When I first heard of this I thought it imperative that installations define clear procedures. So that in the middle of the night – which IPLs often are – or in dire straits – which they sometimes are – people would know how to decide and wouldn’t panic.
Cheers, Martin

From: IBM Mainframe Discussion List <[email protected]> on behalf of Tom Mathias <[email protected]>
Date: Wednesday, 2 July 2025 at 20:52
To: [email protected] <[email protected]>
Subject: [EXTERNAL] Re: IPL data signing

When you IPL via validated boot, you have two choices related to the validation. One "enforces" the validation, which means that the IPL stops and fails if the validation is not successful and it stops on the first module that fails to validate properly. The other is to just "audit", which means the IPL will succeed even if the validation fails and you will be told which module(s) failed to validate successfully.

When you first set things up, it is probably a good idea to perform one validated boot to just audit to see if you did everything correctly. Once you know things are properly set up, then you can switch to enforcing validation; it is a simple change to a Load option. But, if you go straight from setup to an "enforced" validated boot, then you will know at least the first module that is wrong.

You also always have the option (from the HMC or SE) to disable enforcement of the validated boot as part of the IPL if you have a later validation failure and really need to IPL. But, if you were successfully IPLing via validated boot and then suddenly there is an error with validation, you really should figure out what changed and why before you just IPL without enforcing validation since it means something has changed. Unfortunately one or more of the modules could have been changed as a result of malicious actions and you would want to rule that out. Otherwise, why do a validated boot in the first place?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN

Unless otherwise stated above: IBM United Kingdom Limited Registered in England and Wales with number 741598 Registered office: Building C, IBM Hursley Office, Hursley Park Road, Winchester, Hampshire SO21 2JN
