Enable IBM Secure Execution on ocpvirt

Author: SNiemann15

_topic_maps/_topic_map.yml

@@ -4820,6 +4820,8 @@ Topics:
     File: virt-creating-vms-from-instance-types
   - Name: Creating VMs from templates
     File: virt-creating-vms-from-templates
+  - Name: Configuring IBM Secure Execution virtual machines on IBM Z and IBM LinuxONE
+    File: virt-configuring-ibm-secure-execution-vms-ibm-z
 - Name: Advanced VM creation
   Dir: creating_vms_advanced
   Topics:

modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc

@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-enabling-vms-ibm-secure-execution-ibm-z_{context}"]
+= Enabling VMs to run {ibm-name} Secure Execution on {ibm-z-name} and {ibm-linuxone-name}
+
+To enable {ibm-name} Secure Execution virtual machines (VMs) on {ibm-z-name} and {ibm-linuxone-name} on the compute nodes of your cluster, you must ensure that you meet the prerequisites and complete the following steps.
+
+.Prerequisites
+
+* Your cluster has logical partition (LPAR) nodes running on {ibm-name} z15 or later, or {ibm-linuxone-name} III or later.
+* You have {ibm-name} Secure Execution workloads available to run on the cluster.
+* You have installed the {oc-first}.
+
+.Procedure
+
+. To run {ibm-name} Secure Execution VMs, you must add the `prot_virt=1` kernel parameter for each compute node. To enable all compute nodes, create a file named `secure-execution.yaml` that contains the following machine config manifest:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: secure-execution
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  kernelArguments:
+    - prot_virt=1
+----
++
+where:
++
+`prot_virt=1`:: Specifies that the ultravisor can store memory security information.
+
+. Apply the changes by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f secure-execution.yaml
+----
++
+The Machine Config Operator (MCO) applies the changes and reboots the nodes in a controlled rollout.
+
+. Edit the `HyperConverged` custom resource (CR) by running the following command:
++
+[source,terminal]
+----
+$ oc edit -n openshift-cnv HyperConverged kubevirt-hyperconverged
+----
+
+. Enable the feature gate for {ibm-name} Secure Execution by applying the following annotations:
++
+[source,yaml,subs="attributes+"]
+----
+apiVersion: hco.kubevirt.io/v1beta1
+kind: HyperConverged
+metadata:
+  annotations:
+    kubevirt.kubevirt.io/jsonpatch: |-
+     [
+      {
+       "op":"add",
+       "path":"/spec/configuration/developerConfiguration/featureGates/-",
+       "value":"SecureExecution"
+      }
+     ]
+----

modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc

@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-launching-ibm-secure-execution-vm-ibm-z_{context}"]
+= Launching an {ibm-title} Secure Execution VM on {ibm-z-title} and {ibm-linuxone-title}
+
+Before launching an {ibm-name} Secure Execution VM on {ibm-z-name} and {ibm-linuxone-name}, you must add the `launchSecurity` parameter to the VM manifest. Otherwise, the VM does not boot correctly because it does not have access to the devices.
+
+.Procedure
+
+* Apply the following `VirtualMachine` manifest to the cluster:
++
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  labels:
+    kubevirt.io/vm: f41-se
+  name: f41-se
+spec:
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/vm: f41-se
+    spec:
+      domain:
+        launchSecurity: {}
+        devices:
+          disks:
+          - disk:
+              bus: virtio
+            name: rootfs
+        machine:
+          type: ""
+        resources:
+          requests:
+            memory: 4Gi
+      terminationGracePeriodSeconds: 0
+      volumes:
+        - name: rootfs
+          dataVolume:
+            name: f41-se
+----
++
+To launch {ibm-name} Secure Execution VMs, you must include the following YAML in the manifest:
++
+[source,yaml]
+----
+spec:
+   domain:
+     launchSecurity: {}
+----
++
+The rest of the VM manifest is variable depending on your setup.
++
+[NOTE]
+====
+Because the memory of the VM is protected, {ibm-name} Secure Execution VMs are not live migratable. The VMs can only be migrated offline.
+====

virt/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc

@@ -0,0 +1,23 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+
+[id="virt-configuring-ibm-secure-execution-vms-ibm-z"]
+= Configuring {ibm-title} Secure Execution virtual machines on {ibm-z-title} and {ibm-linuxone-title}
+
+:context: virt-configuring-ibm-secure-execution-vms-ibm-z
+
+toc::[]
+
+You can configure {ibm-name} Secure Execution virtual machines (VMs) on {ibm-z-name} and {ibm-linuxone-name}.
+
+{ibm-name} Secure Execution for Linux is a s390x security technology that is introduced with {ibm-name} z15 and {ibm-linuxone-name} III. It protects data of workloads that run in a KVM guest from being inspected or modified by the server environment.
+
+In particular, no hardware administrator, no KVM code, and no KVM administrator can access the data in a guest that was started as an IBM Secure Execution guest.
+
+[role="_additional-resources"]
+.Additional resources
+* link:https://www.ibm.com/docs/en/linux-on-systems?topic=execution-introduction[What is IBM Secure Execution?]
+
+include::modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc[leveloffset=+1]
+
+include::modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc[leveloffset=+1]