tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

pseries/plpks: expose PowerVM wrapping features via the sysfs

Starting with Power11, PowerVM supports a new feature called "Key Wrapping"
that protects user secrets by wrapping them using a hypervisor generated
wrapping key. The status of this feature can be read by the
H_PKS_GET_CONFIG HCALL.

Expose the Power LPAR Platform KeyStore (PLPKS) wrapping features config
via the sysfs file /sys/firmware/plpks/config/wrapping_features.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127145228.48320-4-ssrish@linux.ibm.com

authored by

Srish Srinivasan and committed by
Madhavan Srinivasan 447eb1d5 40850c90

+36 -1
+8
Documentation/ABI/testing/sysfs-firmware-plpks
··· 48 48 supports for signed update of objects, represented as a 16 byte 49 49 hexadecimal ASCII string. Consult the hypervisor documentation 50 50 for what these flags mean. 51 + 52 + What: /sys/firmware/plpks/config/wrapping_features 53 + Date: November 2025 54 + Contact: Srish Srinivasan <ssrish@linux.ibm.com> 55 + Description: Bitmask of the wrapping features indicating the wrapping 56 + algorithms that are supported for the H_PKS_WRAP_OBJECT requests 57 + , represented as a 8 byte hexadecimal ASCII string. Consult the 58 + hypervisor documentation for what these flags mean.
+3 -1
arch/powerpc/include/asm/hvcall.h
··· 360 360 #define H_GUEST_RUN_VCPU 0x480 361 361 #define H_GUEST_COPY_MEMORY 0x484 362 362 #define H_GUEST_DELETE 0x488 363 - #define MAX_HCALL_OPCODE H_GUEST_DELETE 363 + #define H_PKS_WRAP_OBJECT 0x490 364 + #define H_PKS_UNWRAP_OBJECT 0x494 365 + #define MAX_HCALL_OPCODE H_PKS_UNWRAP_OBJECT 364 366 365 367 /* Scope args for H_SCM_UNBIND_ALL */ 366 368 #define H_UNBIND_SCOPE_ALL (0x1)
+3
arch/powerpc/include/asm/plpks.h
··· 23 23 #define PLPKS_IMMUTABLE PPC_BIT32(5) // Once written, object cannot be removed 24 24 #define PLPKS_TRANSIENT PPC_BIT32(6) // Object does not persist through reboot 25 25 #define PLPKS_SIGNEDUPDATE PPC_BIT32(7) // Object can only be modified by signed updates 26 + #define PLPKS_WRAPPINGKEY PPC_BIT32(8) // Object contains a wrapping key 26 27 #define PLPKS_HVPROVISIONED PPC_BIT32(28) // Hypervisor has provisioned this object 27 28 28 29 // Signature algorithm flags from signed_update_algorithms ··· 103 102 u32 plpks_get_maxlargeobjectsize(void); 104 103 105 104 u64 plpks_get_signedupdatealgorithms(void); 105 + 106 + u64 plpks_get_wrappingfeatures(void); 106 107 107 108 u16 plpks_get_passwordlen(void); 108 109
+2
arch/powerpc/platforms/pseries/plpks-sysfs.c
··· 30 30 PLPKS_CONFIG_ATTR(supported_policies, "%08x\n", plpks_get_supportedpolicies); 31 31 PLPKS_CONFIG_ATTR(signed_update_algorithms, "%016llx\n", 32 32 plpks_get_signedupdatealgorithms); 33 + PLPKS_CONFIG_ATTR(wrapping_features, "%016llx\n", plpks_get_wrappingfeatures); 33 34 34 35 static const struct attribute *config_attrs[] = { 35 36 &attr_version.attr, ··· 39 38 &attr_used_space.attr, 40 39 &attr_supported_policies.attr, 41 40 &attr_signed_update_algorithms.attr, 41 + &attr_wrapping_features.attr, 42 42 NULL, 43 43 }; 44 44
+20
arch/powerpc/platforms/pseries/plpks.c
··· 38 38 static u32 supportedpolicies; 39 39 static u32 maxlargeobjectsize; 40 40 static u64 signedupdatealgorithms; 41 + static u64 wrappingfeatures; 41 42 42 43 struct plpks_auth { 43 44 u8 version; ··· 249 248 __be32 supportedpolicies; 250 249 __be32 maxlargeobjectsize; 251 250 __be64 signedupdatealgorithms; 251 + __be64 wrappingfeatures; 252 252 u8 rsvd1[476]; 253 253 } __packed * config; 254 254 size_t size; ··· 282 280 supportedpolicies = be32_to_cpu(config->supportedpolicies); 283 281 maxlargeobjectsize = be32_to_cpu(config->maxlargeobjectsize); 284 282 signedupdatealgorithms = be64_to_cpu(config->signedupdatealgorithms); 283 + wrappingfeatures = be64_to_cpu(config->wrappingfeatures); 285 284 286 285 // Validate that the numbers we get back match the requirements of the spec 287 286 if (maxpwsize < 32) { ··· 473 470 u64 plpks_get_signedupdatealgorithms(void) 474 471 { 475 472 return signedupdatealgorithms; 473 + } 474 + 475 + /** 476 + * plpks_get_wrappingfeatures() - Returns a bitmask of the wrapping features 477 + * supported by the hypervisor. 478 + * 479 + * Successful execution of the H_PKS_GET_CONFIG HCALL during initialization 480 + * reads a bitmask of the wrapping features supported by the hypervisor into the 481 + * file local static wrappingfeatures variable. This is valid only when the 482 + * PLPKS config structure version >= 3. 483 + * 484 + * Return: 485 + * bitmask of the wrapping features supported by the hypervisor 486 + */ 487 + u64 plpks_get_wrappingfeatures(void) 488 + { 489 + return wrappingfeatures; 476 490 } 477 491 478 492 /**