Updated: 16 Aug. 2007
System Integrity Statement for z/VM
System integrity is an important characteristic of z/VM. This statement
extends IBM's previous statements on system integrity to the z/VM
environment. IBM has implemented specific design and coding guidelines for
maintaining system integrity in the development of z/VM. Procedures have
also been established to make the application of these design and coding
guidelines a formal part of the design and development process. However,
because it is not possible to certify that any system has perfect
integrity, IBM will accept APARs that describe exposures to the system
integrity of z/VM or that describe problems encountered when a program
running in a virtual machine not authorized by a mechanism under the
customer's control introduces an exposure to the system integrity of
z/VM, as defined in the following "z/VM System Integrity Definition" section.
IBM will continue its efforts to enhance the integrity of z/VM and to
respond promptly when exposures are identified.
z/VM System Integrity Definition
The z/VM control program system integrity is the inability of any program
running in a virtual machine not authorized by a z/VM control program
mechanism under the customer's control or a guest operating system
mechanism under the customer's control to:
- Circumvent or disable the control program real or auxiliary storage
  protection.
- Access a resource protected by RACF. Resources protected by RACF include
  virtual machines, minidisks, and terminals.
- Access a control program password-protected resource.
- Obtain control in real supervisor state or with privilege class
  authority or directory capabilities greater than those it was assigned.
- Circumvent the system integrity of any guest operating system that
  itself has system integrity as the result of an operation by any z/VM
  control program facility.
Real storage protection refers to the isolation of one virtual machine from
another. CP accomplishes this by hardware dynamic address translation,
Start Interpretive Execution (SIE) guest storage extent limitation, and the
Set Address Limit facility.
Auxiliary storage protection refers to the disk extent isolation
implemented for minidisks and virtual disks through channel program
translation.
Password-protected resource refers to a resource protected by CP logon
passwords and minidisk passwords.
Guest operating system refers to a control program that operates under the
z/VM control program.
Directory capabilities refer to those directory options that control
functions intended to be restricted by specific assignment, such as those
that permit system integrity controls to be bypassed or those not intended
to be generally granted to users.
Customer Responsibilities
While protection of the customer's data remains the customer's
responsibility, data security continues to be an area of vital importance
to IBM. IBM's commitment to the system integrity of the z/VM environment,
as described in this statement, represents a further significant step to
help customers protect their data.
Product documentation, subject to change, describes the actions that must
be taken and the facilities that must be restricted to complement the
system integrity support provided by z/VM. Such actions and restrictions
may vary depending on the system, configuration, or environment. The
customer is responsible for the selection, application, adequacy, and
implementation of these actions and restrictions, and for appropriate
application controls.
See also
z/OS Statement of Integrity.