Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

docs: trusted-encrypted: add PKWM as a new trust source

Update Documentation/security/keys/trusted-encrypted.rst and Documentation/
admin-guide/kernel-parameters.txt with PowerVM Key Wrapping Module (PKWM)
as a new trust source

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127145228.48320-7-ssrish@linux.ibm.com

Authored by Nayna Jain and committed by Madhavan Srinivasan
1d72a02d c99fcb0d

+51
+1
Documentation/admin-guide/kernel-parameters.txt
··· 7755 7755 - "tee" 7756 7756 - "caam" 7757 7757 - "dcp" 7758 + - "pkwm" 7758 7759 If not specified then it defaults to iterating through 7759 7760 the trust source list starting with TPM and assigns the 7760 7761 first trust source as a backend which is initialized
+50
Documentation/security/keys/trusted-encrypted.rst
··· 81 81 and the UNIQUE key. Default is to use the UNIQUE key, but selecting 82 82 the OTP key can be done via a module parameter (dcp_use_otp_key). 83 83 84 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 85 + 86 + Rooted to a unique, per-LPAR key, which is derived from a system-wide, 87 + randomly generated LPAR root key. Both the per-LPAR keys and the LPAR 88 + root key are stored in hypervisor-owned secure memory at runtime, 89 + and the LPAR root key is additionally persisted in secure locations 90 + such as the processor SEEPROMs and encrypted NVRAM. 91 + 84 92 * Execution isolation 85 93 86 94 (1) TPM ··· 109 101 Fixed set of cryptographic operations running in isolated execution 110 102 environment. Only basic blob key encryption is executed there. 111 103 The actual key sealing/unsealing is done on main processor/kernel space. 104 + 105 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 106 + 107 + Fixed set of cryptographic operations done on on-chip hardware 108 + cryptographic acceleration unit NX. Keys for wrapping and unwrapping 109 + are managed by PowerVM Platform KeyStore, which stores keys in an 110 + isolated in-memory copy in secure hypervisor memory, as well as in a 111 + persistent copy in hypervisor-encrypted NVRAM. 112 112 113 113 * Optional binding to platform integrity state 114 114 ··· 145 129 Relies on Secure/Trusted boot process (called HAB by vendor) for 146 130 platform integrity. 147 131 132 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 133 + 134 + Relies on secure and trusted boot process of IBM Power systems for 135 + platform integrity. 136 + 148 137 * Interfaces and APIs 149 138 150 139 (1) TPM ··· 169 148 170 149 Vendor-specific API that is implemented as part of the DCP crypto driver in 171 150 ``drivers/crypto/mxs-dcp.c``. 
151 + 152 + (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 153 + 154 + Platform Keystore has well documented interfaces in PAPR document. 155 + Refer to ``Documentation/arch/powerpc/papr_hcalls.rst`` 172 156 173 157 * Threat model 174 158 ··· 216 190 so the kernel default RNG is used. SoCs with DCP like the i.MX6ULL do have 217 191 a dedicated hardware RNG that is independent from DCP which can be enabled 218 192 to back the kernel RNG. 193 + 194 + * PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore) 195 + 196 + The normal kernel random number generator is used to generate keys. 219 197 220 198 Users may override this by specifying ``trusted.rng=kernel`` on the kernel 221 199 command-line to override the used RNG with the kernel's random number pool. ··· 349 319 350 320 "keyctl print" returns an ASCII hex copy of the sealed key, which is in format 351 321 specific to this DCP key-blob implementation. The key length for new keys is 322 + always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 323 + 324 + Trusted Keys usage: PKWM 325 + ------------------------ 326 + 327 + Usage:: 328 + 329 + keyctl add trusted name "new keylen [options]" ring 330 + keyctl add trusted name "load hex_blob" ring 331 + keyctl print keyid 332 + 333 + options: 334 + wrap_flags= ascii hex value of security policy requirement 335 + 0x00: no secure boot requirement (default) 336 + 0x01: require secure boot to be in either audit or 337 + enforced mode 338 + 0x02: require secure boot to be in enforced mode 339 + 340 + "keyctl print" returns an ASCII hex copy of the sealed key, which is in format 341 + specific to PKWM key-blob implementation. The key length for new keys is 352 342 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits). 353 343 354 344 Encrypted Keys usage
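Review bot: In the Documentation/admin-guide/kernel-parameters.txt hunk, the new `- "pkwm"` entry is not reflected in the unchanged text that follows it, which still only says the default iterates through the trust source list "starting with TPM" and takes the first source that initializes. Please state where pkwm sits in that iteration order and that it is backed by IBM PowerVM and the Platform KeyStore, so an administrator can tell whether the source has to be selected explicitly on an LPAR.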
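Review bot: The "Interfaces and APIs" entry for PKWM in trusted-encrypted.rst writes "Platform Keystore" while every other added entry writes "Platform KeyStore", and "has well documented interfaces in PAPR document" is missing a hyphen and an article. Suggest "Platform KeyStore has well-documented interfaces in the PAPR document." and a closing period on the "Refer to ``Documentation/arch/powerpc/papr_hcalls.rst``" line. The same pass could tidy "done on on-chip hardware cryptographic acceleration unit NX" in the "Execution isolation" entry, for example "performed by NX, the on-chip hardware cryptographic acceleration unit".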
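Review bot: The `wrap_flags=` description in the new "Trusted Keys usage: PKWM" section lists 0x00, 0x01 and 0x02 but does not say whether the values are mutually exclusive or can be combined, what happens when any other value is passed, or what "keyctl add trusted name "load hex_blob" ring" returns when the current secure boot mode does not meet the policy the blob was wrapped with. Since this option is the only place the binding to platform integrity state is exposed to the user, please document the accepted values as a closed set (or as a bitmask, if that is what it is) and describe the failure behaviour on load.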