From: Srish Srinivasan <ssrish@linux.ibm.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org
Cc: maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
	christophe.leroy@csgroup.eu,
	James.Bottomley@HansenPartnership.com, jarkko@kernel.org,
	nayna@linux.ibm.com, rnsastry@linux.ibm.com,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 5/6] keys/trusted_keys: establish PKWM as a trusted source
Date: Tue, 6 Jan 2026 10:39:42 +0530
Message-ID: <9f2f041d-37a7-42ed-bc06-540b65e8b54f@linux.ibm.com>
In-Reply-To: <14a30e37e0cf8ef373b63d3b905ec1a7d807118a.camel@linux.ibm.com>

Hi Mimi,
thanks for taking a look.

On 1/2/26 11:14 PM, Mimi Zohar wrote:
> On Wed, 2025-12-17 at 22:55 +0530, Srish Srinivasan wrote:
>> The wrapping key does not exist by default and is generated by the
>> hypervisor as a part of PKWM initialization. This key is then persisted by
>> the hypervisor and is used to wrap trusted keys. These are variable length
>> symmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are
>> generated using the kernel RNG. PKWM can be used as a trust source through
>> the following example keyctl command
> -> commands:

Yes, I will fix this.

>
>> keyctl add trusted my_trusted_key "new 32" @u
>>
>> Use the wrap_flags command option to set the secure boot requirement for
>> the wrapping request through the following keyctl commands
>>
>> case1: no secure boot requirement. (default)
>> keyctl usage: keyctl add trusted my_trusted_key "new 32" @u
>> 	      OR
>> 	      keyctl add trusted my_trusted_key "new 32 wrap_flags=0x00" @u
>>
>> case2: secure boot required to in either audit or enforce mode. set bit 0
>> keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x01" @u
>>
>> case3: secure boot required to be in enforce mode. set bit 1
>> keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x02" @u
>>
>> NOTE:
>> -> Setting the secure boot requirement is NOT a must.
>> -> Only either of the secure boot requirement options should be set. Not
>> both.
>> -> All the other bits are requied to be not set.
> -> required

Noted.
Will fix this.

>
>> -> Set the kernel parameter trusted.source=pkwm to choose PKWM as the
>> backend for trusted keys implementation.
>> -> CONFIG_PSERIES_PLPKS must be enabled to build PKWM.
>>
>> Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform
>> KeyStore, as a new trust source for trusted keys.
>>
>> Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
> Thanks, Srish.  Other than fixing the typo and other suggestion above,
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for the review Mimi.
Will fix these typos and send out v3.

thanks,
Srish.
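The wrap_flags rules quoted in the commit message above (bit 0 for secure boot in audit or enforce mode, bit 1 for enforce mode only, never both, all other bits clear) and the "new 32 wrap_flags=0x.." datablob syntax are illustrated below by an added example that is not code from the patch series; the function and macro names are hypothetical.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Bit meanings taken from the patch description; macro names are hypothetical. */
#define PKWM_WRAP_SB_REQUIRED 0x01UL /* bit 0: secure boot in audit or enforce mode */
#define PKWM_WRAP_SB_ENFORCE  0x02UL /* bit 1: secure boot in enforce mode */
#define PKWM_WRAP_FLAGS_MASK  (PKWM_WRAP_SB_REQUIRED | PKWM_WRAP_SB_ENFORCE)

/* 0 if flags obey the rules (at most one of bit 0/bit 1, nothing else), else -EINVAL. */
int pkwm_check_wrap_flags(unsigned long flags)
{
	if (flags & ~PKWM_WRAP_FLAGS_MASK)
		return -EINVAL; /* reserved bits must not be set */
	if ((flags & PKWM_WRAP_FLAGS_MASK) == PKWM_WRAP_FLAGS_MASK)
		return -EINVAL; /* both requirement bits set: not allowed */
	return 0;
}

/* Parse the "new <keylen> [wrap_flags=0x..]" datablob given to
 * "keyctl add trusted <name> <datablob> @u". Returns 0 and fills *keylen
 * and *flags (default 0 = no secure boot requirement), or -EINVAL. */
int pkwm_parse_new_blob(const char *blob, unsigned long *keylen, unsigned long *flags)
{
	char buf[128], *tok, *end;

	if (!blob || strlen(blob) >= sizeof(buf))
		return -EINVAL;
	strcpy(buf, blob);
	tok = strtok(buf, " ");
	if (!tok || strcmp(tok, "new") != 0)
		return -EINVAL; /* only the "new" form is handled here */
	tok = strtok(NULL, " ");
	if (!tok)
		return -EINVAL;
	*keylen = strtoul(tok, &end, 10);
	if (*end != '\0' || *keylen == 0)
		return -EINVAL;
	*flags = 0;
	while ((tok = strtok(NULL, " ")) != NULL) {
		if (strncmp(tok, "wrap_flags=", 11) != 0)
			return -EINVAL; /* unknown option */
		*flags = strtoul(tok + 11, &end, 16);
		if (*end != '\0' || end == tok + 11)
			return -EINVAL; /* empty or non-hex value */
	}
	return pkwm_check_wrap_flags(*flags);
}
```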
