From 01cdda98b96024d6cbb500e1ce521456bf8cff54 Mon Sep 17 00:00:00 2001
From: SNiemann15
Date: Fri, 26 Sep 2025 12:41:50 +0200
Subject: [PATCH] Enable IBM Secure Execution on ocpvirt

---
 _topic_maps/_topic_map.yml | 2 +
 ...abling-vms-ibm-secure-execution-ibm-z.adoc | 70 +++++++++++++++++++
 ...unching-ibm-secure-execution-vm-ibm-z.adoc | 63 +++++++++++++++++
 ...guring-ibm-secure-execution-vms-ibm-z.adoc | 23 ++++++
 4 files changed, 158 insertions(+)
 create mode 100644 modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc
 create mode 100644 modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc
 create mode 100644 virt/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc

diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 185d94d1c58b..8034d3202e4e 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -4820,6 +4820,8 @@ Topics:
 File: virt-creating-vms-from-instance-types
 - Name: Creating VMs from templates
 File: virt-creating-vms-from-templates
+ - Name: Configuring IBM Secure Execution virtual machines on IBM Z and IBM LinuxONE
+ File: virt-configuring-ibm-secure-execution-vms-ibm-z
 - Name: Advanced VM creation
 Dir: creating_vms_advanced
 Topics:
diff --git a/modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc b/modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc
new file mode 100644
index 000000000000..9d0fd26546b2
--- /dev/null
+++ b/modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc
@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-enabling-vms-ibm-secure-execution-ibm-z_{context}"]
+= Enabling VMs to run {ibm-name} Secure Execution on {ibm-z-name} and {ibm-linuxone-name}
+
+To enable {ibm-name} Secure Execution virtual machines (VMs) on {ibm-z-name} and {ibm-linuxone-name} on the compute nodes of your cluster, you must ensure that you meet the prerequisites and complete the following steps.
+
+.Prerequisites
+
+* Your cluster has logical partition (LPAR) nodes running on {ibm-name} z15 or later, or {ibm-linuxone-name} III or later.
+* You have {ibm-name} Secure Execution workloads available to run on the cluster.
+* You have installed the {oc-first}.
+
+.Procedure
+
+. To run {ibm-name} Secure Execution VMs, you must add the `prot_virt=1` kernel parameter for each compute node. To enable all compute nodes, create a file named `secure-execution.yaml` that contains the following machine config manifest:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ name: secure-execution
+ labels:
+ machineconfiguration.openshift.io/role: worker
+spec:
+ kernelArguments:
+ - prot_virt=1
+----
++
+where:
++
+`prot_virt=1`:: Specifies that the ultravisor can store memory security information.
+
+. Apply the changes by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f secure-execution.yaml
+----
++
+The Machine Config Operator (MCO) applies the changes and reboots the nodes in a controlled rollout.
+
+. Edit the `HyperConverged` custom resource (CR) by running the following command:
++
+[source,terminal]
+----
+$ oc edit -n openshift-cnv HyperConverged kubevirt-hyperconverged
+----
+
+. Enable the feature gate for {ibm-name} Secure Execution by applying the following annotations:
++
+[source,yaml,subs="attributes+"]
+----
+apiVersion: hco.kubevirt.io/v1beta1
+kind: HyperConverged
+metadata:
+ annotations:
+ kubevirt.kubevirt.io/jsonpatch: |-
+ [
+ {
+ "op":"add",
+ "path":"/spec/configuration/developerConfiguration/featureGates/-",
+ "value":"SecureExecution"
+ }
+ ]
+----
diff --git a/modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc b/modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc
new file mode 100644
index 000000000000..1117427276b7
--- /dev/null
+++ b/modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="virt-launching-ibm-secure-execution-vm-ibm-z_{context}"]
+= Launching an {ibm-title} Secure Execution VM on {ibm-z-title} and {ibm-linuxone-title}
+
+Before launching an {ibm-name} Secure Execution VM on {ibm-z-name} and {ibm-linuxone-name}, you must add the `launchSecurity` parameter to the VM manifest. Otherwise, the VM does not boot correctly because it does not have access to the devices.
+
+.Procedure
+
+* Apply the following `VirtualMachine` manifest to the cluster:
++
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+ labels:
+ kubevirt.io/vm: f41-se
+ name: f41-se
+spec:
+ runStrategy: Always
+ template:
+ metadata:
+ labels:
+ kubevirt.io/vm: f41-se
+ spec:
+ domain:
+ launchSecurity: {}
+ devices:
+ disks:
+ - disk:
+ bus: virtio
+ name: rootfs
+ machine:
+ type: ""
+ resources:
+ requests:
+ memory: 4Gi
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: rootfs
+ dataVolume:
+ name: f41-se
+----
++
+To launch {ibm-name} Secure Execution VMs, you must include the following YAML in the manifest:
++
+[source,yaml]
+----
+spec:
+ domain:
+ launchSecurity: {}
+----
++
+The rest of the VM manifest is variable depending on your setup.
++
+[NOTE]
+====
+Because the memory of the VM is protected, {ibm-name} Secure Execution VMs are not live migratable. The VMs can only be migrated offline.
+====
diff --git a/virt/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc b/virt/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc
new file mode 100644
index 000000000000..5e72a83b3ca9
--- /dev/null
+++ b/virt/creating_vm/virt-configuring-ibm-secure-execution-vms-ibm-z.adoc
@@ -0,0 +1,23 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/common-attributes.adoc[]
+
+[id="virt-configuring-ibm-secure-execution-vms-ibm-z"]
+= Configuring {ibm-title} Secure Execution virtual machines on {ibm-z-title} and {ibm-linuxone-title}
+
+:context: virt-configuring-ibm-secure-execution-vms-ibm-z
+
+toc::[]
+
+You can configure {ibm-name} Secure Execution virtual machines (VMs) on {ibm-z-name} and {ibm-linuxone-name}.
+
+{ibm-name} Secure Execution for Linux is a s390x security technology that is introduced with {ibm-name} z15 and {ibm-linuxone-name} III. It protects data of workloads that run in a KVM guest from being inspected or modified by the server environment.
+
+In particular, no hardware administrator, no KVM code, and no KVM administrator can access the data in a guest that was started as an IBM Secure Execution guest.
+
+[role="_additional-resources"]
+.Additional resources
+* link:https://www.ibm.com/docs/en/linux-on-systems?topic=execution-introduction[What is IBM Secure Execution?]
+
+include::modules/virt-enabling-vms-ibm-secure-execution-ibm-z.adoc[leveloffset=+1]
+
+include::modules/virt-launching-ibm-secure-execution-vm-ibm-z.adoc[leveloffset=+1]
\ No newline at end of file