IBM Logical Partition Architecture for Power7 operating on IBM Power Systems hardware with AH730_087 or AM740_088

 
PROJECT ID
C043
ASSURANCE LEVEL
EAL4+ ALC_FLR.2
Security Target (ST)
 
Certification Report (CR)
 
PRODUCT NAME AND VERSION
IBM Logical Partition Architecture for Power7 operating on IBM Power Systems hardware with AH730_087 or AM740_088
PRODUCT TYPE
Set of hardware and firmware designed to abstract and virtualise physical hardware resources to provide secure access to the underlying platform for one or more concurrent operating systems.
PRODUCT SPONSOR / DEVELOPER

International Business Machine (IBM) Corporation

PRODUCT SPONSOR / DEVELOPER CONTACT DETAILS

International Business Machine (IBM) Corporation
3605 Hwy 52 North
Rochester, MM 55901
UNITED STATES

URL:http://www.ibm.com/systems/power/
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Tel: 507 253 7051
Fax: 507 253 2870

The Target of Evaluation (TOE), IBM Logical Partition Architecture for Power7 operating on IBM Power Systems hardware with AH730_087 or AM740_088 (hereafter referred as LPAR), has been evaluated in the context of hardware models 770 (AM740_088 firmware) and 795 (AH730_087 firmware). The TOE firmware is designed to abstract and virtualise physical hardware resources to provide secure access to the underlying platform for one or more concurrent operating systems. Each virtual platform is known as a partition. The operating systems executing in the available partitions are treated as subjects of the TOE, where the TOE not only provides the necessary operational support for the hosted operating systems, but also serves to separate them from each other to ensure mutual non-interference.

While not included as part of the TOE, the TOE is configured using a connected Hardware Management Console (HMC) that provides access to the functions necessary to enable administrative personnel to effectively manage the allocation of resources (i.e., processors, memory, and I/O devices) to the configured partitions. Once the TOE is configured, the HMC must be disconnected so that it offers no interfaces while the TOE is operating in its evaluated configuration.

The TOE consists of the PowerVM Hypervisor which provides the virtualisation. The other components of the LPAR such as the Hardware Management Console (HMC), Flexible Service Processor (FSP), Bulk Power Assembly (BPA) and operating systems are outside the TOE scope. The underlying resources of the IBM Power 770 and Power 795 server platforms, including Disks, CPU, RAM, or networking, including the internal virtual switch are considered to be part of the TOE environment.

In the context of the evaluation, the TOE provides the following major security features:

  • User data protection – the TOE is designed to instantiate multiple partitions for the purpose of supporting and isolating simultaneous operating systems. As such, it implements a policy where each partition can access only those resources explicitly assigned to it. In terms of access control, the CPU, memory, and I/O devices can be assigned to a given partition and a partition can access those resources only when they are assigned to it.
  • Identification and authentication – the active entity or user of the TOE is partition, which it instantiates. Partitions are implicitly identified and authenticated by internal numerical identifiers associated with partitions (using internal data structures) as they are defined. Being implicitly identified by the TOE, partitions have no need, nor means, to identify themselves. Furthermore, the identification of a partition is guaranteed by the TOE and as such each partition is also continuously authenticated.
  • Security management – the TOE supports several management functions to configure the TOE via the dedicated physical HMC interface (out of scope for this evaluation). Once the TOE is operational (in evaluated configuration), the TOE effectively doesn’t offer any security management functions. However, the TOE serves to restrict the ability to change its own configuration nonetheless.
  • Protection of the TOE Security Function (TSF) – the components of the TOE that protect themselves using the domains provided by Power7 processors. The TOE operates in the privileged domain and the partitions operate in the unprivileged domain. This allows the TOE to protect itself as well as the resources it makes selectively available to the applicable partitions. Beyond protecting itself and its resources, the TOE is also designed such that when the hardware that supports a partition fails, the other partitions will continue uninterrupted.