Merge pull request #93101 from SNiemann15/ibmz_hw_based_encryption

[OSDOCS-11048] IBM Z - Add module for CEX hw encryption

Author: skopacz1

installing/installing_ibm_z/upi/installing-ibm-z-kvm.adoc

@@ -51,7 +51,9 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev
 
 include::modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc[leveloffset=+1]
 
-include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-encryption-kvm.adoc[leveloffset=+2]
+
+include::modules/ibm-z-secure-execution.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -62,7 +64,9 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_virtualization/securing-virtual-machines-in-rhel_configuring-and-managing-virtualization#setting-up-secure-execution-on-ibm-z_securing-virtual-machines-in-rhel[Setting up {ibm-name} Secure Execution on {ibm-z-title}]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+3]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -100,10 +104,9 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
 [id="next-steps_ibm-z-kvm"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-
-* If necessary, you can
-xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-ibm-z-lpar.adoc

@@ -47,7 +47,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -83,12 +87,11 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
-[id="next-steps_installing-ibm-z-lpar"]
-== Next steps
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
 
-* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
+[id="next-steps_ibm-z-lpar"]
+== Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}]
 
-* If necessary, you can
-xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-ibm-z.adoc

@@ -48,7 +48,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -84,12 +88,12 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
 [id="next-steps_ibm-z-vm"]
 == Next steps
 
-* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}].
+* xref:../../../machine_configuration/machine-configs-configure.adoc#rhcos-enabling-multipath-day-2_machine-configs-configure[Enabling multipathing with kernel arguments on {op-system}]
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]
 
-* If necessary, you can
-xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

installing/installing_ibm_z/upi/installing-restricted-networks-ibm-z-kvm.adoc

@@ -59,7 +59,9 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev
 
 include::modules/installation-ibm-z-kvm-user-infra-installing-rhcos.adoc[leveloffset=+1]
 
-include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-encryption-kvm.adoc[leveloffset=+2]
+
+include::modules/ibm-z-secure-execution.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -70,7 +72,9 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2]
 
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_virtualization/securing-virtual-machines-in-rhel_configuring-and-managing-virtualization#setting-up-secure-execution-on-ibm-z_securing-virtual-machines-in-rhel[Setting up {ibm-name} Secure Execution on {ibm-z-title}]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+3]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+3]
 
 [role="_additional-resources"]
 .Additional resources
@@ -106,10 +110,12 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[Image configuration resources (Classic)]
+
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+
 [id="next-steps_ibm-z-kvm-restricted"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
-* If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-restricted-networks-ibm-z-lpar.adoc

@@ -55,7 +55,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
@@ -89,10 +93,12 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
+* xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[Image configuration resources (Classic)]
+
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+
 [id="next-steps_ibm-z-lpar-restricted"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
-* If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

installing/installing_ibm_z/upi/installing-restricted-networks-ibm-z.adoc

@@ -56,7 +56,11 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1]
 
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1]
 
-include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+1]
+include::modules/ibm-z-configure-boot-volume-encryption.adoc[leveloffset=+1]
+
+include::modules/ibm-z-configure-hw-based-cex-encryption.adoc[leveloffset=+2]
+
+include::modules/ibm-z-configure-nbde-with-static-ip.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 [id="additional-resources_Configure-nbde-ibm-z-restricted"]
@@ -91,10 +95,12 @@ include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 
 * link:https://access.redhat.com/solutions/4387261[How to generate SOSREPORT within {product-title} version 4 nodes without SSH]
 
-[id="next-steps_ibm-z-restricted"]
+* xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[Image configuration resources (Classic)]
+
+* xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[Opting out of remote health reporting]
+
+
+[id="next-steps_ibm-z-zvm-restricted"]
 == Next steps
 
-* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
-* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
-* If necessary, you can xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
-* If necessary, see xref:../../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_opting-out-remote-health-reporting[Registering your disconnected cluster]
+* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]

modules/ibm-z-configure-boot-volume-encryption.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
+// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-boot-volume-encryption-ibm-z-linuxone-environment_{context}"]
+= Configuring boot volume encryption in an {ibm-z-title} or {ibm-linuxone-title} environment
+
+You can choose between two methods to optionally encrypt the boot volumes of your {product-title} control plane and compute nodes on {ibm-z-name} or {ibm-linuxone-name}:
+
+* Linux Unified Key Setup (LUKS) encryption via {ibm-name} Crypto Express (CEX)
+* Network Bound Disk Encryption (NBDE)

modules/ibm-z-configure-encryption-kvm.adoc

@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="configuring-encryption-kvm-ibm-z-linuxone-environment_{context}"]
+= Configuring encryption for nodes in an {ibm-z-title} or {ibm-linuxone-title} environment
+
+You can choose between three methods to optionally secure your {product-title} control plane and compute nodes on {ibm-z-name} or {ibm-linuxone-name}:
+
+* {ibm-name} Secure Execution
+* Linux Unified Key Setup (LUKS) encryption via {ibm-name} Crypto Express (CEX)
+* Network Bound Disk Encryption (NBDE)