Over the years, security has become an essential requirement for information technology. Security consists of many measures, including:
Preventing unauthorized access to information (read and/or write)
Preventing unauthorized withholding of information or resources (for example, denial-of-service attacks)
Providing accurate user identification
IT managers need to know whether the security of the system they are using, or intend to purchase, meets the security needs of their organization. To answer this question, you first need to define a set of criteria. Then, you need an appropriate organization to certify that your IT system has been adequately tested and meets the designated criteria. The organization that usually performs this certification is the appropriately qualified and recognized national certification body for each country. See, for example, http://www.bsi.de/zertifiz/itkrit/itsec-en.pdf.
Different sets of criteria exist:
Common Criteria are proposed at an international level for the United States, Canada, and the European Community.
ITSEC Information Technology Security Evaluation Criteria. ITSEC is the certification standard traditionally used in the European Community.
TCSEC Trusted Computer Security Evaluation Criteria (also called Orange Book). TCSEC is traditionally used in the United States and Canada.
For the future, it is anticipated that Common Criteria will become the de facto criteria. All future IBM certification will be to Common Criteria standards. For current information about Common Criteria for Linux on eServer platforms, see http://www.ibm.com/servers/eserver/zseries/security/certification.html.
For more information about Common Criteria, see http://www.commoncriteria.org/.
Common Criteria are designated by Evaluation Assurance Levels (EALs). Table 23-1 summarizes the different levels that have been defined. For a comprehensive definition, see http://www.commoncriteria.org/docs/EALs.html.
Table 23-1. Evaluation assurance levels
EAL3  Methodically tested and checked
EAL4  Methodically designed, tested, and reviewed
EAL5  Semiformally designed and tested
EAL6  Semiformally verified design and tested
EAL7  Formally verified design and tested
Table 23-2 compares different criteria levels for ITSEC and TCSEC.
Table 23-2. ITSEC and TCSEC criteria
23.1.1 LPAR certification
Logical partitioning on the mainframe, in the form of the underlying Processor Resource/Systems Manager (PR/SM) microcode, received the EAL5 certification level in March 2003. The certification was conducted with the PR/SM for the IBM eServer zSeries 900. Because the certification process is an extremely time-consuming and costly process, it cannot be performed for every single model and product on the mainframe.
EAL5 certification means that an independent body assessed the isolation of workload from one mainframe logical partition to another and determined that the isolation is equivalent to that of separate physical servers. You can be assured that one logical partition running a Web environment and another logical partition running production work are truly separate and isolated while sharing common hardware resources on a single physical server.
23.1.2 VM integrity
VM integrity can be captured in the following short form:
VM integrity statement, short form
If you find any way for one guest machine to influence another, we will accept that as an integrity APAR.
There is no official certification of VM/ESA or z/VM comparable to the certification of PR/SM. However, the z/VM guest machine separation uses the same machine facilities that were created for, and are used by, PR/SM. Because of this, the same level of confidence can be placed in the z/VM and VM/ESA guest machine separation as in the PR/SM microcode. To this end, IBM makes an unequivocal system integrity statement for z/VM (in the publication z/VM General Information, GC24-5991), which is as follows:
VM integrity statement
System integrity is an important characteristic of z/VM. This statement extends IBM's previous statements on system integrity to the z/VM environment.
IBM has implemented specific design and coding guidelines for maintaining system integrity in the development of z/VM. Procedures have also been established to make the application of these design and coding guidelines a formal part of the design and development process.
However, because it is not possible to certify that any system has perfect integrity, IBM will accept APARs that describe exposures to the system integrity of z/VM or that describe problems encountered when a program, running in a virtual machine not authorized by a mechanism under the customer's control, introduces an exposure to the system integrity of z/VM, as defined in the following "z/VM System Integrity Definition" section.
IBM will continue its efforts to enhance the integrity of z/VM and to respond promptly when exposures are identified.
In the VM integrity statement cited above, IBM promises that it will fix every exposure of the system integrity of z/VM.
z/VM system integrity definition
The z/VM control program system integrity is the inability of any program, running in a virtual machine not authorized by a z/VM control program mechanism under the customer's control or a guest operating system mechanism under the customer's control, to:
Circumvent or disable the control program real or auxiliary storage protection.
Access a resource protected by RACF. Resources protected by RACF include virtual machines, minidisks, and terminals.
Access a control program password-protected resource.
Obtain control in real supervisor state or with privilege class authority or directory capabilities greater than those it was assigned.
Circumvent the system integrity of any guest operating system that itself has system integrity as the result of an operation by any z/VM control program facility.
Real storage protection refers to the isolation of one virtual machine from another. CP accomplishes this by hardware dynamic address translation, start interpretive-execution guest storage extent limitation, and the Set Address Limit facility.
Auxiliary storage protection refers to the disk extent isolation implemented for minidisks/virtual disks through channel program translation.
Password-protected resource refers to a resource protected by CP logon passwords and minidisk passwords.
Guest operating system refers to a control program that operates under the z/VM control program.
Directory capabilities refer to those directory options that control functions intended to be restricted by specific assignment, such as those that permit system integrity controls to be bypassed or those not intended to be generally granted to users.
In short, since z/VM uses the same instructions as previous systems to isolate the different guests, IBM warrants the integrity of the virtual machine interface and will accept integrity APARs and will fix any problem that is exposed.