

IPL Command

Preferred Machine Assist (PMA) is one of the performance enhancements available for production guest virtual machines. It lets these machines run in real supervisor state. Virtual machines that run in real supervisor state can examine or modify any storage on the machine. They can also execute I/O to any device unchecked. To activate real supervisor state, the virtual machine must have the V=R or V=F directory option. You must also IPL the system with the PMA or PMAV option.

To enable PMA, specify PMA as a parameter on the CP IPL command, for example IPL 440 PMA. This command performs an IPL from device 440 and requests PMA initialization. A PMAV option also exists that provides the same basic function as PMA with some extensions.

Absolutely no constraints apply to the OS/390 V=R guest when running through PMA; the guest has complete control of the machine until the microcode transfers control back to VM. Therefore, you might want to prevent an untrusted V=R guest from invoking PMA or PMAV.

To prevent IPL ccu PMA and IPL ccu PMAV while allowing other forms of the CP IPL command, use a rule such as the one shown below.

$KEY(IPL)
 - PM- - UID(*) PREVENT
 - PM- - UID(PRODSYS) ALLOW
 -     UID(-) ALLOW

In the above rule, only the OS/390 production user (PRODSYS) can IPL with PMA or PMAV. All other users are prevented from IPLing with PMA and PMAV. All other IPLs are allowed.