Technical overview of Secure Execution for Linux on IBM Z
Protect and isolate workloads from both internal and external threats
Today IBM announced the availability of Secure Execution for IBM Z. Secure Execution is an IBM LinuxONE and Linux on IBM Z exclusive trusted execution environment (TEE) technology that is designed to protect and isolate workloads better than a standard software environment, from both internal and external threats.
As an infrastructure developer, I was interested to learn more about the technology behind this new feature, so I sat down with Jonathan Bradbury, Senior Technical Staff Member at IBM working on Secure Execution, to go through the basics of what Secure Execution actually provides on a technical level.
At its core, a Secure Execution provides a KVM-based virtual machine that is fully isolated and protected from the hypervisor with encryption keys that only the IBM Z hardware and firmware have access to.
In practice, an encrypted Linux image is created using the host public key and a customer-specific key. Since the encryption keys are stored on the IBM Z hardware and firmware, the encrypted image can only be executed in a virtual machine on the host(s) it has been prepared for, and the image can’t be decrypted or tampered with outside of the designated host(s). In addition, your unencrypted virtual machine memory cannot be accessed by the host operating system either.
Applications are then run inside of that virtual machine, allowing the owner of the application to focus on just disk and network data encryption, both of which can be easily handled in userland.
Beyond an on-premises model, the door is also open for integration into your hybrid cloud solution. In an environment where you’re running Kubernetes across platforms, you can also imagine the benefits of exploiting Secure Execution to protect individual containers. This would enable you to protect individual containerized applications, such as sensitive databases and blockchain services, from an off-platform Kubernetes master. In this model, Kubernetes still manages the orchestration of containers, both on x86 and IBM Z, but it has no access to the data inside the Secure Execution environment container.
To learn more about the value that Secure Execution can bring, check out this solution brief.