{"id":2175285,"url":"http://patchwork.ozlabs.org/api/1.0/covers/2175285/?format=json","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/1.0/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/"},"msgid":"<20251217172505.112398-1-ssrish@linux.ibm.com>","date":"2025-12-17T17:24:59","name":"[v2,0/6] Extend \"trusted\" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM)","submitter":{"id":90762,"url":"http://patchwork.ozlabs.org/api/1.0/people/90762/?format=json","name":"Srish Srinivasan","email":"ssrish@linux.ibm.com"},"series":[{"id":485734,"url":"http://patchwork.ozlabs.org/api/1.0/series/485734/?format=json","date":"2025-12-17T17:24:59","name":"Extend \"trusted\" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM)","version":2,"mbox":"http://patchwork.ozlabs.org/series/485734/mbox/"}],"headers":{"From":"Srish Srinivasan <ssrish@linux.ibm.com>","To":"linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,\n        linuxppc-dev@lists.ozlabs.org","Cc":"maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,\n        christophe.leroy@csgroup.eu, James.Bottomley@HansenPartnership.com,\n        jarkko@kernel.org, zohar@linux.ibm.com, nayna@linux.ibm.com,\n        rnsastry@linux.ibm.com, linux-kernel@vger.kernel.org,\n        linux-security-module@vger.kernel.org, ssrish@linux.ibm.com","Subject":"[PATCH v2 0/6] Extend \"trusted\" keys to support a new trust source\n named the PowerVM Key Wrapping Module (PKWM)","Date":"Wed, 17 Dec 2025 22:54:59 +0530","Message-ID":"<20251217172505.112398-1-ssrish@linux.ibm.com>","X-Mailer":"git-send-email 2.52.0","X-Mailing-List":"linuxppc-dev@lists.ozlabs.org","List-Id":"<linuxppc-dev.lists.ozlabs.org>","List-Archive":"<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>"},
"content":"Power11 has introduced a feature called the PowerVM Key Wrapping Module\n(PKWM), where PowerVM in combination with Power LPAR Platform KeyStore\n(PLPKS) [1] supports a new feature called \"Key Wrapping\" [2] to protect\nuser secrets by wrapping them using a hypervisor generated wrapping key.\nThis wrapping key is an AES-GCM-256 symmetric key that is stored as an\nobject in the PLPKS. It has policy based protections that prevent it from\nbeing read out or exposed to the user. This wrapping key can then be used\nby the OS to wrap or unwrap secrets via hypervisor calls.\n\nThis patchset intends to add the PKWM, which is a combination of IBM\nPowerVM and PLPKS, as a new trust source for trusted keys. The wrapping key\ndoes not exist by default and its generation is requested by the kernel at\nthe time of PKWM initialization. This key is then persisted by the PKWM and\nis used for wrapping any kernel provided key, and is never exposed to the\nuser. 
The kernel is aware of only the label to this wrapping key.\n\nAlong with the PKWM implementation, this patchset includes two preparatory\npatches: one fixing the kernel-doc inconsistencies in the PLPKS code and\nanother reorganizing PLPKS config variables in the sysfs.\n\nChangelog:\n\nv2:\n\n* Patch 2:\n  - Fix build warning detected by the kernel test bot\n\n* Patch 5:\n  - Use pr_debug inside dump_options\n  - Replace policyhandle with wrap_flags inside dump_options\n  - Provide meaningful error messages with error codes\n\nNayna Jain (1):\n  docs: trusted-encryped: add PKWM as a new trust source\n\nSrish Srinivasan (5):\n  pseries/plpks: fix kernel-doc comment inconsistencies\n  powerpc/pseries: move the PLPKS config inside its own sysfs directory\n  pseries/plpks: expose PowerVM wrapping features via the sysfs\n  pseries/plpks: add HCALLs for PowerVM Key Wrapping Module\n  keys/trusted_keys: establish PKWM as a trusted source\n\n .../ABI/testing/sysfs-firmware-plpks          |  58 ++\n Documentation/ABI/testing/sysfs-secvar        |  65 --\n .../admin-guide/kernel-parameters.txt         |   1 +\n Documentation/arch/powerpc/papr_hcalls.rst    |  43 ++\n .../security/keys/trusted-encrypted.rst       |  50 ++\n MAINTAINERS                                   |   9 +\n arch/powerpc/include/asm/hvcall.h             |   4 +-\n arch/powerpc/include/asm/plpks.h              |  95 +--\n arch/powerpc/include/asm/secvar.h             |   1 -\n arch/powerpc/kernel/secvar-sysfs.c            |  21 +-\n arch/powerpc/platforms/pseries/Makefile       |   2 +-\n arch/powerpc/platforms/pseries/plpks-secvar.c |  29 -\n arch/powerpc/platforms/pseries/plpks-sysfs.c  |  96 +++\n arch/powerpc/platforms/pseries/plpks.c        | 689 +++++++++++++++++-\n include/keys/trusted-type.h                   |   7 +-\n include/keys/trusted_pkwm.h                   |  22 +\n security/keys/trusted-keys/Kconfig            |   8 +\n security/keys/trusted-keys/Makefile           |   2 +\n 
security/keys/trusted-keys/trusted_core.c     |   6 +-\n security/keys/trusted-keys/trusted_pkwm.c     | 168 +++++\n 20 files changed, 1175 insertions(+), 201 deletions(-)\n create mode 100644 Documentation/ABI/testing/sysfs-firmware-plpks\n create mode 100644 arch/powerpc/platforms/pseries/plpks-sysfs.c\n create mode 100644 include/keys/trusted_pkwm.h\n create mode 100644 security/keys/trusted-keys/trusted_pkwm.c"}