Patch Detail
GET /api/1.0/patches/2175290/?format=api
{ "id": 2175290, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2175290/?format=api", "project": { "id": 2, "url": "http://patchwork.ozlabs.org/api/1.0/projects/2/?format=api", "name": "Linux PPC development", "link_name": "linuxppc-dev", "list_id": "linuxppc-dev.lists.ozlabs.org", "list_email": "linuxppc-dev@lists.ozlabs.org", "web_url": "https://github.com/linuxppc/wiki/wiki", "scm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git", "webscm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/" }, "msgid": "<20251217172505.112398-6-ssrish@linux.ibm.com>", "date": "2025-12-17T17:25:04", "name": "[v2,5/6] keys/trusted_keys: establish PKWM as a trusted source", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": false, "hash": "18544f1eed1026fd49a004f4118f7f7a43bfec7a", "submitter": { "id": 90762, "url": "http://patchwork.ozlabs.org/api/1.0/people/90762/?format=api", "name": "Srish Srinivasan", "email": "ssrish@linux.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20251217172505.112398-6-ssrish@linux.ibm.com/mbox/", "series": [ { "id": 485734, "url": "http://patchwork.ozlabs.org/api/1.0/series/485734/?format=api", "date": "2025-12-17T17:24:59", "name": "Extend \"trusted\" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM)", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/485734/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2175290/checks/", "tags": {}, "headers": { "Return-Path": "\n <linuxppc-dev+bounces-14849-incoming=patchwork.ozlabs.org@lists.ozlabs.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linuxppc-dev@lists.ozlabs.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 
header.b=WjtlfQhd;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-14849-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)", "lists.ozlabs.org;\n arc=none smtp.remote-ip=148.163.158.5", "lists.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=linux.ibm.com", "lists.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=WjtlfQhd;\n\tdkim-atps=neutral", "lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com\n (client-ip=148.163.158.5; helo=mx0b-001b2d01.pphosted.com;\n envelope-from=ssrish@linux.ibm.com; receiver=lists.ozlabs.org)" ], "Received": [ "from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4dWggg4F2Rz1y0P\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 18 Dec 2025 04:26:07 +1100 (AEDT)", "from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4dWggF15htz3bb2;\n\tThu, 18 Dec 2025 04:25:45 +1100 (AEDT)", "from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com\n [148.163.158.5])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4dWggD206Fz30TL\n\tfor <linuxppc-dev@lists.ozlabs.org>; Thu, 18 Dec 2025 04:25:43 +1100 (AEDT)", "from pps.filterd (m0360072.ppops.net [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id\n 5BHBDZp0018154;\n\tWed, 17 Dec 2025 17:25:32 GMT", "from pps.reinject (localhost [127.0.0.1])\n\tby mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4b0yt1nbk8-1\n\t(version=TLSv1.2 
cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n\tWed, 17 Dec 2025 17:25:31 +0000 (GMT)", "from m0360072.ppops.net (m0360072.ppops.net [127.0.0.1])\n\tby pps.reinject (8.18.1.12/8.18.0.8) with ESMTP id 5BHHDmqd009332;\n\tWed, 17 Dec 2025 17:25:31 GMT", "from ppma13.dal12v.mail.ibm.com\n (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221])\n\tby mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4b0yt1nbk0-1\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n\tWed, 17 Dec 2025 17:25:31 +0000 (GMT)", "from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1])\n\tby ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 5BHEkA4U014406;\n\tWed, 17 Dec 2025 17:25:30 GMT", "from smtprelay05.fra02v.mail.ibm.com ([9.218.2.225])\n\tby ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 4b1mpk3afs-1\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n\tWed, 17 Dec 2025 17:25:30 +0000", "from smtpav01.fra02v.mail.ibm.com (smtpav01.fra02v.mail.ibm.com\n [10.20.54.100])\n\tby smtprelay05.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 5BHHPQ8M26542526\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n\tWed, 17 Dec 2025 17:25:26 GMT", "from smtpav01.fra02v.mail.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id 977152004B;\n\tWed, 17 Dec 2025 17:25:26 +0000 (GMT)", "from smtpav01.fra02v.mail.ibm.com (unknown [127.0.0.1])\n\tby IMSVA (Postfix) with ESMTP id AD3D920040;\n\tWed, 17 Dec 2025 17:25:23 +0000 (GMT)", "from li-fc74f8cc-3279-11b2-a85c-ef5828687581.ibm.com.com (unknown\n [9.124.211.226])\n\tby smtpav01.fra02v.mail.ibm.com (Postfix) with ESMTP;\n\tWed, 17 Dec 2025 17:25:23 +0000 (GMT)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1765992345;\n\tcv=none;\n 
b=P+9ERR9P49RRAU9XMpYHgRbDB/qVsFO6dqF0/LoTGRqcAT6MVN6oYFmQA+6zZn84OOYxXC4bjKxIiZBurgXAMmZ4/kAy8w8nhD9vgswnH2sAHO85BeXfOfTKBTWmoY1c1o6AiOtXRZIo5PFpxjym4hCLS9JrUgiahlr+RHEq/PesE7rJQHdTy5sRt9WGO6hAWKczcuBYdqtN5XVHzRSUYvxpdsuM+Jrdkp7KJ4g/96lK+DHF1qEMNModtJsk/iQDADnAKxyersY4U4+qF8eE7TBUHPUio8e8VO1lasCsi0u/xlRTWX/Zo4jhGWLOV13IQqtX66UM0CDxef2TjNunDQ==", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1765992345; c=relaxed/relaxed;\n\tbh=VofaA8q/4ABtaWVAdbWNse/SgziEVn30CfP4o9F2G2g=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=Vv7iFxesJoa75Ft+5rb3w5plZ+ggmOKSLk75nVxlPtK9tzDsu0yy232WD97gARyqYUH2viHQ5vqWgfZUnjNJnUtbUsAmr5l3ROk1j3KDVNsIMVwsQbuOzU/u8wLRpO+tB879l+rbiNY8WOYCqmp+qaTkVu8SmXqSGRl6UTluccQ2pnYsCWKq8IqYPzO68HFAwez6GrVeTeMSyfj82IldAghK65zcp6A7HrNjeNugbX1ofpYzgTNdNnDxpX/1JiuBZ9gyJ2piPLHby2Ei80tK1/ex2j8xLMek0ZuLKswXVWeI9M2HBeiK9wxbP9dUDHZCSFJm0DAIgeo8u8R26BKj4g==", "ARC-Authentication-Results": "i=1; lists.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=linux.ibm.com;\n dkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=WjtlfQhd; dkim-atps=neutral;\n spf=pass (client-ip=148.163.158.5; helo=mx0b-001b2d01.pphosted.com;\n envelope-from=ssrish@linux.ibm.com;\n receiver=lists.ozlabs.org) smtp.mailfrom=linux.ibm.com", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n\t:content-transfer-encoding:date:from:in-reply-to:message-id\n\t:mime-version:references:subject:to; s=pp1; bh=VofaA8q/4ABtaWVAd\n\tbWNse/SgziEVn30CfP4o9F2G2g=; b=WjtlfQhdW71UC6ku7wPdIXUG0iyc4uQXG\n\tslMLawU7QoaFfl+3VE05pU2pPjHklLiRmo+h/YBx4RRaRQ4KPKKGyBrMHqkxz3RR\n\tDVBKgIamQqjF91igFsUelvPy+Sb7xzwzeW1li+pOAngA5ObzoZbKzjID/+86Wz12\n\tqcJQnXUFZCZftngcKQrtNR1BJdmFrlU/PqgAG3/ybAScqk1xbwqhOfkMlt5UeJ4U\n\tA2lLjTKpccNYdjaYsojE2eP+e+YpsPz8dv2sfXSgqN6I9lNEV+E7D0bA/uZyelyx\n\tIP9uIZQgxBjg9quCiqB7oOC6Z317+vEt2b6vgbB2kyxSfiH7nDtZw==", "From": "Srish 
Srinivasan <ssrish@linux.ibm.com>", "To": "linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,\n linuxppc-dev@lists.ozlabs.org", "Cc": "maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,\n christophe.leroy@csgroup.eu, James.Bottomley@HansenPartnership.com,\n jarkko@kernel.org, zohar@linux.ibm.com, nayna@linux.ibm.com,\n rnsastry@linux.ibm.com, linux-kernel@vger.kernel.org,\n linux-security-module@vger.kernel.org, ssrish@linux.ibm.com", "Subject": "[PATCH v2 5/6] keys/trusted_keys: establish PKWM as a trusted source", "Date": "Wed, 17 Dec 2025 22:55:04 +0530", "Message-ID": "<20251217172505.112398-6-ssrish@linux.ibm.com>", "X-Mailer": "git-send-email 2.52.0", "In-Reply-To": "<20251217172505.112398-1-ssrish@linux.ibm.com>", "References": "<20251217172505.112398-1-ssrish@linux.ibm.com>", "X-Mailing-List": "linuxppc-dev@lists.ozlabs.org", "List-Id": "<linuxppc-dev.lists.ozlabs.org>", "List-Help": "<mailto:linuxppc-dev+help@lists.ozlabs.org>", "List-Owner": "<mailto:linuxppc-dev+owner@lists.ozlabs.org>", "List-Post": "<mailto:linuxppc-dev@lists.ozlabs.org>", "List-Archive": "<https://lore.kernel.org/linuxppc-dev/>,\n <https://lists.ozlabs.org/pipermail/linuxppc-dev/>", "List-Subscribe": "<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>", "List-Unsubscribe": "<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>", "Precedence": "list", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-TM-AS-GCONF": "00", "X-Proofpoint-GUID": "j92BvtY8jI_MrRpFlQT2MO_SpqYwH-b4", "X-Proofpoint-ORIG-GUID": "rFPkEKvzYdDBUz6OSgPZKktOL4Y-vj_m", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjUxMjEzMDAyMyBTYWx0ZWRfXwT65vapD1Vhr\n PMFYUn4BhX1SN9oBKkcfPuYCAIVJwsNzMSocet92RoCzPJ62xt+s8cU28o2+V+6w/0Bswi6p9ut\n xC8G3GaQCJ12C230eTWGsilaYfuLtDdlsSpvefLwAnuaXVGpUQT0UOwCCFetYHIXhfp2aMMjPTO\n 
hF9xEo9KlYuVooS9F+ueyzP6XBPLSUQTafb4C+riQ5uXT9yTMi/7mmt1cof/UfGWyqKMfiab0hN\n vsh+VIVMthaZz++Do4vuEPWRGPXRAXg8/TKCcsqKwp6GRLLJUs1uBBMtZg+/mOGw56ZPDX26v6T\n Hti6ofj+VV8q9J2gdCX33vPy3j1aryJhjkJdva+w2zChId+oCC4CvsZ6OYv9mDEXaIJHKP46FcG\n 1K9op2RrWXJOpndXYvgul7ZRSlse1Q==", "X-Authority-Analysis": "v=2.4 cv=L/MQguT8 c=1 sm=1 tr=0 ts=6942e78b cx=c_pps\n a=AfN7/Ok6k8XGzOShvHwTGQ==:117 a=AfN7/Ok6k8XGzOShvHwTGQ==:17\n a=wP3pNCr1ah4A:10 a=VkNPw1HP01LnGYTKEx00:22 a=VnNF1IyMAAAA:8 a=VwQbUJbxAAAA:8\n a=SGwaXr-4V_wxwTcTBwMA:9", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49\n definitions=2025-12-17_03,2025-12-16_05,2025-10-01_01", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n impostorscore=0 phishscore=0 malwarescore=0 adultscore=0 priorityscore=1501\n clxscore=1015 lowpriorityscore=0 bulkscore=0 spamscore=0 suspectscore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.19.0-2510240000 definitions=main-2512130023", "X-Spam-Status": "No, score=-0.7 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,\n\tRCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,\n\tSPF_PASS autolearn=disabled version=4.0.1 OzLabs 8", "X-Spam-Checker-Version": "SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org" }, "content": "The wrapping key does not exist by default and is generated by the\nhypervisor as a part of PKWM initialization. This key is then persisted by\nthe hypervisor and is used to wrap trusted keys. These are variable length\nsymmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are\ngenerated using the kernel RNG. 
PKWM can be used as a trust source through\nthe following example keyctl command\n\nkeyctl add trusted my_trusted_key \"new 32\" @u\n\nUse the wrap_flags command option to set the secure boot requirement for\nthe wrapping request through the following keyctl commands\n\ncase1: no secure boot requirement. (default)\nkeyctl usage: keyctl add trusted my_trusted_key \"new 32\" @u\n\t OR\n\t keyctl add trusted my_trusted_key \"new 32 wrap_flags=0x00\" @u\n\ncase2: secure boot required to in either audit or enforce mode. set bit 0\nkeyctl usage: keyctl add trusted my_trusted_key \"new 32 wrap_flags=0x01\" @u\n\ncase3: secure boot required to be in enforce mode. set bit 1\nkeyctl usage: keyctl add trusted my_trusted_key \"new 32 wrap_flags=0x02\" @u\n\nNOTE:\n-> Setting the secure boot requirement is NOT a must.\n-> Only either of the secure boot requirement options should be set. Not\nboth.\n-> All the other bits are requied to be not set.\n-> Set the kernel parameter trusted.source=pkwm to choose PKWM as the\nbackend for trusted keys implementation.\n-> CONFIG_PSERIES_PLPKS must be enabled to build PKWM.\n\nAdd PKWM, which is a combination of IBM PowerVM and Power LPAR Platform\nKeyStore, as a new trust source for trusted keys.\n\nSigned-off-by: Srish Srinivasan <ssrish@linux.ibm.com>\n---\n MAINTAINERS | 9 ++\n include/keys/trusted-type.h | 7 +-\n include/keys/trusted_pkwm.h | 22 +++\n security/keys/trusted-keys/Kconfig | 8 ++\n security/keys/trusted-keys/Makefile | 2 +\n security/keys/trusted-keys/trusted_core.c | 6 +-\n security/keys/trusted-keys/trusted_pkwm.c | 168 ++++++++++++++++++++++\n 7 files changed, 220 insertions(+), 2 deletions(-)\n create mode 100644 include/keys/trusted_pkwm.h\n create mode 100644 security/keys/trusted-keys/trusted_pkwm.c", "diff": "diff --git a/MAINTAINERS b/MAINTAINERS\nindex c9e416ba74c6..be4f561ec28a 100644\n--- a/MAINTAINERS\n+++ b/MAINTAINERS\n@@ -13994,6 +13994,15 @@ S:\tSupported\n F:\tinclude/keys/trusted_dcp.h\n 
F:\tsecurity/keys/trusted-keys/trusted_dcp.c\n \n+KEYS-TRUSTED-PLPKS\n+M:\tSrish Srinivasan <ssrish@linux.ibm.com>\n+M:\tNayna Jain <nayna@linux.ibm.com>\n+L:\tlinux-integrity@vger.kernel.org\n+L:\tkeyrings@vger.kernel.org\n+S:\tSupported\n+F:\tinclude/keys/trusted_plpks.h\n+F:\tsecurity/keys/trusted-keys/trusted_pkwm.c\n+\n KEYS-TRUSTED-TEE\n M:\tSumit Garg <sumit.garg@kernel.org>\n L:\tlinux-integrity@vger.kernel.org\ndiff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h\nindex 4eb64548a74f..45c6c538df22 100644\n--- a/include/keys/trusted-type.h\n+++ b/include/keys/trusted-type.h\n@@ -19,7 +19,11 @@\n \n #define MIN_KEY_SIZE\t\t\t32\n #define MAX_KEY_SIZE\t\t\t128\n-#define MAX_BLOB_SIZE\t\t\t512\n+#if IS_ENABLED(CONFIG_TRUSTED_KEYS_PKWM)\n+#define MAX_BLOB_SIZE\t\t\t1152\n+#else\n+#define MAX_BLOB_SIZE 512\n+#endif\n #define MAX_PCRINFO_SIZE\t\t64\n #define MAX_DIGEST_SIZE\t\t\t64\n \n@@ -46,6 +50,7 @@ struct trusted_key_options {\n \tuint32_t policydigest_len;\n \tunsigned char policydigest[MAX_DIGEST_SIZE];\n \tuint32_t policyhandle;\n+\tuint16_t wrap_flags;\n };\n \n struct trusted_key_ops {\ndiff --git a/include/keys/trusted_pkwm.h b/include/keys/trusted_pkwm.h\nnew file mode 100644\nindex 000000000000..c7249d08b4d8\n--- /dev/null\n+++ b/include/keys/trusted_pkwm.h\n@@ -0,0 +1,22 @@\n+/* SPDX-License-Identifier: GPL-2.0 */\n+#ifndef __PKWM_TRUSTED_KEY_H\n+#define __PKWM_TRUSTED_KEY_H\n+\n+#include <keys/trusted-type.h>\n+\n+extern struct trusted_key_ops pkwm_trusted_key_ops;\n+\n+static inline void dump_options(struct trusted_key_options *o)\n+{\n+\tbool sb_audit_or_enforce_bit = o->wrap_flags & BIT(0);\n+\tbool sb_enforce_bit = o->wrap_flags & BIT(1);\n+\n+\tif (sb_audit_or_enforce_bit)\n+\t\tpr_debug(\"secure boot mode required: audit or enforce\");\n+\telse if (sb_enforce_bit)\n+\t\tpr_debug(\"secure boot mode required: enforce\");\n+\telse\n+\t\tpr_debug(\"secure boot mode required: disabled\");\n+}\n+\n+#endif\ndiff --git 
a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-keys/Kconfig\nindex 204a68c1429d..9e00482d886a 100644\n--- a/security/keys/trusted-keys/Kconfig\n+++ b/security/keys/trusted-keys/Kconfig\n@@ -46,6 +46,14 @@ config TRUSTED_KEYS_DCP\n \thelp\n \t Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.\n \n+config TRUSTED_KEYS_PKWM\n+\tbool \"PKWM-based trusted keys\"\n+\tdepends on PSERIES_PLPKS >= TRUSTED_KEYS\n+\tdefault y\n+\tselect HAVE_TRUSTED_KEYS\n+\thelp\n+\t Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.\n+\n if !HAVE_TRUSTED_KEYS\n \tcomment \"No trust source selected!\"\n endif\ndiff --git a/security/keys/trusted-keys/Makefile b/security/keys/trusted-keys/Makefile\nindex f0f3b27f688b..5fc053a21dad 100644\n--- a/security/keys/trusted-keys/Makefile\n+++ b/security/keys/trusted-keys/Makefile\n@@ -16,3 +16,5 @@ trusted-$(CONFIG_TRUSTED_KEYS_TEE) += trusted_tee.o\n trusted-$(CONFIG_TRUSTED_KEYS_CAAM) += trusted_caam.o\n \n trusted-$(CONFIG_TRUSTED_KEYS_DCP) += trusted_dcp.o\n+\n+trusted-$(CONFIG_TRUSTED_KEYS_PKWM) += trusted_pkwm.o\ndiff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c\nindex b1680ee53f86..2d328de170e8 100644\n--- a/security/keys/trusted-keys/trusted_core.c\n+++ b/security/keys/trusted-keys/trusted_core.c\n@@ -12,6 +12,7 @@\n #include <keys/trusted_caam.h>\n #include <keys/trusted_dcp.h>\n #include <keys/trusted_tpm.h>\n+#include <keys/trusted_pkwm.h>\n #include <linux/capability.h>\n #include <linux/err.h>\n #include <linux/init.h>\n@@ -31,7 +32,7 @@ MODULE_PARM_DESC(rng, \"Select trusted key RNG\");\n \n static char *trusted_key_source;\n module_param_named(source, trusted_key_source, charp, 0);\n-MODULE_PARM_DESC(source, \"Select trusted keys source (tpm, tee, caam or dcp)\");\n+MODULE_PARM_DESC(source, \"Select trusted keys source (tpm, tee, caam, dcp or pkwm)\");\n \n static const struct trusted_key_source trusted_key_sources[] = {\n #if 
defined(CONFIG_TRUSTED_KEYS_TPM)\n@@ -46,6 +47,9 @@ static const struct trusted_key_source trusted_key_sources[] = {\n #if defined(CONFIG_TRUSTED_KEYS_DCP)\n \t{ \"dcp\", &dcp_trusted_key_ops },\n #endif\n+#if defined(CONFIG_TRUSTED_KEYS_PKWM)\n+\t{ \"pkwm\", &pkwm_trusted_key_ops },\n+#endif\n };\n \n DEFINE_STATIC_CALL_NULL(trusted_key_seal, *trusted_key_sources[0].ops->seal);\ndiff --git a/security/keys/trusted-keys/trusted_pkwm.c b/security/keys/trusted-keys/trusted_pkwm.c\nnew file mode 100644\nindex 000000000000..d822b81afacf\n--- /dev/null\n+++ b/security/keys/trusted-keys/trusted_pkwm.c\n@@ -0,0 +1,168 @@\n+// SPDX-License-Identifier: GPL-2.0-only\n+/*\n+ * Copyright (C) 2025 IBM Corporation, Srish Srinivasan <ssrish@linux.ibm.com>\n+ */\n+\n+#include <keys/trusted_pkwm.h>\n+#include <keys/trusted-type.h>\n+#include <linux/build_bug.h>\n+#include <linux/key-type.h>\n+#include <linux/parser.h>\n+#include <asm/plpks.h>\n+\n+enum {\n+\tOpt_err,\n+\tOpt_wrap_flags,\n+};\n+\n+static const match_table_t key_tokens = {\n+\t{Opt_wrap_flags, \"wrap_flags=%s\"},\n+\t{Opt_err, NULL}\n+};\n+\n+static int getoptions(char *datablob, struct trusted_key_options **opt)\n+{\n+\tsubstring_t args[MAX_OPT_ARGS];\n+\tchar *p = datablob;\n+\tint token;\n+\tint res;\n+\tunsigned long wrap_flags;\n+\tunsigned long token_mask = 0;\n+\n+\tif (!datablob)\n+\t\treturn 0;\n+\n+\twhile ((p = strsep(&datablob, \" \\t\"))) {\n+\t\tif (*p == '\\0' || *p == ' ' || *p == '\\t')\n+\t\t\tcontinue;\n+\n+\t\ttoken = match_token(p, key_tokens, args);\n+\t\tif (test_and_set_bit(token, &token_mask))\n+\t\t\treturn -EINVAL;\n+\n+\t\tswitch (token) {\n+\t\tcase Opt_wrap_flags:\n+\t\t\tres = kstrtoul(args[0].from, 16, &wrap_flags);\n+\t\t\tif (res < 0 || wrap_flags > 2)\n+\t\t\t\treturn -EINVAL;\n+\t\t\t(*opt)->wrap_flags = wrap_flags;\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\treturn -EINVAL;\n+\t\t}\n+\t}\n+\treturn 0;\n+}\n+\n+static struct trusted_key_options *trusted_options_alloc(void)\n+{\n+\tstruct 
trusted_key_options *options;\n+\n+\toptions = kzalloc(sizeof(*options), GFP_KERNEL);\n+\treturn options;\n+}\n+\n+static int trusted_pkwm_seal(struct trusted_key_payload *p, char *datablob)\n+{\n+\tstruct trusted_key_options *options = NULL;\n+\tu8 *input_buf, *output_buf;\n+\tu32 output_len, input_len;\n+\tint rc;\n+\n+\toptions = trusted_options_alloc();\n+\tif (!options)\n+\t\treturn -ENOMEM;\n+\n+\trc = getoptions(datablob, &options);\n+\tif (rc < 0)\n+\t\tgoto out;\n+\tdump_options(options);\n+\n+\tinput_len = p->key_len;\n+\tinput_buf = kmalloc(ALIGN(input_len, 4096), GFP_KERNEL);\n+\tif (!input_buf) {\n+\t\tpr_err(\"Input buffer allocation failed. Returning -ENOMEM.\");\n+\t\treturn -ENOMEM;\n+\t}\n+\n+\tmemcpy(input_buf, p->key, p->key_len);\n+\n+\trc = plpks_wrap_object(&input_buf, input_len, options->wrap_flags,\n+\t\t\t &output_buf, &output_len);\n+\tif (!rc) {\n+\t\tmemcpy(p->blob, output_buf, output_len);\n+\t\tp->blob_len = output_len;\n+\t\tdump_payload(p);\n+\t} else {\n+\t\tpr_err(\"Wrapping of payload key failed: %d\\n\", rc);\n+\t}\n+\n+\tkfree(input_buf);\n+\tkfree(output_buf);\n+\n+out:\n+\tkfree_sensitive(options);\n+\treturn rc;\n+}\n+\n+static int trusted_pkwm_unseal(struct trusted_key_payload *p, char *datablob)\n+{\n+\tu8 *input_buf, *output_buf;\n+\tu32 input_len, output_len;\n+\tint rc;\n+\n+\tinput_len = p->blob_len;\n+\tinput_buf = kmalloc(ALIGN(input_len, 4096), GFP_KERNEL);\n+\tif (!input_buf) {\n+\t\tpr_err(\"Input buffer allocation failed. 
Returning -ENOMEM.\");\n+\t\treturn -ENOMEM;\n+\t}\n+\n+\tmemcpy(input_buf, p->blob, p->blob_len);\n+\n+\trc = plpks_unwrap_object(&input_buf, input_len, &output_buf,\n+\t\t\t\t &output_len);\n+\tif (!rc) {\n+\t\tmemcpy(p->key, output_buf, output_len);\n+\t\tp->key_len = output_len;\n+\t\tdump_payload(p);\n+\t} else {\n+\t\tpr_err(\"Unwrapping of payload failed: %d\\n\", rc);\n+\t}\n+\n+\tkfree(input_buf);\n+\tkfree(output_buf);\n+\n+\treturn rc;\n+}\n+\n+static int trusted_pkwm_init(void)\n+{\n+\tint ret;\n+\n+\tif (!plpks_wrapping_is_supported()) {\n+\t\tpr_err(\"H_PKS_WRAP_OBJECT interface not supported\\n\");\n+\t\treturn -ENODEV;\n+\t}\n+\n+\tret = plpks_gen_wrapping_key();\n+\tif (ret) {\n+\t\tpr_err(\"Failed to generate default wrapping key\\n\");\n+\t\treturn -EINVAL;\n+\t}\n+\n+\treturn register_key_type(&key_type_trusted);\n+}\n+\n+static void trusted_pkwm_exit(void)\n+{\n+\tunregister_key_type(&key_type_trusted);\n+}\n+\n+struct trusted_key_ops pkwm_trusted_key_ops = {\n+\t.migratable = 0, /* non-migratable */\n+\t.init = trusted_pkwm_init,\n+\t.seal = trusted_pkwm_seal,\n+\t.unseal = trusted_pkwm_unseal,\n+\t.exit = trusted_pkwm_exit,\n+};\n", "prefixes": [ "v2", "5/6" ] }
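Review bot: In the MAINTAINERS hunk the file pattern `F:	include/keys/trusted_plpks.h` does not match any file this patch creates; the header added is `include/keys/trusted_pkwm.h`, so the entry will never match it. The section title `KEYS-TRUSTED-PLPKS` is also the only place the PLPKS name is used for this backend; the Kconfig symbol, source file, header and `trusted.source=` string all say PKWM. Suggest `KEYS-TRUSTED-PKWM` with `F:	include/keys/trusted_pkwm.h`, which keeps get_maintainer.pl output correct for both new files.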
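Review bot: In the first trusted-type.h hunk the replacement `#define MAX_BLOB_SIZE 512` drops the tab alignment that the removed line and its neighbours (`MAX_KEY_SIZE`, `MAX_PCRINFO_SIZE`) use; keep `#define MAX_BLOB_SIZE\t\t\t512` so the block stays aligned. More importantly, `MAX_BLOB_SIZE` sizes the `blob[]` array in the shared `struct trusted_key_payload`, so with `TRUSTED_KEYS_PKWM` defaulting to y every trust source on a pseries-enabled kernel now carries a 1152-byte blob; the commit message should say where 1152 comes from (the wrapped-object format from the hypervisor) and that the larger payload applies to all backends, not just PKWM.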
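Review bot: In the trusted_pkwm.h hunk, `static inline void dump_options(struct trusted_key_options *o)` uses a generic name in a header that the trusted_core.c hunk includes right next to `<keys/trusted_tpm.h>`, which already provides a static inline helper of that name and signature for the TPM backend; a second definition in the same translation unit will not compile. Give it a backend-specific name (for example `pkwm_dump_options`) or make it a static function in trusted_pkwm.c, which is its only caller. Two smaller points: the header uses `BIT()` and `pr_debug()` without including `<linux/bits.h>` and `<linux/printk.h>`, and the three `pr_debug` strings lack a trailing `\n`.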
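Review bot: In the trusted_pkwm.c hunk, `trusted_pkwm_seal()` leaks `options` when `input_buf` allocation fails: that path does `return -ENOMEM` instead of `goto out`, so the `kfree_sensitive(options)` at `out:` is skipped. In both `trusted_pkwm_seal()` and `trusted_pkwm_unseal()`, `output_buf` is never initialised and is passed to `kfree()` unconditionally, so a failing `plpks_wrap_object()` / `plpks_unwrap_object()` that does not assign it frees an indeterminate pointer; initialise it to NULL or free it only on the success path. The success paths copy `output_len` bytes into `p->blob` (seal) and `p->key` (unseal) without checking `output_len <= MAX_BLOB_SIZE` / `output_len <= MAX_KEY_SIZE`, so a hypervisor response larger than expected overruns the fixed-size payload arrays; add the bounds check before each `memcpy()` and return -E2BIG on failure. Finally, `input_buf` in seal and `output_buf` in unseal hold the plaintext key, so they should be released with `kfree_sensitive()` rather than `kfree()`, matching the treatment of `options`. A minor one: `trusted_pkwm_init()` maps any error from `plpks_gen_wrapping_key()` to -EINVAL; returning `ret` would preserve the real cause.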