Many IT organizations require antivirus or similar protections, such as File Integrity Monitoring, on critical infrastructure as a matter of routine security and compliance policy. In the AIX space, IBM's recommended solution (as stated many times by security experts representing IBM at TechU, etc.) is Trusted Execution, ideally in tandem with PowerSC for additional configuration compliance checking and real-time alerting. While VIOS by design is more of a black box, it is nonetheless built on AIX and subject to the same kinds of risk as other AIX servers, and it is of course highly critical to the proper function of a PowerVM environment.
It is our opinion - and the recommendation of IBM Lab Services security experts we've spoken to - that VIO servers absolutely should be monitored with Trusted Execution, with at least as much urgency as AIX. The filesets and Trusted Signature Database (TSD) already come as part of the VIOS image (albeit with a number of mismatched signatures that require cleanup). However, we have been told that, per the VIOS architects, Trusted Execution is not supported, i.e. the "trustchk" command that is the heart of this tool is not in the list of supported administrative commands (https://www.ibm.com/docs/en/power9?topic=server-alphabetical-list-commands) and Support will not provide assistance with it. They did indicate that this is "being evaluated" and that an RFE would assist, so we are logging this to encourage that they do, indeed, add Trusted Execution support.
At the very least, please:
Allow use of the trustchk command for validation and monitoring of critical files (with enforcement disabled). Add this command to the supported list and allow customers to obtain assistance with the command from VIOS Support.
Correct entries in the TSD that do not currently match the fingerprint of existing files provided in the VIOS image (i.e. "trustchk -n all" should report no errors on a clean fresh install of VIOS from IBM-provided media).
Require future development to apply the same discipline as with AIX to ensure the TSD is updated whenever changes are made that affect critical file fingerprints in future fixpacks, so that a VIO Server patched through supported means continues to report no trustchk mismatches.
Ideally, provide full support for Trusted Execution (including with all enforcement options enabled). Because the VIOS build is generally locked down and should rarely, if ever, have third-party software installed, it should be much easier to enable blocking of untrusted binaries, scripts, libraries, and kernel extensions on VIOS than on a typical customer AIX system, which would greatly enhance VIOS security against any possible intrusion - so long as the TSD is kept current whenever fixes are delivered.
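As an added example (not part of this request and not IBM code), the following POSIX shell script shows how the check-only use of trustchk asked for above could be turned into a scheduled integrity monitor: it runs "trustchk -n all", counts failed attribute checks, and compares the failing paths against an accepted baseline so that the mismatched signatures already shipped in the VIOS image do not drown out new deviations. Assumptions: the one-per-line message format "trustchk: Verification of attributes failed: <path> : <attribute>" that the parser expects, the constructed sample output, and the default baseline path; confirm the message format on your own system before relying on the parser. The policy names in the trailing comment are the AIX Trusted Execution policies; whether they can be enabled on VIOS is exactly what the last point of this request asks IBM to support.

```shell
#!/bin/sh
# Added example: check-only Trusted Execution monitor around "trustchk -n all"
# (enforcement disabled). Not IBM code. On VIOS, trustchk is reached from the
# AIX root shell (oem_setup_env), not from the padmin restricted shell.
#
# ASSUMPTION: failed checks are reported one per line in the form
#   trustchk: Verification of attributes failed: <path> : <attribute>
# Verify this against real output before trusting the parser.

# Constructed sample output (not captured from a real system), used for dry
# runs: two attributes fail on one file, one attribute on another.
SAMPLE_OUTPUT='trustchk: Verification of attributes failed: /usr/bin/ls : hash
trustchk: Verification of attributes failed: /usr/bin/ls : size
trustchk: Verification of attributes failed: /usr/sbin/sshd : hash'

# count_mismatches: read trustchk output on stdin, print the number of failed
# attribute checks (a file with several bad attributes counts once per line).
count_mismatches() {
    awk '/Verification of attributes failed/ { n++ } END { print n + 0 }'
}

# list_mismatched_paths: read trustchk output on stdin, print each failing
# path once. With whitespace splitting the path is field 6 of the message.
list_mismatched_paths() {
    awk '/Verification of attributes failed/ { print $6 }' | sort -u
}

# new_mismatches BASELINE: read a path list on stdin and print only the paths
# that are NOT listed in BASELINE (one accepted path per line). The baseline
# holds the TSD entries known to be wrong in the shipped image, so only
# previously unseen deviations are reported.
new_mismatches() {
    baseline=$1
    current=$(mktemp) || return 2
    sort -u > "$current"
    sort -u "$baseline" | comm -13 - "$current"
    rm -f "$current"
}

# run_check [BASELINE]: run trustchk in check-only mode and report.
# Return status: 0 = no new mismatches, 1 = new mismatches found,
# 2 = trustchk unavailable (not on PATH, or not running in the root shell).
run_check() {
    baseline=${1:-/etc/security/trustchk-baseline.txt}   # assumed path
    [ -f "$baseline" ] || baseline=/dev/null             # no baseline: report everything
    if ! command -v trustchk >/dev/null 2>&1; then
        echo "trustchk not found; run from the AIX root shell (oem_setup_env)" >&2
        return 2
    fi
    output=$(trustchk -n all 2>&1)
    total=$(printf '%s\n' "$output" | count_mismatches)
    fresh=$(printf '%s\n' "$output" | list_mismatched_paths | new_mismatches "$baseline")
    echo "trustchk -n all: $total failed attribute checks"
    if [ -n "$fresh" ]; then
        echo "NEW mismatches not in baseline:"
        printf '%s\n' "$fresh"
        return 1
    fi
    return 0
}

# Full enforcement, if IBM supports it on VIOS as requested above, would use the
# AIX Trusted Execution policies (reference only, deliberately not executed):
#   trustchk -p TE=ON CHKEXEC=ON CHKSHLIB=ON CHKSCRIPT=ON CHKKEXT=ON STOP_UNTRUSTD=ON

# Invoke as "./te-monitor.sh --run [baseline]" from cron after oem_setup_env.
if [ "${1:-}" = "--run" ]; then
    run_check "${2:-}"
    exit $?
fi
```

Run it once on a freshly installed VIOS, review the reported paths, and save the ones you accept as the baseline; from then on a non-zero status from the cron job means a file changed after the baseline was taken, which is the condition a fixpack that forgot to update the TSD (or a real intrusion) would produce.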