From: Srish Srinivasan <ssrish@linux.ibm.com>
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org
Cc: maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
christophe.leroy@csgroup.eu,
James.Bottomley@HansenPartnership.com, jarkko@kernel.org,
zohar@linux.ibm.com, nayna@linux.ibm.com, rnsastry@linux.ibm.com,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, ssrish@linux.ibm.com
Subject: [PATCH v6 6/6] docs: trusted-encryped: add PKWM as a new trust source
Date: Sun, 1 Feb 2026 19:29:30 +0530 [thread overview]
Message-ID: <20260201135930.898721-7-ssrish@linux.ibm.com> (raw)
In-Reply-To: <20260201135930.898721-1-ssrish@linux.ibm.com>
From: Nayna Jain <nayna@linux.ibm.com>
Update Documentation/security/keys/trusted-encrypted.rst and Documentation/
admin-guide/kernel-parameters.txt with PowerVM Key Wrapping Module (PKWM)
as a new trust source
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
.../admin-guide/kernel-parameters.txt | 1 +
.../security/keys/trusted-encrypted.rst | 50 +++++++++++++++++++
2 files changed, 51 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 1058f2a6d6a8..aac15079b33d 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -7790,6 +7790,7 @@ Kernel parameters
- "tee"
- "caam"
- "dcp"
+ - "pkwm"
If not specified then it defaults to iterating through
the trust source list starting with TPM and assigns the
first trust source as a backend which is initialized
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index eae6a36b1c9a..ddff7c7c2582 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -81,6 +81,14 @@ safe.
and the UNIQUE key. Default is to use the UNIQUE key, but selecting
the OTP key can be done via a module parameter (dcp_use_otp_key).
+ (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
+
+ Rooted to a unique, per-LPAR key, which is derived from a system-wide,
+ randomly generated LPAR root key. Both the per-LPAR keys and the LPAR
+ root key are stored in hypervisor-owned secure memory at runtime,
+ and the LPAR root key is additionally persisted in secure locations
+ such as the processor SEEPROMs and encrypted NVRAM.
+
* Execution isolation
(1) TPM
@@ -102,6 +110,14 @@ safe.
environment. Only basic blob key encryption is executed there.
The actual key sealing/unsealing is done on main processor/kernel space.
+ (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
+
+ Fixed set of cryptographic operations done on on-chip hardware
+ cryptographic acceleration unit NX. Keys for wrapping and unwrapping
+ are managed by PowerVM Platform KeyStore, which stores keys in an
+ isolated in-memory copy in secure hypervisor memory, as well as in a
+ persistent copy in hypervisor-encrypted NVRAM.
+
* Optional binding to platform integrity state
(1) TPM
@@ -129,6 +145,11 @@ safe.
Relies on Secure/Trusted boot process (called HAB by vendor) for
platform integrity.
+ (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
+
+ Relies on secure and trusted boot process of IBM Power systems for
+ platform integrity.
+
* Interfaces and APIs
(1) TPM
@@ -149,6 +170,11 @@ safe.
Vendor-specific API that is implemented as part of the DCP crypto driver in
``drivers/crypto/mxs-dcp.c``.
+ (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
+
+ Platform Keystore has well documented interfaces in PAPR document.
+ Refer to ``Documentation/arch/powerpc/papr_hcalls.rst``
+
* Threat model
The strength and appropriateness of a particular trust source for a given
@@ -191,6 +217,10 @@ selected trust source:
a dedicated hardware RNG that is independent from DCP which can be enabled
to back the kernel RNG.
+ * PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
+
+ The normal kernel random number generator is used to generate keys.
+
Users may override this by specifying ``trusted.rng=kernel`` on the kernel
command-line to override the used RNG with the kernel's random number pool.
@@ -321,6 +351,26 @@ Usage::
specific to this DCP key-blob implementation. The key length for new keys is
always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+Trusted Keys usage: PKWM
+------------------------
+
+Usage::
+
+ keyctl add trusted name "new keylen [options]" ring
+ keyctl add trusted name "load hex_blob" ring
+ keyctl print keyid
+
+ options:
+ wrap_flags= ascii hex value of security policy requirement
+ 0x00: no secure boot requirement (default)
+ 0x01: require secure boot to be in either audit or
+ enforced mode
+ 0x02: require secure boot to be in enforced mode
+
+"keyctl print" returns an ASCII hex copy of the sealed key, which is in format
+specific to PKWM key-blob implementation. The key length for new keys is
+always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+
Encrypted Keys usage
--------------------
--
2.47.3
next prev parent reply other threads:[~2026-02-01 14:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-01 13:59 [PATCH v6 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM) Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 1/6] pseries/plpks: fix kernel-doc comment inconsistencies Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 2/6] powerpc/pseries: move the PLPKS config inside its own sysfs directory Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 3/6] pseries/plpks: expose PowerVM wrapping features via the sysfs Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 4/6] pseries/plpks: add HCALLs for PowerVM Key Wrapping Module Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 5/6] keys/trusted_keys: establish PKWM as a trusted source Srish Srinivasan
2026-02-01 13:59 ` Srish Srinivasan [this message]
2026-02-01 22:29 ` [PATCH v6 6/6] docs: trusted-encryped: add PKWM as a new trust source Jarkko Sakkinen
2026-02-01 15:19 ` [PATCH v6 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM) Srish Srinivasan
2026-02-27 7:51 ` Christophe Leroy (CS GROUP)
2026-02-27 8:29 ` Srish Srinivasan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260201135930.898721-7-ssrish@linux.ibm.com \
--to=ssrish@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=christophe.leroy@csgroup.eu \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=rnsastry@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.