IBM Power Ideas Portal

Status: Future consideration
Workspace: PowerVM VIOS
Created by: Guest
Created on: May 9, 2022

Support for Trusted Execution in VIOS

Many IT organizations require antivirus or similar protections, such as File Integrity Monitoring, on critical infrastructure as a matter of routine security and compliance policy. In the AIX space, IBM's recommended solution (as stated many times by security experts representing IBM at TechU, etc.) is Trusted Execution, ideally in tandem with PowerSC for additional configuration compliance checking and real-time alerting. While VIOS by design is more of a black box, it is nonetheless built on AIX and subject to similar risks as other AIX servers, and is of course highly critical to the proper function of a PowerVM environment.

It is our opinion - and the recommendation of IBM Lab Services security experts we've spoken to - that VIO servers absolutely should be monitored with Trusted Execution, with at least as much urgency as AIX. The filesets and Trusted Signature Database already come as part of the VIOS image (albeit with a number of mismatched signatures that require cleanup). However, we have been told that, per VIOS Architects, Trusted Execution is not supported, i.e. the "trustchk" command that is the heart of this tool is not in the list of supported administrative commands (https://www.ibm.com/docs/en/power9?topic=server-alphabetical-list-commands) and that Support will not provide assistance with it. They did indicate that this is "being evaluated" and that an RFE would assist, so we are logging this to encourage that they do, indeed, add Trusted Execution support.


At the very least, please:

  1. Allow use of the trustchk command for validation and monitoring of critical files (with enforcement disabled). Add this command to the supported list and allow customers to obtain assistance with the command from VIOS Support.

  2. Correct entries in the TSD that do not currently match the fingerprint of existing files provided in the VIOS image (i.e. "trustchk -n all" should report no errors on a clean fresh install of VIOS from IBM-provided media).

  3. Require future development to apply the same discipline as with AIX to ensure the TSD is updated whenever changes are made that affect critical file fingerprints in future fixpacks, so that a VIO Server patched through supported means continues to report no trustchk mismatches.

Ideally, provide full support for Trusted Execution (including with all enforcement options enabled). As the VIOS build is generally locked down and rarely if ever should have third-party software installed, it should be much easier to enable blocking of untrusted binaries, scripts, libraries, and kernel extensions in VIOS than in a typical customer AIX system, which would greatly enhance VIOS security against any possible intrusion - so long as the TSD is kept current whenever fixes are delivered.

Idea priority High
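The three states the idea describes (a clean install that reports no mismatches, a fixpack that changes a critical file without refreshing the signature database, and a fixpack that refreshes the database together with the files) can be shown with a small hash-based integrity check. The following is an added illustration and is not IBM code or the trustchk/TSD implementation; the record format, function names and the sample files it creates under a temporary directory are assumptions chosen for the demonstration, and it runs on any host without AIX or VIOS.

```python
"""
Added example: a minimal file-integrity database in the spirit of a Trusted
Signature Database. Not IBM's code and not how trustchk stores its records;
the attribute set, function names and sample tree are assumptions.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Capture the attributes an integrity database would pin for one file."""
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_database(paths) -> dict:
    """The 'signing' step: map each path to its expected attributes."""
    return {str(p): fingerprint(Path(p)) for p in paths}


def verify_database(db: dict) -> list:
    """Compare every entry with the live file (the 'trustchk -n' style check).

    Returns a list of (path, attribute, expected, actual); a clean system yields [].
    A file that has disappeared is reported as a mismatch on the 'exists' attribute.
    """
    findings = []
    for path_str, expected in db.items():
        p = Path(path_str)
        if not p.exists():
            findings.append((path_str, "exists", True, False))
            continue
        actual = fingerprint(p)
        for attr, want in expected.items():
            if actual[attr] != want:
                findings.append((path_str, attr, want, actual[attr]))
    return findings


def demo() -> dict:
    """Walk through clean install -> stale database -> refreshed database."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for a critical command and library.
        cmd = root / "sbin" / "sample_cmd"
        lib = root / "lib" / "libsample.a"
        cmd.parent.mkdir()
        lib.parent.mkdir()
        cmd.write_bytes(b"#!/bin/sh\necho sample command\n")
        lib.write_bytes(b"\x00sample archive\x00")
        os.chmod(cmd, 0o755)

        db = build_database([cmd, lib])
        clean = verify_database(db)  # fresh install: no mismatches

        # A fixpack replaces the command, but nobody regenerated the database.
        cmd.write_bytes(b"#!/bin/sh\necho patched command\n")
        stale = verify_database(db)  # hash and size now disagree

        # The disciplined path: the fixpack ships a refreshed database too.
        refreshed = verify_database(build_database([cmd, lib]))

        return {
            "clean": clean,
            "stale_attrs": sorted({f[1] for f in stale}),
            "stale_paths": sorted({f[0] for f in stale}),
            "refreshed": refreshed,
        }


if __name__ == "__main__":
    for state, result in demo().items():
        print(state, result)
```

The point the idea's third request makes is visible in the `stale` versus `refreshed` results: a patch that is delivered without a matching database update turns every legitimate fix into an alert, so the database has to be versioned and shipped alongside the files it describes.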