z15 selfboot and secure boot

Abstract
The IBM Z central processor (CP) and storage controller (SC) chips contain hardware and firmware to serve selfboot and secure boot needs. Selfboot initializes the CP/SC chips from hardware and firmware, which reside in each chip module. This establishes a core root of trust and also guarantees a boot time that is independent of the system configuration, which is key for large enterprise-class systems consisting of multiple drawers and chips. Secure boot is built on this core root of trust and is used to authenticate the firmware loaded from system memory prior to execution of that firmware. Selfboot and secure boot also guarantee the integrity of the CP and SC chips by restricting hardware and memory accesses through debug or service interfaces during boot, runtime, and code update phases. In this article, we describe the basic hardware and firmware concepts that are implemented and enabled for the z15 CP and SC chips.
