Skip to Main Content
IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Workspace AIX
Created by Guest
Created on Jun 5, 2023

Improved method to securely verify AIX filesets and install images

Currently, the only way to securely verify AIX filesets is during an install operation with the chsignpolicy command set, but even this requires installing the bos.rte.install and bos.dsc filesets in order to obtain the fileset signatures.

AIX should provide a way to verify the integrity of install/update filesets and images that does not require first installing a fileset that has not been verified itself. Requiring the bos.dsc fileset to be installed first makes things particularly challenging when attempting to verify the integrity of files on a NIM server prior to install.

Something like Red Hat has documented could be ideal:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-updating_packages-verifying_signed_packages

https://www.redhat.com/sysadmin/rpm-gpg-verify-packages

Here, Red Hat signs rpm packages with a GPG private key and then distributes a GPG public key. Users can then verify rpm packages using just the GPG public key and the rpm command itself as the signature information is contained within the individual rpm packages.

Idea priority Medium
  • Guest
    Reply
    |
    Jun 6, 2023

    The process itself should be no more difficult than pulling down a fixpack. When installing the securityfixes LPP should be used, and we should not need to remove the fixes to install then next fixpack, LPP should know how to do this. We should not need to search for what is needed, the fixes should be released on a regular cadence and be and extension of the OS level command rather than the hack that is now.

  • Guest
    Reply
    |
    Jun 5, 2023

    This catch-22 way for downloading and verifying code is really awkward. It is already difficult to validate IBM downloads by checksum or signature for authenticity. Then we get a partial implementation of package signing requiring the installation of untrusted packages BEFORE installing trusted ones? That's as bad as the cksum.bff with VIO updates, advising us to RUN A DOWNLOADED SCRIPT AS ROOT to confirm our software.


    To stand up and be a beacon of best practices and security, IBM should:

    - Make every download come with SHA256/512 hashes and an attached text file of all the hashes, signed by a well known public IBM PGP key.


    - Update LPP to integrate signing into the inventory of each package. The LPP archive should contain it's own list of checksums and a signature against the certificates in /etc/security/cert for validation. If the certificate doesn't match when it should have come from IBM, it should HALT immediately instead of just logging a warning.


    Ultimately I should be able to download an entire service pack from IBM and either verify it on my PC via sha256sum and GPG, or place the files into an LPP_SOURCE on NIM and hit "confirm all packages are valid" without installing or trusting anything from that download.




    1 reply