| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251217172505.112398-1-ssrish@linux.ibm.com>
Date: Wed, 17 Dec 2025 22:54:59 +0530
From: Srish Srinivasan <ssrish@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, keyrings@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org
Cc: maddy@...ux.ibm.com, mpe@...erman.id.au, npiggin@...il.com,
christophe.leroy@...roup.eu, James.Bottomley@...senPartnership.com,
jarkko@...nel.org, zohar@...ux.ibm.com, nayna@...ux.ibm.com,
rnsastry@...ux.ibm.com, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, ssrish@...ux.ibm.com
Subject: [PATCH v2 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM)
Power11 has introduced a feature called the PowerVM Key Wrapping Module
(PKWM), where PowerVM in combination with Power LPAR Platform KeyStore
(PLPKS) [1] supports a new feature called "Key Wrapping" [2] to protect
user secrets by wrapping them using a hypervisor generated wrapping key.
This wrapping key is an AES-GCM-256 symmetric key that is stored as an
object in the PLPKS. It has policy based protections that prevents it from
being read out or exposed to the user. This wrapping key can then be used
by the OS to wrap or unwrap secrets via hypervisor calls.
This patchset intends to add the PKWM, which is a combination of IBM
PowerVM and PLPKS, as a new trust source for trusted keys. The wrapping key
does not exist by default and its generation is requested by the kernel at
the time of PKWM initialization. This key is then persisted by the PKWM and
is used for wrapping any kernel provided key, and is never exposed to the
user. The kernel is aware of only the label to this wrapping key.
Along with the PKWM implementation, this patchset includes two preparatory
patches: one fixing the kernel-doc incosistencies in the PLPKS code and
another reorganizing PLPKS config variables in the sysfs.
Changelog:
v2:
* Patch 2:
- Fix build warning detected by the kernel test bot
* Patch 5:
- Use pr_debug inside dump_options
- Replace policyhande with wrap_flags inside dump_options
- Provide meaningful error messages with error codes
Nayna Jain (1):
docs: trusted-encryped: add PKWM as a new trust source
Srish Srinivasan (5):
pseries/plpks: fix kernel-doc comment inconsistencies
powerpc/pseries: move the PLPKS config inside its own sysfs directory
pseries/plpks: expose PowerVM wrapping features via the sysfs
pseries/plpks: add HCALLs for PowerVM Key Wrapping Module
keys/trusted_keys: establish PKWM as a trusted source
.../ABI/testing/sysfs-firmware-plpks | 58 ++
Documentation/ABI/testing/sysfs-secvar | 65 --
.../admin-guide/kernel-parameters.txt | 1 +
Documentation/arch/powerpc/papr_hcalls.rst | 43 ++
.../security/keys/trusted-encrypted.rst | 50 ++
MAINTAINERS | 9 +
arch/powerpc/include/asm/hvcall.h | 4 +-
arch/powerpc/include/asm/plpks.h | 95 +--
arch/powerpc/include/asm/secvar.h | 1 -
arch/powerpc/kernel/secvar-sysfs.c | 21 +-
arch/powerpc/platforms/pseries/Makefile | 2 +-
arch/powerpc/platforms/pseries/plpks-secvar.c | 29 -
arch/powerpc/platforms/pseries/plpks-sysfs.c | 96 +++
arch/powerpc/platforms/pseries/plpks.c | 689 +++++++++++++++++-
include/keys/trusted-type.h | 7 +-
include/keys/trusted_pkwm.h | 22 +
security/keys/trusted-keys/Kconfig | 8 +
security/keys/trusted-keys/Makefile | 2 +
security/keys/trusted-keys/trusted_core.c | 6 +-
security/keys/trusted-keys/trusted_pkwm.c | 168 +++++
20 files changed, 1175 insertions(+), 201 deletions(-)
create mode 100644 Documentation/ABI/testing/sysfs-firmware-plpks
create mode 100644 arch/powerpc/platforms/pseries/plpks-sysfs.c
create mode 100644 include/keys/trusted_pkwm.h
create mode 100644 security/keys/trusted-keys/trusted_pkwm.c
--
2.47.3
Powered by blists - more mailing lists