IBM Z9, Руководство по планированию

Страница: 239 / 274

z/OS or MVS/ESA CONFIG (CF) operator command. See z/OS MVS System
Commands for further detail. While processing this command, MVS must interact
with PR/SM, via a service call instruction, to request that the storage be varied.
Because storage cannot be varied without PR/SM involvement, no way exists to
circumvent the validity checking PR/SM does to confine a partition occupant within
the storage limits defined for the logical partition.
I/O Security Considerations
IOCDS Considerations
Chapter 2, “Planning Considerations” contains a very thorough discussion of I/O
configuration-related topics. It should be read in its entirety before reading the
following security considerations.
When the IOCDS does not specify any sharing, I/O devices are owned solely by the
logical partitions that own the channel paths that are attached to them. Even if a
channel path has been designated as reconfigurable, that channel path cannot be
removed from a logical partition unless the channel path has first been taken offline
from within that logical partition. For z/OS System Control Program (SCP) partitions,
this is done with the SCP operator command CONFIG (CF). For partitions
containing other SCPs, the Channel Operations task list must be used. Use the
Configure On/Off task to configure channel paths that are online. Use the Release
task to release the channel paths that are isolated. Or, use the Reassign Channel
Path task to reconfigure a CHPID in one step.
I/O sharing, Dynamic I/O Configuration and Dynamic CHPID Management are
available in the trusted product, they should never be used in secure installation. If
the IOCDS were to specify I/O sharing, it would be indicated in the Input/Output
Configuration Program’s Configuration Reports (see the Input/Output Configuration
Program User’s Guide .)
In a secure installation, a channel path must never be defined as shared in the
IOCDS. Specification of a shared channel path can compromise the security of the
installation. A shared channel path is defined by specifying one of the following on
the CHPID statement:
v
SHARED keyword
v NOTPART keyword
v
PARTITION keyword with more than one logical partition in the access list
v IOCLUSTER keyword
v
PATH keyword with more than one CSS ID (i.e. a spanned channel path)
Shared channel paths were not part of the evaluated product. Use of a shared
channel path allows the possibility of two partitions having access to the same I/O
control units and devices. This is in contradiction to the policy of strict separation.
Additionally, the use of shared channels may facilitate some form of covert
signaling. However, if covert signaling is not perceived to be a significant threat, it is
highly recommended that each use of a shared channel be carefully analyzed for its
possible effect on the installations security policy. Although a shared channel path is
defined to be shared, none of the devices that are connected to it need to be
shared among logical partitions. When devices are assigned to a single logical
partition, they cannot be accessed by any other logical partition.
Appendix B. Developing, Building, and Delivering a Certified System
B-5