Administrator > Security

Understanding z/VM Integrity and Security

IBM's zSeries* OS z/VM* and its predecessors (VM/ESA, VM/XA and VM/SP) have been used for decades by IBM mainframe customers in all industry sectors, as well as by IBM, as a trusted, reliable, secure and robust platform for multiuser computing and for hosting virtual S/390* and zSeries servers. "Ah, virtualization," you may be saying to yourself. "It sounds good, but how do I know I can trust it?"

IBM's years of investment in both hardware and software technologies have created a virtual-computing environment that maintains virtual-server separation, while providing flexible virtual-server administration. In the simplest terms, z/VM takes the principles of partitioning-which at the hardware level are implemented by the processor microcode-and enriches them through virtualization.

System Integrity
The z/VM control program (CP) virtualizes hardware resources, either by sharing or partitioning real hardware resources, or by emulating their behavior. CP maintains a separate execution stream for each virtual server. In this way, CP operates without interference or harm, intentional or unintentional, from the virtual servers it hosts. The virtual servers also are protected from interfering with or harming each other. This separation is called system integrity. Access to memory and CPU is mediated by the cooperative efforts of CP and the hardware in order to maintain system integrity.

Interpretive Execution Facility
The IBM ESA/390 architecture and z/Architecture* provide the foundation for CP's ability to maintain system integrity. At the core of the architecture is the interpretive execution facility. It's an element of Processor Resource/Systems Manager* (PR/SM) that permits a virtual server instruction stream to be run on the processor using a single instruction-Start Interpretive Execution (SIE). The SIE instruction is used by the server's logical partitioning (LPAR) support to divide a zSeries or S/390 processor complex into proven secure logical partitions. (Note: The IBM S/390 CMOS G6 family of processors PR/SM facility received certification at the ITSEC E4 level of security. Evaluation of IBM zSeries processors is currently underway. Click here for the latest security evaluation information on IBM products.)

When CP dispatches a virtual server, details about its execution environment are provided to the hardware. The SIE instruction runs the virtual server until the server's time slice has been consumed or until the server wants to perform an operation that the hardware can't virtualize or for which CP must regain control. At that point, the SIE instruction ends and control is returned to CP, which either simulates the instruction or places the virtual server in an involuntary wait state. When complete, CP again schedules the virtual server to run, and the cycle starts again. In this way, the full capabilities and speed of the CPU are available to the virtual server. Only those privileged instructions that require assistance from or validation by CP are intercepted. These "SIE intercepts," as they are known as, also are used by CP to impose limits on the operations a virtual server may perform on a real device.

This mechanism also enables CP to limit the scope of many kinds of hardware or software failures. If the error can be isolated to a particular virtual server, only that virtual server fails and the operation can be retried or the virtual server can be reinitialized (rebooted) without affecting any testing or production work running in other virtual servers. CP is designed so that failures occurring in virtual servers don't affect CP or other virtual servers.

 

Next page: >>