archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 05:04:51 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
linux/include
History
Srish Srinivasan c99fcb0d73 keys/trusted_keys: establish PKWM as a trusted source 
The wrapping key does not exist by default and is generated by the
hypervisor as a part of PKWM initialization. This key is then persisted by
the hypervisor and is used to wrap trusted keys. These are variable length
symmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are
generated using the kernel RNG. PKWM can be used as a trust source through
the following example keyctl commands:

keyctl add trusted my_trusted_key "new 32" @u

Use the wrap_flags command option to set the secure boot requirement for
the wrapping request through the following keyctl commands

case1: no secure boot requirement. (default)
keyctl usage: keyctl add trusted my_trusted_key "new 32" @u
	      OR
	      keyctl add trusted my_trusted_key "new 32 wrap_flags=0x00" @u

case2: secure boot required to in either audit or enforce mode. set bit 0
keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x01" @u

case3: secure boot required to be in enforce mode. set bit 1
keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x02" @u

NOTE:
-> Setting the secure boot requirement is NOT a must.
-> Only either of the secure boot requirement options should be set. Not
both.
-> All the other bits are required to be not set.
-> Set the kernel parameter trusted.source=pkwm to choose PKWM as the
backend for trusted keys implementation.
-> CONFIG_PSERIES_PLPKS must be enabled to build PKWM.

Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform
KeyStore, as a new trust source for trusted keys.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127145228.48320-6-ssrish@linux.ibm.com
2026-01-30 09:27:26 +05:30
..
acpi Revert "ACPI: processor: idle: Optimize ACPI idle driver registration" 2025-11-25 16:08:06 +01:00
asm-generic hyperv-next for v6.19 2025-12-09 06:10:17 +09:00
clocksource
crypto This update includes the following changes: 2025-12-03 11:28:38 -08:00
cxl
drm drm/pagemap, drm/xe: Ensure that the devmem allocation is idle before use 2025-12-23 10:11:59 +01:00
dt-bindings This pull request is entirely SoC clk drivers, not for lack of trying to modify 2025-12-08 09:38:52 +09:00
hyperv mshv: Add definitions for MSHV sleep state configuration 2025-12-05 23:24:57 +00:00
keys keys/trusted_keys: establish PKWM as a trusted source 2026-01-30 09:27:26 +05:30
kunit kunit: Enforce task execution in {soft,hard}irq contexts 2025-12-22 12:20:08 -08:00
kvm KVM: arm64: GICv2: Handle deactivation via GICV_DIR traps 2025-11-24 14:29:14 -08:00
linux powerpc/iommu: bypass DMA APIs for coherent allocations for pre-mapped memory 2026-01-07 09:33:55 +05:30
math-emu
media
memory
misc
net net: dsa: properly keep track of conduit reference 2025-12-23 10:32:08 +01:00
pcmcia
ras Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
rdma RDMA/core: Add new IB rate for XDR (8x) support 2025-11-24 02:58:30 -05:00
rv rv: Fix compilation if !CONFIG_RV_REACTORS 2025-12-02 12:33:37 -05:00
scsi
soc This pull request is entirely SoC clk drivers, not for lack of trying to modify 2025-12-08 09:38:52 +09:00
sound ASoC: soc-acpi / SOF: Add best_effort flag to get_function_tplg_files op 2025-12-15 23:08:35 +09:00
target
trace Miscellaneous x86 fixes: 2025-12-21 14:41:29 -08:00
uapi RDMA v6.19 first rc request 2026-01-02 12:25:47 -08:00
ufs
vdso
video
xen
Kbuild