When you IPL via validated boot, you have two choices related to the validation. One "enforces" the validation, which means that the IPL stops and fails if the validation is not successful and it stops on the first module that fails to validate properly. The other is to just "audit", which means the IPL will succeed even if the validation fails and you will be told which module(s) failed to validate successfully.
When you first set things up, it is probably a good idea to perform one validated boot to just audit to see if you did everything correctly. Once you know things are properly set up, then you can switch to enforcing validation; it is a simple change to a Load option. But, if you go straight from setup to an "enforced" validated boot, then you will know at least the first module that is wrong. You also always have the option (from the HMC or SE) to disable enforcement of the validated boot as part of the IPL if you have a later validation failure and really need to IPL. But, if you were successfully IPLing via validated boot and then suddenly there is an error with validation, you really should figure out what changed and why before you just IPL without enforcing validation since it means something has changed. Unfortunately, one or more of the modules could have been changed as a result of malicious actions and you would want to rule that out. Otherwise, why do a validated boot in the first place?
