z/VM Statement of Integrity
Last Updated: 21 September 2018
This excerpt is published here for your convenience.
System Integrity Statement for z/VM
System integrity is an important characteristic of z/VM. IBM statements on system integrity extend to the z/VM environment. IBM has implemented specific design and coding guidelines for maintaining system integrity in the development of z/VM. IBM product development, including z/VM, follows the IBM Secure Engineering Framework for the secure design, development, coding, testing, service, and certification of its deliverables. For more information, see IBM Secure Engineering.
Because it is not possible to certify that any system has perfect integrity, IBM will accept APARs that describe exposures to the system integrity of z/VM or that describe problems encountered when a program running in a virtual machine not authorized by a mechanism under the customer's control introduces an exposure to the system integrity of z/VM, as defined in "Integrity and security" on page 24. IBM will continue its efforts to enhance the integrity of z/VM and to respond promptly when exposures are identified in the specified operating environment on releases of z/VM that have not reached their End of Support Date, which can be found at IBM Support - Software lifecycle.
Note: IBM reserves the right to change, modify or withdraw its offerings, policies and practices at any time. All products and support obligations are subject to the terms of the applicable license and services agreements.
z/VM system integrity definition
Unless authorized by a z/VM control program (CP) mechanism under the customer's control or a guest operating system mechanism under the customer's control, a program running in a virtual machine cannot:
- Circumvent or disable the control program real or auxiliary storage protection.
- Access a resource protected by an external security manager (ESM), such as RACF. Some of the protected resources are virtual machines, minidisks, and terminals.
- Access a control program password-protected resource.
- Obtain control in real supervisor state or with privilege class authority or directory capabilities greater than those it was assigned.
- Circumvent the system integrity of any guest operating system that itself has system integrity as the result of an operation by any z/VM control program facility.
Real storage protection refers to the isolation of one virtual machine from another. CP accomplishes this by hardware dynamic address translation, start interpretive-execution guest storage extent limitation, and the Set Address Limit facility.
Auxiliary storage protection refers to the disk extent isolation implemented for minidisks and virtual disks through channel program translation.
Password-protected resource refers to a resource protected by CP logon passwords and minidisk passwords.
Privilege class authority refers to the authorization of a virtual machine to use specific IBM-defined or customer-defined classes of CP system functions.
Directory capabilities refer to those directory options that control functions intended to be restricted by specific assignment, such as those that permit system integrity controls to be bypassed or those not intended to be generally granted to users.
Guest operating system refers to a control program that operates under the z/VM control program.
While protection of the customer's data remains the customer's responsibility, data security continues to be an area of vital importance to IBM. IBM is committed to continually improving the system integrity of the z/VM environment to help customers protect their data.
Product documentation, subject to change, describes the actions that must be taken and the facilities that must be restricted to complement the system integrity support provided by z/VM. Such actions and restrictions might vary depending on the system, configuration or environment. The customer is responsible for the selection, application, adequacy, and implementation of these actions and restrictions, and for appropriate application controls.