Add module for CEX hw encryption

installing/installing_ibm_z/upi/installing-ibm-z-kvm.adoc

@@ -51,7 +51,9 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev
 
 include::modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc[leveloffset=+1]
 
-include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-encryption-kvm.adoc[leveloffset=+2]
+
+include::modules/ibm-z-secure-execution.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -62,7 +64,9 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_virtualization/securing-virtual-machines-in-rhel_configuring-and-managing-virtualization#setting-up-secure-execution-on-ibm-z_securing-virtual-machines-in-rhel[Setting up {ibm-name} Secure Execution on {ibm-z-title}]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+3]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -100,10 +104,9 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
 [id="next-steps_ibm-z-kvm"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-
-* If necessary, you can
-xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-ibm-z-lpar.adoc

@@ -47,7 +47,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -83,12 +87,11 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
-[id="next-steps_installing-ibm-z-lpar"]
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+[id="next-steps_ibm-z-lpar"]
 == Next steps
 
-* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}]
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-
-* If necessary, you can
-xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-ibm-z.adoc

@@ -48,7 +48,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -84,12 +88,12 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
 [id="next-steps_ibm-z-vm"]
 == Next steps
 
-* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}]
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]
 
-* If necessary, you can
-xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

installing/installing_ibm_z/upi/installing-restricted-networks-ibm-z-kvm.adoc

@@ -59,7 +59,9 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev
 
 include::modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc[leveloffset=+1]
 
-include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-encryption-kvm.adoc[leveloffset=+2]
+
+include::modules/ibm-z-secure-execution.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -70,7 +72,9 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_virtualization/securing-virtual-machines-in-rhel_configuring-and-managing-virtualization#setting-up-secure-execution-on-ibm-z_securing-virtual-machines-in-rhel[Setting up {ibm-name} Secure Execution on {ibm-z-title}]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+3]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -106,10 +110,12 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[Image configuration resources (Classic)]
+
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+
 [id="next-steps_ibm-z-kvm-restricted"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
-* If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-restricted-networks-ibm-z-lpar.adoc

@@ -55,7 +55,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -89,10 +93,12 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[Image configuration resources (Classic)]
+
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+
 [id="next-steps_ibm-z-lpar-restricted"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
-* If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-restricted-networks-ibm-z.adoc

@@ -56,7 +56,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 [id="additional-resources_Configure-nbde-ibm-z-restricted"]
@@ -91,10 +95,12 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
-[id="next-steps_ibm-z-restricted"]
+* xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[Image configuration resources (Classic)]
+
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+
+[id="next-steps_ibm-z-zvm-restricted"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
-* If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

modules/ibm-z-configure-boot-volume-encryption.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
+// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-boot-volume-encryption-ibm-z-linuxone-environment_{context}"]
+= Configuring boot volume encryption in an {ibm-z-title} or {ibm-linuxone-title} environment
+
+You can choose between two methods to optionally encrypt the boot volumes of your {product-title} control plane and compute nodes on {ibm-z-name} or {ibm-linuxone-name}:
+
+* Linux Unified Key Setup (LUKS) encryption via {ibm-name} Crypto Express (CEX)
+* Network Bound Disk Encryption (NBDE)

modules/ibm-z-configure-encryption-kvm.adoc

@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-encryption-kvm-ibm-z-linuxone-environment_{context}"]
+= Configuring encryption for nodes in an {ibm-z-title} or {ibm-linuxone-title} environment
+
+You can choose between three methods to optionally secure your {product-title} control plane and compute nodes on {ibm-z-name} or {ibm-linuxone-name}:
+
+* {ibm-name} Secure Execution
+* Linux Unified Key Setup (LUKS) encryption via {ibm-name} Crypto Express (CEX)
+* Network Bound Disk Encryption (NBDE)

