On 1/27/26 9:52 AM, Srish Srinivasan wrote:
Power11 has introduced a feature called the PowerVM Key Wrapping Module (PKWM), where PowerVM in combination with Power LPAR Platform KeyStore (PLPKS) [1] supports a new feature called "Key Wrapping" [2] to protect user secrets by wrapping them using a hypervisor generated wrapping key. This wrapping key is an AES-GCM-256 symmetric key that is stored as an object in the PLPKS. It has policy based protections that prevents it from being read out or exposed to the user. This wrapping key can then be used by the OS to wrap or unwrap secrets via hypervisor calls. This patchset intends to add the PKWM, which is a combination of IBM PowerVM and PLPKS, as a new trust source for trusted keys. The wrapping key does not exist by default and its generation is requested by the kernel at the time of PKWM initialization. This key is then persisted by the PKWM and is used for wrapping any kernel provided key, and is never exposed to the user. The kernel is aware of only the label to this wrapping key. Along with the PKWM implementation, this patchset includes two preparatory patches: one fixing the kernel-doc inconsistencies in the PLPKS code and another reorganizing PLPKS config variables in the sysfs.
Tested the entire patch series. Seems to work as expected. Tested-by: Nayna Jain <[email protected]> Thanks & Regards, - Nayna
