On Wed, 2025-12-17 at 22:55 +0530, Srish Srinivasan wrote:
> The wrapping key does not exist by default and is generated by the
> hypervisor as a part of PKWM initialization. This key is then persisted by
> the hypervisor and is used to wrap trusted keys. These are variable length
> symmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are
> generated using the kernel RNG. PKWM can be used as a trust source through
> the following example keyctl command

-> commands:

>
> keyctl add trusted my_trusted_key "new 32" @u
>
> Use the wrap_flags command option to set the secure boot requirement for
> the wrapping request through the following keyctl commands
>
> case1: no secure boot requirement. (default)
> keyctl usage: keyctl add trusted my_trusted_key "new 32" @u
> OR
> keyctl add trusted my_trusted_key "new 32 wrap_flags=0x00" @u
>
> case2: secure boot required to be in either audit or enforce mode. set bit 0
> keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x01" @u
>
> case3: secure boot required to be in enforce mode. set bit 1
> keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x02" @u
>
> NOTE:
> -> Setting the secure boot requirement is NOT a must.
> -> Only either of the secure boot requirement options should be set. Not
> both.
> -> All the other bits are requied to be not set.

-> required

> -> Set the kernel parameter trusted.source=pkwm to choose PKWM as the
> backend for trusted keys implementation.
> -> CONFIG_PSERIES_PLPKS must be enabled to build PKWM.
>
> Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform
> KeyStore, as a new trust source for trusted keys.
>
> Signed-off-by: Srish Srinivasan <[email protected]>

Thanks, Srish. Other than fixing the typo and other suggestion above,

Reviewed-by: Mimi Zohar <[email protected]>
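The wrap_flags rules quoted above (bit 0 or bit 1, never both, all other bits clear) are easy to get wrong by hand, so here is an added POSIX sh helper, not part of the patch or of either poster's message, that validates a wrap_flags value and prints the matching keyctl line; the function names pkwm_wrap_flags_valid, pkwm_wrap_flags_describe and pkwm_keyctl_cmd are this example's own, and it assumes a kernel booted with trusted.source=pkwm for the printed command to mean anything.

```sh
#!/bin/sh
# Added example (not from the patch): check a PKWM wrap_flags value against
# the rules in the commit message and build the keyctl command for it.
# Nothing here talks to the kernel; it only validates and prints.

# Return 0 if FLAGS (hex or decimal literal) is a permitted wrap_flags value:
# 0x00 (no requirement), 0x01 (audit or enforce), 0x02 (enforce only).
pkwm_wrap_flags_valid() {
    flags=$(( $1 ))          # arithmetic expansion accepts 0x.. literals
    # bits above bit 1 must be clear, and bits 0 and 1 must not both be set
    [ $(( flags & ~3 )) -eq 0 ] && [ $(( flags & 3 )) -ne 3 ]
}

# Print the secure boot requirement encoded in the low two bits of FLAGS.
pkwm_wrap_flags_describe() {
    flags=$(( $1 ))
    case $(( flags & 3 )) in
        0) echo "no secure boot requirement" ;;
        1) echo "secure boot must be in audit or enforce mode" ;;
        2) echo "secure boot must be in enforce mode" ;;
        *) echo "invalid: both secure boot bits set" ;;
    esac
}

# Print the keyctl command that creates a new LEN-byte trusted key NAME
# with wrap flags FLAGS (default 0x00); refuse invalid flag combinations.
pkwm_keyctl_cmd() {
    name=$1; len=$2; flags=${3:-0x00}
    pkwm_wrap_flags_valid "$flags" || {
        echo "bad wrap_flags: $flags ($(pkwm_wrap_flags_describe "$flags"))" >&2
        return 1
    }
    printf 'keyctl add trusted %s "new %s wrap_flags=0x%02x" @u\n' \
        "$name" "$len" $(( flags ))
}
```

Run the printed command on the target LPAR, for example `pkwm_keyctl_cmd my_trusted_key 32 0x02` for a key that may only be unwrapped while secure boot is enforcing.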