modules/ibm-z-configure-hw-based-cex-encryption.adoc

@@ -0,0 +1,163 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
+// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
+
+ifeval::["{context}" == "installing-ibm-z"]
+:ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-kvm"]
+:ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-lpar"]
+:ibm-z-lpar:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
+:ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
+:ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
+:ibm-z-lpar:
+endif::[]
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-luks-encryption-via-cex-ibm-z-linuxone-environment_{context}"]
+= LUKS encryption via CEX in an {ibm-z-title} or {ibm-linuxone-title} environment
+
+Enabling hardware-based Linux Unified Key Setup (LUKS) encryption via {ibm-name} Crypto Express (CEX) in an {ibm-z-name} or {ibm-linuxone-name} environment requires additional steps, which are described in detail in this section.
+
+.Prerequisites
+
+* You have installed the `butane` utility.
+* You have reviewed the instructions for how to create machine configs with Butane.
+
+.Procedure
+
+. Create Butane configuration files for the control plane and compute nodes.
++
+The following example of a Butane configuration for a control plane node creates a file named `main-storage.bu` for disk encryption:
++
+[source,yaml,subs="attributes+"]
+----
+variant: openshift
+version: {product-version}.0
+metadata:
+  name: main-storage
+  labels:
+    machineconfiguration.openshift.io/role: master
+storage:
+  luks:
+    - cex:
+        enabled: true
+        options: <1>
+           - --pbkdf
+           - pbkdf2
+ifndef::ibm-z-kvm[]
+      device: /dev/disk/by-partlabel/root <2>
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+      device: /dev/disk/by-partlabel/root
+endif::ibm-z-kvm[]
+      label: luks-root
+      name: root
+      wipe_volume: true
+  filesystems:
+    - device: /dev/mapper/root
+      format: xfs
+      label: root
+      wipe_filesystem: true
+openshift:
+ifndef::ibm-z-kvm[]
+  fips: true <3>
+  kernel_arguments: <4>
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+  fips: true <2>
+  kernel_arguments: <3>
+endif::ibm-z-kvm[]
+    - rd.luks.key=/etc/luks/cex.key
+----
+<1> The `pbkdf` option is only required if FIPS mode is enabled. Omit the entry if FIPS is disabled.
+ifndef::ibm-z-kvm[]
+<2> For installations on DASD-type disks, replace with `device: /dev/disk/by-label/root`.
+<3> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
+<4> Specifies the location of the pass key that is required to decrypt the device.
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+<2> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
+<3> Specifies the location of the pass key that is required to decrypt the device.
+endif::ibm-z-kvm[]
+
+. Create a parameter file that includes `ignition.platform.id=metal` and `ignition.firstboot`.
++
+.Example kernel parameter file for the control plane machine
++
+ifndef::ibm-z-kvm[]
+[source,terminal]
+----
+cio_ignore=all,!condev rd.neednet=1 \
+console=ttysclp0 \
+coreos.inst.install_dev=/dev/disk/by-id/scsi-<serial_number> \// <1>
+ignition.firstboot ignition.platform.id=metal \
+coreos.inst.ignition_url=http://<http_server>/master.ign \// <2>
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <3>
+ip=<ip_address>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000 // <4>
+----
+ifdef::ibm-z[]
+<1> Specifies a unique fully qualified path depending on disk type. This can be DASD-type or FCP-type disks.
+endif::ibm-z[]
+ifdef::ibm-z-lpar[]
+<1> Specifies a unique fully qualified path depending on disk type. This can be DASD-type, FCP-type, or NVMe-type disks.
+endif::ibm-z-lpar[]
+<2> Specifies the location of the Ignition config file. Use `master.ign` or `worker.ign`. Only HTTP and HTTPS protocols are supported.
+<3> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
+<4> Specifies the root device. For installations on DASD-type disks, replace with `rd.dasd=0.0.xxxx` to specify the DASD device.
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+[source,terminal]
+----
+cio_ignore=all,!condev rd.neednet=1 \
+console=ttysclp0 \
+ignition.firstboot ignition.platform.id=metal \
+coreos.inst.ignition_url=http://<http_server>/master.ign \// <1>
+coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <2>
+ip=<ip_address>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
+----
+<1> Specifies the location of the Ignition config file. Use `master.ign` or `worker.ign`. Only HTTP and HTTPS protocols are supported.
+<2> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` you are booting. Only HTTP and HTTPS protocols are supported.
+
+endif::ibm-z-kvm[]
++
+[NOTE]
+====
+Write all options in the parameter file as a single line and make sure you have no newline characters.
+====
+
+ifeval::["{context}" == "installing-ibm-z"]
+:!ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-kvm"]
+:!ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-lpar"]
+:!ibm-z-lpar:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
+:!ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
+:!ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
+:!ibm-z-lpar:
+endif::[]