Srish Srinivasan c99fcb0d73 keys/trusted_keys: establish PKWM as a trusted source ... The wrapping key does not exist by default and is generated by the hypervisor as a part of PKWM initialization. This key is then persisted by the hypervisor and is used to wrap trusted keys. These are variable length symmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are generated using the kernel RNG. PKWM can be used as a trust source through the following example keyctl commands: keyctl add trusted my_trusted_key "new 32" @u Use the wrap_flags command option to set the secure boot requirement for the wrapping request through the following keyctl commands case1: no secure boot requirement. (default) keyctl usage: keyctl add trusted my_trusted_key "new 32" @u OR keyctl add trusted my_trusted_key "new 32 wrap_flags=0x00" @u case2: secure boot required to in either audit or enforce mode. set bit 0 keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x01" @u case3: secure boot required to be in enforce mode. set bit 1 keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x02" @u NOTE: -> Setting the secure boot requirement is NOT a must. -> Only either of the secure boot requirement options should be set. Not both. -> All the other bits are required to be not set. -> Set the kernel parameter trusted.source=pkwm to choose PKWM as the backend for trusted keys implementation. -> CONFIG_PSERIES_PLPKS must be enabled to build PKWM. Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform KeyStore, as a new trust source for trusted keys. Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com> Tested-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/20260127145228.48320-6-ssrish@linux.ibm.com		2026-01-30 09:27:26 +05:30
..
encrypted-keys	keys: Replace deprecated strncpy in ecryptfs_fill_auth_tok	2025-11-27 23:50:20 +02:00
trusted-keys	keys/trusted_keys: establish PKWM as a trusted source	2026-01-30 09:27:26 +05:30
big_key.c	keys: Remove redundant less-than-zero checks	2025-11-27 23:50:20 +02:00
compat.c	security/keys: remove compat_keyctl_instantiate_key_iov	2020-10-03 00:02:16 -04:00
compat_dh.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152	2019-05-30 11:26:32 -07:00
dh.c	KEYS: DH: Use crypto_wait_req	2023-02-13 18:34:48 +08:00
gc.c	KEYS: Invert FINAL_PUT bit	2025-06-11 11:57:14 -07:00
internal.h	keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry	2023-12-21 13:47:38 +00:00
Kconfig	security: keys: use menuconfig for KEYS symbol	2025-10-04 17:25:35 +03:00
key.c	KEYS: Invert FINAL_PUT bit	2025-06-11 11:57:14 -07:00
keyctl.c	task_work: s/task_work_cancel()/task_work_cancel_func()/	2024-07-09 13:26:31 +02:00
keyctl_pkey.c	KEYS: fix length validation in keyctl_pkey_params_get_2()	2022-03-08 10:33:18 +02:00
keyring.c	security/keys: fix slab-out-of-bounds in key_task_permission	2024-11-04 21:24:24 +02:00
Makefile	KEYS: remove CONFIG_KEYS_COMPAT	2019-12-12 23:41:17 +02:00
permission.c	keys: Make the KEY_NEED_* perms an enum rather than a mask	2020-05-19 15:42:22 +01:00
persistent.c	Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"	2019-07-10 18:43:43 -07:00
proc.c	keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry	2023-12-21 13:47:38 +00:00
process_keys.c	cred: make init_cred static	2025-11-04 12:36:02 +01:00
request_key.c	keys: Fix linking a duplicate key to a keyring's assoc_array	2023-07-17 19:32:30 +00:00
request_key_auth.c	KEYS: Replace all non-returning strlcpy with strscpy	2023-08-17 20:12:35 +00:00
sysctl.c	treewide: const qualify ctl_tables where applicable	2025-01-28 13:48:37 +01:00
user_defined.c	keys: Remove redundant less-than-zero checks	2025-11-27 23:50:20 +02:00