public inbox for linux-security-module@vger.kernel.org
From: Srish Srinivasan <ssrish@linux.ibm.com>
To: "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org
Cc: maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
	James.Bottomley@HansenPartnership.com, jarkko@kernel.org,
	zohar@linux.ibm.com, nayna@linux.ibm.com, rnsastry@linux.ibm.com,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v6 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM)
Date: Fri, 27 Feb 2026 13:59:07 +0530
Message-ID: <5d316ad2-a842-4d29-b155-ecfc47aa1066@linux.ibm.com>
In-Reply-To: <31dfcf7a-5b3d-406d-bdd4-c8b09f7eb1f0@kernel.org>

Hi Christophe,

On 2/27/26 1:21 PM, Christophe Leroy (CS GROUP) wrote:
>
>
> On 01/02/2026 at 14:59, Srish Srinivasan wrote:
>> Power11 has introduced a feature called the PowerVM Key Wrapping Module
>> (PKWM), where PowerVM in combination with Power LPAR Platform KeyStore
>> (PLPKS) [1] supports a new feature called "Key Wrapping" [2] to protect
>> user secrets by wrapping them using a hypervisor generated wrapping key.
>> This wrapping key is an AES-GCM-256 symmetric key that is stored as an
>> object in the PLPKS. It has policy based protections that prevent it from
>> being read out or exposed to the user. This wrapping key can then be used
>> by the OS to wrap or unwrap secrets via hypervisor calls.
>>
>> This patchset intends to add the PKWM, which is a combination of IBM
>> PowerVM and PLPKS, as a new trust source for trusted keys. The wrapping key
>> does not exist by default and its generation is requested by the kernel at
>> the time of PKWM initialization. This key is then persisted by the PKWM and
>> is used for wrapping any kernel provided key, and is never exposed to the
>> user. The kernel is aware of only the label to this wrapping key.
>>
>> Along with the PKWM implementation, this patchset includes two preparatory
>> patches: one fixing the kernel-doc inconsistencies in the PLPKS code and
>> another reorganizing PLPKS config variables in the sysfs.
>>
>> Changelog:
>>
>> v6:
>
> Seems like v5 was applied; if needed, can you send a follow-up patch?
>
> Christophe


I had sent out a patch on top of v5 to take care of this, and it has 
been applied.

thanks,
Srish.


>
>>
>> * Patch 1 to Patch 3:
>>    - Add Nayna's Tested-by tag
>> * Patch 4
>>    - Fix build error reported by kernel test robot <lkp@intel.com>
>>    - Add Nayna's Tested-by tag
>> * Patch 5
>>    - Add Nayna's Tested-by tag
>>
>> v5:
>>
>> * Patch 1 to Patch 3:
>>    - Add Nayna's Reviewed-by tag
>> * Patch 4:
>>    - Fix build error identified by chleroy@kernel.org
>>    - Add Nayna's Reviewed-by tag
>> * Patch 5:
>>    - Add Reviewed-by tags from Nayna and Jarkko
>>
>> v4:
>>
>> * Patch 5:
>>    - Add a per-backend private data pointer in trusted_key_options
>>      to store a pointer to the backend-specific options structure
>>    - Minor clean-up
>>
>> v3:
>>
>> * Patch 2:
>>    - Add Mimi's Reviewed-by tag
>> * Patch 4:
>>    - Minor tweaks to some print statements
>>    - Fix typos
>> * Patch 5:
>>    - Fix typos
>>    - Add Mimi's Reviewed-by tag
>> * Patch 6:
>>    - Add Mimi's Reviewed-by tag
>>
>> v2:
>>
>> * Patch 2:
>>    - Fix build warning detected by the kernel test bot
>> * Patch 5:
>>    - Use pr_debug inside dump_options
>>    - Replace policyhande with wrap_flags inside dump_options
>>    - Provide meaningful error messages with error codes
>>
>> Nayna Jain (1):
>>    docs: trusted-encryped: add PKWM as a new trust source
>>
>> Srish Srinivasan (5):
>>    pseries/plpks: fix kernel-doc comment inconsistencies
>>    powerpc/pseries: move the PLPKS config inside its own sysfs directory
>>    pseries/plpks: expose PowerVM wrapping features via the sysfs
>>    pseries/plpks: add HCALLs for PowerVM Key Wrapping Module
>>    keys/trusted_keys: establish PKWM as a trusted source
>>
>>   .../ABI/testing/sysfs-firmware-plpks          |  58 ++
>>   Documentation/ABI/testing/sysfs-secvar        |  65 --
>>   .../admin-guide/kernel-parameters.txt         |   1 +
>>   Documentation/arch/powerpc/papr_hcalls.rst    |  43 ++
>>   .../security/keys/trusted-encrypted.rst       |  50 ++
>>   MAINTAINERS                                   |   9 +
>>   arch/powerpc/include/asm/hvcall.h             |   4 +-
>>   arch/powerpc/include/asm/plpks.h              |  95 +--
>>   arch/powerpc/include/asm/secvar.h             |   1 -
>>   arch/powerpc/kernel/secvar-sysfs.c            |  21 +-
>>   arch/powerpc/platforms/pseries/Makefile       |   2 +-
>>   arch/powerpc/platforms/pseries/plpks-secvar.c |  29 -
>>   arch/powerpc/platforms/pseries/plpks-sysfs.c  |  96 +++
>>   arch/powerpc/platforms/pseries/plpks.c        | 688 +++++++++++++++++-
>>   include/keys/trusted-type.h                   |   7 +-
>>   include/keys/trusted_pkwm.h                   |  33 +
>>   security/keys/trusted-keys/Kconfig            |   8 +
>>   security/keys/trusted-keys/Makefile           |   2 +
>>   security/keys/trusted-keys/trusted_core.c     |   6 +-
>>   security/keys/trusted-keys/trusted_pkwm.c     | 190 +++++
>>   20 files changed, 1207 insertions(+), 201 deletions(-)
>>   create mode 100644 Documentation/ABI/testing/sysfs-firmware-plpks
>>   create mode 100644 arch/powerpc/platforms/pseries/plpks-sysfs.c
>>   create mode 100644 include/keys/trusted_pkwm.h
>>   create mode 100644 security/keys/trusted-keys/trusted_pkwm.c
>>
>

Thread overview: 11+ messages
2026-02-01 13:59 [PATCH v6 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM) Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 1/6] pseries/plpks: fix kernel-doc comment inconsistencies Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 2/6] powerpc/pseries: move the PLPKS config inside its own sysfs directory Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 3/6] pseries/plpks: expose PowerVM wrapping features via the sysfs Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 4/6] pseries/plpks: add HCALLs for PowerVM Key Wrapping Module Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 5/6] keys/trusted_keys: establish PKWM as a trusted source Srish Srinivasan
2026-02-01 13:59 ` [PATCH v6 6/6] docs: trusted-encryped: add PKWM as a new trust source Srish Srinivasan
2026-02-01 22:29   ` Jarkko Sakkinen
2026-02-01 15:19 ` [PATCH v6 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM) Srish Srinivasan
2026-02-27  7:51 ` Christophe Leroy (CS GROUP)
2026-02-27  8:29   ` Srish Srinivasan [this message]