[PATCH v6 0/6] Extend "trusted" keys to support a new trust source named the PowerVM Key Wrapping Module (PKWM)
Srish Srinivasan
ssrish at linux.ibm.com
Fri Feb 27 19:29:07 AEDT 2026
Hi Christophe,
On 2/27/26 1:21 PM, Christophe Leroy (CS GROUP) wrote:
>
>
> On 01/02/2026 at 14:59, Srish Srinivasan wrote:
>> Power11 has introduced a feature called the PowerVM Key Wrapping Module
>> (PKWM), where PowerVM in combination with Power LPAR Platform KeyStore
>> (PLPKS) [1] supports a new feature called "Key Wrapping" [2] to protect
>> user secrets by wrapping them using a hypervisor generated wrapping key.
>> This wrapping key is an AES-GCM-256 symmetric key that is stored as an
>> object in the PLPKS. It has policy based protections that prevent it from
>> being read out or exposed to the user. This wrapping key can then be used
>> by the OS to wrap or unwrap secrets via hypervisor calls.
>>
>> This patchset intends to add the PKWM, which is a combination of IBM
>> PowerVM and PLPKS, as a new trust source for trusted keys. The wrapping key
>> does not exist by default and its generation is requested by the kernel at
>> the time of PKWM initialization. This key is then persisted by the PKWM and
>> is used for wrapping any kernel provided key, and is never exposed to the
>> user. The kernel is aware of only the label to this wrapping key.
>>
>> Along with the PKWM implementation, this patchset includes two preparatory
>> patches: one fixing the kernel-doc inconsistencies in the PLPKS code and
>> another reorganizing PLPKS config variables in the sysfs.
>>
>> Changelog:
>>
>> v6:
>
> Seems like v5 was applied; if needed, can you send a follow-up patch?
>
> Christophe
I had sent out a patch on top of v5 to take care of this, and it has
been applied.
thanks,
Srish.
>
>>
>> * Patch 1 to Patch 3:
>> - Add Nayna's Tested-by tag
>> * Patch 4
>> - Fix build error reported by kernel test robot <lkp at intel.com>
>> - Add Nayna's Tested-by tag
>> * Patch 5
>> - Add Nayna's Tested-by tag
>>
>> v5:
>>
>> * Patch 1 to Patch 3:
>> - Add Nayna's Reviewed-by tag
>> * Patch 4:
>> - Fix build error identified by chleroy at kernel.org
>> - Add Nayna's Reviewed-by tag
>> * Patch 5:
>> - Add Reviewed-by tags from Nayna and Jarkko
>>
>> v4:
>>
>> * Patch 5:
>> - Add a per-backend private data pointer in trusted_key_options
>> to store a pointer to the backend-specific options structure
>> - Minor clean-up
>>
>> v3:
>>
>> * Patch 2:
>> - Add Mimi's Reviewed-by tag
>> * Patch 4:
>> - Minor tweaks to some print statements
>> - Fix typos
>> * Patch 5:
>> - Fix typos
>> - Add Mimi's Reviewed-by tag
>> * Patch 6:
>> - Add Mimi's Reviewed-by tag
>>
>> v2:
>>
>> * Patch 2:
>> - Fix build warning detected by the kernel test bot
>> * Patch 5:
>> - Use pr_debug inside dump_options
>> - Replace policyhande with wrap_flags inside dump_options
>> - Provide meaningful error messages with error codes
>>
>> Nayna Jain (1):
>> docs: trusted-encryped: add PKWM as a new trust source
>>
>> Srish Srinivasan (5):
>> pseries/plpks: fix kernel-doc comment inconsistencies
>> powerpc/pseries: move the PLPKS config inside its own sysfs directory
>> pseries/plpks: expose PowerVM wrapping features via the sysfs
>> pseries/plpks: add HCALLs for PowerVM Key Wrapping Module
>> keys/trusted_keys: establish PKWM as a trusted source
>>
>> .../ABI/testing/sysfs-firmware-plpks | 58 ++
>> Documentation/ABI/testing/sysfs-secvar | 65 --
>> .../admin-guide/kernel-parameters.txt | 1 +
>> Documentation/arch/powerpc/papr_hcalls.rst | 43 ++
>> .../security/keys/trusted-encrypted.rst | 50 ++
>> MAINTAINERS | 9 +
>> arch/powerpc/include/asm/hvcall.h | 4 +-
>> arch/powerpc/include/asm/plpks.h | 95 +--
>> arch/powerpc/include/asm/secvar.h | 1 -
>> arch/powerpc/kernel/secvar-sysfs.c | 21 +-
>> arch/powerpc/platforms/pseries/Makefile | 2 +-
>> arch/powerpc/platforms/pseries/plpks-secvar.c | 29 -
>> arch/powerpc/platforms/pseries/plpks-sysfs.c | 96 +++
>> arch/powerpc/platforms/pseries/plpks.c | 688 +++++++++++++++++-
>> include/keys/trusted-type.h | 7 +-
>> include/keys/trusted_pkwm.h | 33 +
>> security/keys/trusted-keys/Kconfig | 8 +
>> security/keys/trusted-keys/Makefile | 2 +
>> security/keys/trusted-keys/trusted_core.c | 6 +-
>> security/keys/trusted-keys/trusted_pkwm.c | 190 +++++
>> 20 files changed, 1207 insertions(+), 201 deletions(-)
>> create mode 100644 Documentation/ABI/testing/sysfs-firmware-plpks
>> create mode 100644 arch/powerpc/platforms/pseries/plpks-sysfs.c
>> create mode 100644 include/keys/trusted_pkwm.h
>> create mode 100644 security/keys/trusted-keys/trusted_pkwm.c
>>
>