IBM Power Ideas Portal

Status Delivered
Workspace PowerVM VIOS
Created by Guest
Created on May 9, 2022

Support for Trusted Execution in VIOS

Many IT organizations require antivirus or similar protections, such as File Integrity Monitoring, on critical infrastructure as a matter of routine Security and Compliance policy. In the AIX space, IBM's recommended solution (as stated many times by security experts representing IBM at TechU, etc.) is Trusted Execution, ideally in tandem with PowerSC for additional configuration compliance checking and real-time alerting. While VIOS by design is more of a black box, it is nonetheless built on AIX and subject to similar risks as other AIX servers, and is of course highly critical to the proper function of a PowerVM environment.

It is our opinion - and the recommendation of IBM Lab Services security experts we've spoken to - that VIO servers absolutely should be monitored with Trusted Execution, with at least as much urgency as AIX. The filesets and Trusted Signature Database already come as part of the VIOS image (albeit with a number of mismatched signatures that require cleanup). However, we have been told that, per VIOS Architects, Trusted Execution is not supported, i.e. the "trustchk" command that is the heart of this tool is not in the list of supported administrative commands (https://www.ibm.com/docs/en/power9?topic=server-alphabetical-list-commands) and that Support will not provide assistance with it. They did indicate that this is "being evaluated" and that an RFE would assist, so we are logging this to encourage that they do, indeed, add Trusted Execution support.


At the very least, please:

  1. Allow use of the trustchk command for validation and monitoring of critical files (with enforcement disabled). Add this command to the supported list and allow customers to obtain assistance with the command from VIOS Support.

  2. Correct entries in the TSD that do not currently match the fingerprint of existing files provided in the VIOS image (i.e. "trustchk -n all" should report no errors on a clean fresh install of VIOS from IBM-provided media).

  3. Require future development to apply the same discipline as with AIX to ensure the TSD is updated whenever changes are made that affect critical file fingerprints in future fix packs, so that a VIO Server patched through supported means continues to report no trustchk mismatches.

Ideally, provide full support for Trusted Execution (including with all enforcement options enabled). As the VIOS build is generally locked down and rarely if ever should have third-party software installed, it should be much easier to enable blocking of untrusted binaries, scripts, libraries, and kernel extensions in VIOS than in a typical customer AIX system, which would greatly enhance VIOS security against any possible intrusion - so long as the TSD is kept current whenever fixes are delivered.

Idea priority High
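As an added example (not IBM's trustchk, VIOS code, or anything from the original request), a small Python model of the check the Trusted Signature Database enables: a baseline of file attributes is built and verified the way `trustchk -n all` reports mismatched attributes per file, showing why a fix that replaces a critical file must also refresh the TSD (item 3 above) or the server keeps reporting mismatches. The file name `ioscli`, its contents and the attribute set are constructed for the demonstration.

```python
"""Toy model of the TSD check done by Trusted Execution (not IBM's trustchk).
Builds a baseline of file attributes and reports per-file mismatches the way
``trustchk -n all`` does, to show why a fix must also refresh the TSD."""
import hashlib
import os
import stat
import tempfile

ATTRS = ("hash", "size", "mode")  # constructed subset of the attributes trustchk tracks


def fingerprint(path):
    """Collect the attributes the baseline compares against."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"hash": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_tsd(paths):
    """Baseline every listed file, like the TSD entries shipped with the image."""
    return {p: fingerprint(p) for p in paths}


def verify(tsd):
    """Return (path, attribute) pairs that no longer match the baseline."""
    mismatches = []
    for path, expected in tsd.items():
        if not os.path.exists(path):
            mismatches.append((path, "missing"))
            continue
        actual = fingerprint(path)
        mismatches.extend((path, a) for a in ATTRS if actual[a] != expected[a])
    return mismatches


def demo():
    """Replace a file without, then with, a TSD refresh; return the three verify results."""
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "ioscli")  # constructed stand-in for a VIOS command
        with open(binary, "w") as f:
            f.write("version 1\n")
        os.chmod(binary, 0o755)
        tsd = build_tsd([binary])
        clean = verify(tsd)  # fresh install: nothing to report
        with open(binary, "w") as f:  # simulated fix pack replaces the file
            f.write("version 2 (fixed)\n")
        stale = verify(tsd)  # TSD not refreshed: hash and size mismatch
        return clean, stale, verify(build_tsd([binary]))  # refreshed TSD is clean again


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale TSD", "refreshed TSD"), demo()):
        print(f"{label}: {result or 'no mismatches'}")
```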
  • Guest
    Jun 13, 2024
    Trusted execution, trusted update and secure boot are part of VIOS 4.1.0.10 & above.