Validated Product: IBM Logical Partition Architecture for Power6 operating on IBM Power Systems hardware (models E8A, MMA, and FHA)
Certificate Date: 26 November 2008
Validation Report Number: CCEVS-VR-VID10299-2008
Product Type: Multiple Domain Solution
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifiers: None
CC Testing Lab: SAIC Common Criteria Testing Laboratory
PRODUCT DESCRIPTION
The Logical Partition Architecture for Power Systems (LPAR) is a product that allows disparate guest operating systems (e.g., AIX, Linux, i5/OS) to share one set of hardware resources. The product is built around a 'hypervisor' that instantiates 'partitions', each with its own distinct resources, and each partition appears to the operating system it hosts as a complete, fully functional platform. Partitions are implemented to prevent interference among partitions and to prevent simultaneous sharing of storage and other device resources. The operating systems executing in the partitions are treated as subjects of the LPAR: LPAR not only provides the operational support those operating systems need, but also separates them from each other to ensure mutual non-interference. This evaluation added the separation of I/O device adapters. LPAR controls which device adapters a given partition can access; it does not control or otherwise constrain the nature of those device adapters (or the devices attached to them).
While not included as part of the evaluation, LPAR is configured using a connected Hardware Management Console (HMC) that provides the functions administrative personnel need to manage the allocation of resources (i.e., processors, memory, and I/O device adapters) to the configured partitions. Once LPAR is configured, the HMC must be disconnected, so that LPAR offers no management interface while operating in its evaluated configuration.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the IBM LPAR Target of Evaluation (TOE) was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2. The product, when delivered and configured as described in the Common Criteria Installation Instructions for IBM Logical Partitioning Architecture on Power System document, satisfies all of the security functional requirements stated in the IBM Logical Partition Architecture for Power6 Security Target (Version 1.0). The project underwent three Validation Oversight Review (VOR) panel reviews. The evaluation was completed in November 2008. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10299-2008, dated 26 November 2008) prepared by CCEVS.
ENVIRONMENTAL STRENGTHS
The logical boundaries of LPAR can be characterized as the set of security functions available at its physical interfaces. Each of these security functions is summarized below.
User Data Protection: LPAR manages the association of CPUs, memory, and I/O devices with partitions containing operating system instances, in a relatively static environment. Memory and I/O devices can be assigned to a single partition, and once assigned are accessible only by that partition. A CPU can likewise be assigned to a single partition, and only that partition (and occasionally the TOE itself) can use that CPU. CPUs can also be configured to be shared among a collection of partitions (shared processor partitions, also called micro-partitions); in that case LPAR saves and restores the hardware register state when switching between partitions, so that one partition never observes another partition's register contents.
LPAR also provides a mechanism where users can create LPAR groups (also referred to as eWLM groups), in which a listed set of partitions is allowed to share a quantity of resources (memory and processors, but not I/O) among themselves. At any point in time a resource is still owned by one and only one partition, but the operating system is given the ability to remove the resource from one partition, after which another partition in the same group can add it to itself. LPAR clears out the state of the resource before it is moved between partitions, so the new owner never sees data left behind by the previous owner.
The Hypervisor allows the configuration of I/O device adapters, such as Ethernet adapters and virtual local area network (VLAN) adapters, which can be used to provide connections between partitions. I/O device adapters are the only mechanism offered by the Hypervisor that facilitates communication between partitions, and such communication is possible only when partitions are explicitly configured to have access to specific I/O device adapters (i.e., those that provide communication services, such as virtual SCSI, virtual LAN, and Ethernet).
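The ownership rules above (one owner per resource, access only by the owner, I/O adapters never pooled, group-restricted moves, and state cleared before a move) are the kind of policy a reference monitor enforces. The following is an added illustrative model of that policy in Python; it is not IBM's hypervisor code, and the class and method names (HypervisorModel, assign, release, acquire) and the scenario data are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Kind(Enum):
    CPU = "cpu"
    MEMORY = "memory"
    IO = "io"  # device adapters: assignable to one partition, never pooled in a group


@dataclass
class Resource:
    name: str
    kind: Kind
    owner: Optional[str] = None   # at most one owning partition at any instant
    pool: Optional[str] = None    # group within which a released resource may be re-acquired
    state: bytes = b""            # memory contents or saved register state


class PolicyViolation(Exception):
    """Raised when an operation would violate the separation policy."""


class HypervisorModel:
    """Reference-monitor style model (hypothetical interface, not IBM's): every
    access is checked against the single owner recorded for the resource."""

    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}
        self.groups: Dict[str, Optional[str]] = {}  # partition id -> LPAR group or None

    def define_partition(self, pid: str, group: Optional[str] = None) -> None:
        self.groups[pid] = group

    def define_resource(self, name: str, kind: Kind) -> None:
        self.resources[name] = Resource(name, kind)

    def assign(self, pid: str, rname: str) -> None:
        """HMC-time (static) assignment: a resource goes to exactly one partition."""
        res = self.resources[rname]
        if pid not in self.groups:
            raise PolicyViolation(f"unknown partition {pid}")
        if res.owner is not None:
            raise PolicyViolation(f"{rname} is already owned by {res.owner}")
        res.owner, res.pool = pid, None

    def _owned(self, pid: str, rname: str) -> Resource:
        res = self.resources[rname]
        if res.owner != pid:
            raise PolicyViolation(f"{pid} does not own {rname}")
        return res

    def write(self, pid: str, rname: str, data: bytes) -> None:
        self._owned(pid, rname).state = data

    def read(self, pid: str, rname: str) -> bytes:
        return self._owned(pid, rname).state

    def release(self, pid: str, rname: str) -> None:
        """OS-initiated removal from a partition in a group; state is cleared first."""
        res = self._owned(pid, rname)
        group = self.groups[pid]
        if group is None:
            raise PolicyViolation(f"{pid} is not in a group; its assignments are static")
        if res.kind is Kind.IO:
            raise PolicyViolation("I/O adapters cannot be moved between partitions")
        res.state = bytes(len(res.state))   # zero-fill before the resource changes hands
        res.owner, res.pool = None, group

    def acquire(self, pid: str, rname: str) -> None:
        """OS-initiated add: only an unowned resource released within the same group."""
        res = self.resources[rname]
        if res.owner is not None:
            raise PolicyViolation(f"{rname} is still owned by {res.owner}")
        if res.pool is None or res.pool != self.groups.get(pid):
            raise PolicyViolation(f"{rname} is not available to the group of {pid}")
        res.owner, res.pool = pid, None


def denied(op: Callable[..., object], *args: object) -> bool:
    """True if the model rejects the operation."""
    try:
        op(*args)
    except PolicyViolation:
        return True
    return False


def scenario() -> Dict[str, object]:
    """Constructed scenario: lp1 and lp2 share group 'g1'; lp3 is standalone."""
    hv = HypervisorModel()
    hv.define_partition("lp1", group="g1")
    hv.define_partition("lp2", group="g1")
    hv.define_partition("lp3")
    hv.define_resource("mem0", Kind.MEMORY)
    hv.define_resource("eth0", Kind.IO)
    hv.assign("lp1", "mem0")
    hv.assign("lp1", "eth0")
    hv.write("lp1", "mem0", b"secret")
    out: Dict[str, object] = {
        "peer_read_denied": denied(hv.read, "lp2", "mem0"),      # exclusive ownership
        "double_assign_denied": denied(hv.assign, "lp2", "mem0"),
        "io_move_denied": denied(hv.release, "lp1", "eth0"),     # I/O is never pooled
    }
    hv.release("lp1", "mem0")
    out["outsider_acquire_denied"] = denied(hv.acquire, "lp3", "mem0")
    hv.acquire("lp2", "mem0")
    out["new_owner_sees"] = hv.read("lp2", "mem0")               # cleared, no residue
    out["old_owner_denied"] = denied(hv.read, "lp1", "mem0")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

The model separates the static HMC-time operation (assign) from the run-time operations available to a partition's operating system (read, write, release, acquire), which mirrors the page's point that once the HMC is disconnected the only changes a partition can make are moves inside its own group. The zero-fill in release is the object-reuse check: whatever lp1 wrote is gone before lp2 can read the memory.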
Identification and Authentication: Partitions are implicitly identified and authenticated by internal numerical identifiers associated with partitions (using internal data structures) as they are defined. Being implicitly identified by LPAR, partitions have no need, nor means, to identify themselves. Furthermore, the identification of a partition is guaranteed by LPAR and as such each partition is also continuously authenticated.
Security management: All LPAR configuration occurs via the interface to the HMC. Since the HMC is disconnected while LPAR is operational, LPAR offers no security management functions in its evaluated configuration. LPAR nonetheless restricts the ability to change its own configuration: no partition can alter the resource assignments that were set through the HMC.
Protection of the TOE Security Functions: The components of LPAR protect themselves using the domains provided by the Power6 processors. LPAR operates in the privileged domain and the partitions operate in the unprivileged domain. This allows LPAR to protect itself as well as the resources it makes selectively available to the applicable partitions. Beyond protecting itself and its resources, LPAR is also designed such that when the hardware that supports a partition fails, the other partitions will continue uninterrupted.
VENDOR INFORMATION
IBM Internet Security Systems, Inc. Garry Sullivan 507-253-7954 507-253-0335 (Fax) garryjs@us.ibm.com