly beneficial for environments implementing rolling patch strategies or stringent uptime requirements, and significantly reduces traditional post-update housekeeping.

Source:
IBM Live Update Technologies

-----------

3. Trusted Execution Enhancements — New Runtime Verification Policy

Security receives meaningful advancements in TL04 with a new Trusted Execution (TE) policy enabling runtime verification of shared object files.

This enhancement strengthens:

  • Integrity validation

  • Runtime protection from tampered libraries

  • Compliance reporting for secure environments

For organizations operating in regulated sectors, this new feature provides a higher degree of runtime assurance.

-----------

4. Revisiting IBM Idea AIX-I-778 — Progress on TSD Database Integrity

The Trusted Signature Database (tsd.dat) plays a central role in maintaining system integrity under TE. However, a long-standing issue is that efix and HIPER updates replace verified entries with entries of type VOLATILE, without restoring the proper signatures or cert_tags.

Why this matters

After applying temporary fixes:

  • Replaced binaries/libraries cannot be cryptographically verified
  • Integrity checks become incomplete
  • Auditors cannot validate that patched components originated from IBM

This is especially problematic because efixes are typically security fixes, where integrity assurance is critical.

Progress made this year

IBM implemented partial improvements:

  • Correct hash values are now added to tsd.dat during efix installation

This is an important step toward restoring verification guarantees.

Remaining gaps

  • Missing TSD signatures
  • Missing cert_tag metadata

Until these are addressed, TE cannot offer complete trust validation after interim fixes.
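The gap described above can be checked for directly rather than discovered during an audit. The script below is an added example, not code from this blog post or from IBM: it parses a tsd.dat and reports every entry that is marked VOLATILE or carries an empty or absent signature or cert_tag, so that after an efix an administrator can list exactly which components TE can no longer cryptographically verify. It assumes the stanza layout "path:" followed by indented "key = value" lines (an assumption to confirm against your own /etc/security/tsd/tsd.dat), and the database it runs on is a constructed sample with placeholder hex values.

```shell
#!/bin/sh
# Added example (not from the blog post or IBM): audit a Trusted Signature
# Database for entries that Trusted Execution cannot fully verify after an
# efix, i.e. stanzas whose type is VOLATILE or whose signature / cert_tag is
# empty or absent. On AIX the live file is /etc/security/tsd/tsd.dat; the
# stanza layout assumed here ("path:" then indented "key = value" lines) is
# an assumption to check against your own copy.

# Constructed sample tsd.dat (not real data): /usr/bin/ls and /usr/sbin/ps are
# fully signed; /usr/lib/libc.a looks like an efix-replaced entry (VOLATILE,
# empty signature and cert_tag); /usr/bin/vi has a signature but no cert_tag.
# Hex values are shortened placeholders.
SAMPLE_TSD='/usr/bin/ls:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        size = 22196
        cert_tag = 00aabbccddeeff0011
        signature = 3a9c0d77e1
        hash_value = 5f1e90ab
/usr/lib/libc.a:
        owner = bin
        group = bin
        mode = 555
        type = VOLATILE
        size = 9912300
        cert_tag =
        signature =
        hash_value = 0c44d218
/usr/sbin/ps:
        owner = bin
        group = system
        mode = TCB,SUID,555
        type = FILE
        size = 1179812
        cert_tag = 00aabbccddeeff0011
        signature = 8bd1f03c22
        hash_value = c5b7a6e4
/usr/bin/vi:
        owner = bin
        group = bin
        mode = 555
        type = FILE
        size = 544240
        signature = 77e04b19aa
        hash_value = 1a2b3c4d
'

# audit_tsd: read tsd.dat text on stdin, print one "path<TAB>reasons" line for
# every stanza that cannot be cryptographically verified. Reasons are a
# comma-separated list drawn from type=VOLATILE, no-signature, no-cert_tag.
audit_tsd() {
    awk '
    function add(r) { reasons = (reasons == "" ? r : reasons "," r) }
    function flush() {
        if (path == "") return
        reasons = ""
        if (ftype == "VOLATILE") add("type=VOLATILE")
        if (sig == "")           add("no-signature")
        if (tag == "")           add("no-cert_tag")
        if (reasons != "") printf "%s\t%s\n", path, reasons
    }
    # A stanza header is an unindented line ending in ":"; strip the colon.
    /^[^ \t].*:$/ {
        flush()
        path = substr($0, 1, length($0) - 1)
        ftype = ""; sig = ""; tag = ""
        next
    }
    # Attribute lines: "key = value"; a missing value leaves the field empty.
    index($0, "=") > 0 {
        n = index($0, "=")
        key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
        val = substr($0, n + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "type")      ftype = val
        if (key == "signature") sig = val
        if (key == "cert_tag")  tag = val
    }
    END { flush() }
    '
}

# count_unverifiable: same input as audit_tsd, prints the number of flagged
# stanzas (useful as a post-efix gate or a monitoring threshold).
count_unverifiable() {
    audit_tsd | awk 'END { print NR }'
}

# Stand-alone demo on the constructed sample; on a live system run
#   audit_tsd < /etc/security/tsd/tsd.dat
printf '%s' "$SAMPLE_TSD" | audit_tsd
```

Run against the sample, the script flags /usr/lib/libc.a (VOLATILE, no signature, no cert_tag) and /usr/bin/vi (no cert_tag) and stays silent on the fully signed entries. On a live system, a non-zero count immediately after an efix installation is the concrete symptom this section describes: hashes may now be present, but without a signature and cert_tag the entry still cannot prove the binary came from IBM. The script complements, rather than replaces, the system's own trustchk checks, which verify file contents against the database but do not by themselves summarise which entries lack signing metadata.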

Call to action

To help prioritize completion of this fix, please vote on the idea:

https://ideas.ibm.com/ideas/AIX-I-778

Strengthening TE for efixes benefits the entire AIX community and helps ensure long-term security trust.

-----------

5. Related Reading

AIX Patch Management – Bullet Proof (Almost)
https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2025/01/09/aix-patch-management-bullet-proof-almost

-----------

Conclusion

AIX 7.3 TL04 delivers meaningful progress on multiple fronts:

  • Reduced downtime through improved LKU and LLU

  • Stronger runtime security with enhanced Trusted Execution

  • More consistent and predictable update processes

  • Greater integration of security with availability technologies

These enhancements reinforce AIX as a resilient enterprise platform designed for mission-critical workloads.

If you are experimenting with TL04 or benchmarking LKU/LLU under different workload profiles, I would be glad to exchange results and discuss findings.
