The wrapping key does not exist by default and is generated by the hypervisor as a part of PKWM initialization. This key is then persisted by the hypervisor and is used to wrap trusted keys. These are variable length symmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are generated using the kernel RNG. PKWM can be used as a trust source through the following example keyctl commands: keyctl add trusted my_trusted_key "new 32" @u Use the wrap_flags command option to set the secure boot requirement for the wrapping request through the following keyctl commands case1: no secure boot requirement. (default) keyctl usage: keyctl add trusted my_trusted_key "new 32" @u OR keyctl add trusted my_trusted_key "new 32 wrap_flags=0x00" @u case2: secure boot required to be in either audit or enforce mode. set bit 0 keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x01" @u case3: secure boot required to be in enforce mode. set bit 1 keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x02" @u NOTE: -> Setting the secure boot requirement is NOT a must. -> Only either of the secure boot requirement options should be set. Not both. -> All the other bits are required to be not set. -> Set the kernel parameter trusted.source=pkwm to choose PKWM as the backend for trusted keys implementation. -> CONFIG_PSERIES_PLPKS must be enabled to build PKWM. Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform KeyStore, as a new trust source for trusted keys. Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> Tested-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/20260127145228.48320-6-ssrish@linux.ibm.com
# Hidden helper symbol: it has no prompt, so it cannot be set by hand and is
# only turned on through "select" by a trusted-key backend. It records that
# at least one trust source has been enabled.
config HAVE_TRUSTED_KEYS
	bool
# TPM trust source.
# The tristate comparison in "depends on" requires TCG_TPM to be enabled at
# least as strongly as TRUSTED_KEYS (built in when TRUSTED_KEYS=y), so a
# built-in trusted-keys core cannot be paired with a modular TPM driver.
# "default y" turns this backend on whenever that dependency is met.
config TRUSTED_KEYS_TPM
	bool "TPM-based trusted keys"
	default y
	depends on TCG_TPM >= TRUSTED_KEYS
	# Helper code this backend selects, plus the "a trust source exists" marker.
	select ASN1
	select ASN1_ENCODER
	select CRYPTO_HASH_INFO
	select CRYPTO_LIB_SHA1
	select CRYPTO_LIB_UTILS
	select HAVE_TRUSTED_KEYS
	select OID_REGISTRY
	help
	  Enable use of the Trusted Platform Module (TPM) as trusted key
	  backend. Trusted keys are random number symmetric keys,
	  which will be generated and RSA-sealed by the TPM.
	  The TPM only unseals the keys, if the boot PCRs and other
	  criteria match.
# TEE trust source.
# TEE must be enabled at least as strongly as TRUSTED_KEYS (tristate
# comparison); the backend is on by default once that holds and marks a
# trust source as present through HAVE_TRUSTED_KEYS.
config TRUSTED_KEYS_TEE
	bool "TEE-based trusted keys"
	default y
	depends on TEE >= TRUSTED_KEYS
	select HAVE_TRUSTED_KEYS
	help
	  Enable use of the Trusted Execution Environment (TEE) as trusted
	  key backend.
# CAAM trust source.
# The CAAM job-ring driver must be enabled at least as strongly as
# TRUSTED_KEYS (tristate comparison). Enabling the backend also selects the
# CAAM blob generator and marks a trust source as present.
config TRUSTED_KEYS_CAAM
	bool "CAAM-based trusted keys"
	default y
	depends on CRYPTO_DEV_FSL_CAAM_JR >= TRUSTED_KEYS
	select CRYPTO_DEV_FSL_CAAM_BLOB_GEN
	select HAVE_TRUSTED_KEYS
	help
	  Enable use of NXP's Cryptographic Accelerator and Assurance Module
	  (CAAM) as trusted key backend.
# DCP trust source.
# The MXS DCP crypto driver must be enabled at least as strongly as
# TRUSTED_KEYS (tristate comparison); the backend is on by default once that
# holds and marks a trust source as present through HAVE_TRUSTED_KEYS.
config TRUSTED_KEYS_DCP
	bool "DCP-based trusted keys"
	default y
	depends on CRYPTO_DEV_MXS_DCP >= TRUSTED_KEYS
	select HAVE_TRUSTED_KEYS
	help
	  Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.
# PKWM trust source (IBM PowerVM plus the Power LPAR Platform KeyStore).
# PSERIES_PLPKS must be enabled at least as strongly as TRUSTED_KEYS
# (tristate comparison); without it PKWM cannot be built.
#
# Per the commit that introduced this backend:
#  - the wrapping key is generated by the hypervisor during PKWM
#    initialization and persisted there; the trusted keys it wraps are
#    generated with the kernel RNG;
#  - building this option in does not by itself make PKWM the active
#    backend: boot with trusted.source=pkwm to choose it;
#  - a secure boot requirement for a wrapping request is opt-in per key via
#    the keyctl "wrap_flags" option (bit 0: audit or enforce mode, bit 1:
#    enforce mode; set at most one, all other bits clear). The default,
#    wrap_flags=0x00, imposes no secure boot requirement.
config TRUSTED_KEYS_PKWM
	bool "PKWM-based trusted keys"
	default y
	depends on PSERIES_PLPKS >= TRUSTED_KEYS
	select HAVE_TRUSTED_KEYS
	help
	  Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.
# Menu notice displayed only while HAVE_TRUSTED_KEYS is unset, i.e. when no
# trusted-key backend has been enabled.
comment "No trust source selected!"
	depends on !HAVE_TRUSTED_KEYS