Commit c99fcb0d authored by Srish Srinivasan's avatar Srish Srinivasan Committed by Madhavan Srinivasan

keys/trusted_keys: establish PKWM as a trusted source



The wrapping key does not exist by default and is generated by the
hypervisor as a part of PKWM initialization. This key is then persisted by
the hypervisor and is used to wrap trusted keys. These are variable length
symmetric keys, which in the case of PowerVM Key Wrapping Module (PKWM) are
generated using the kernel RNG. PKWM can be used as a trust source through
the following example keyctl commands:

keyctl add trusted my_trusted_key "new 32" @u

Use the wrap_flags command option to set the secure boot requirement for
the wrapping request through the following keyctl commands

case1: no secure boot requirement. (default)
keyctl usage: keyctl add trusted my_trusted_key "new 32" @u
	      OR
	      keyctl add trusted my_trusted_key "new 32 wrap_flags=0x00" @u

case2: secure boot required to be in either audit or enforce mode. set bit 0
keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x01" @u

case3: secure boot required to be in enforce mode. set bit 1
keyctl usage: keyctl add trusted my_trusted_key "new 32 wrap_flags=0x02" @u

NOTE:
-> Setting the secure boot requirement is NOT a must.
-> Only either of the secure boot requirement options should be set. Not
both.
-> All the other bits are required to be not set.
-> Set the kernel parameter trusted.source=pkwm to choose PKWM as the
backend for trusted keys implementation.
-> CONFIG_PSERIES_PLPKS must be enabled to build PKWM.

Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform
KeyStore, as a new trust source for trusted keys.

Signed-off-by: default avatarSrish Srinivasan <ssrish@linux.ibm.com>
Tested-by: default avatarNayna Jain <nayna@linux.ibm.com>
Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarNayna Jain <nayna@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarMadhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260127145228.48320-6-ssrish@linux.ibm.com
parent 133aa79e
+9 −0
@@ -14003,6 +14003,15 @@ S: Supported
F:	include/keys/trusted_dcp.h
F:	security/keys/trusted-keys/trusted_dcp.c
KEYS-TRUSTED-PLPKS
M:	Srish Srinivasan <ssrish@linux.ibm.com>
M:	Nayna Jain <nayna@linux.ibm.com>
L:	linux-integrity@vger.kernel.org
L:	keyrings@vger.kernel.org
S:	Supported
F:	include/keys/trusted_pkwm.h
F:	security/keys/trusted-keys/trusted_pkwm.c
KEYS-TRUSTED-TEE
M:	Sumit Garg <sumit.garg@kernel.org>
L:	linux-integrity@vger.kernel.org
+6 −1
@@ -19,7 +19,11 @@

#define MIN_KEY_SIZE			32
#define MAX_KEY_SIZE			128
#if IS_ENABLED(CONFIG_TRUSTED_KEYS_PKWM)
#define MAX_BLOB_SIZE			1152
#else
#define MAX_BLOB_SIZE                   512
#endif
#define MAX_PCRINFO_SIZE		64
#define MAX_DIGEST_SIZE			64

@@ -46,6 +50,7 @@ struct trusted_key_options {
	uint32_t policydigest_len;
	unsigned char policydigest[MAX_DIGEST_SIZE];
	uint32_t policyhandle;
	void *private;
};

struct trusted_key_ops {
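Review bot: The new `void *private;` member of `struct trusted_key_options` carries no comment saying who allocates it, who frees it, or whether it may be NULL for trust sources that do not use it. The struct starts above this hunk and the code that allocates and releases the options is not visible here, so this is a request for documentation rather than a confirmed leak; something like `void *private;	/* trust-source specific options; allocated and freed by the backend */` would make the contract explicit. Separately, the `#define MAX_BLOB_SIZE                   512` line in the `#else` branch is aligned with spaces while the neighbouring defines use tabs.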
+33 −0
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __PKWM_TRUSTED_KEY_H
#define __PKWM_TRUSTED_KEY_H

#include <keys/trusted-type.h>
#include <linux/bitops.h>
#include <linux/printk.h>

extern struct trusted_key_ops pkwm_trusted_key_ops;

struct trusted_pkwm_options {
	u16 wrap_flags;
};

static inline void dump_options(struct trusted_key_options *o)
{
	const struct trusted_pkwm_options *pkwm;
	bool sb_audit_or_enforce_bit;
	bool sb_enforce_bit;

	pkwm = o->private;
	sb_audit_or_enforce_bit = pkwm->wrap_flags & BIT(0);
	sb_enforce_bit = pkwm->wrap_flags & BIT(1);

	if (sb_audit_or_enforce_bit)
		pr_debug("secure boot mode required: audit or enforce");
	else if (sb_enforce_bit)
		pr_debug("secure boot mode required: enforce");
	else
		pr_debug("secure boot mode required: disabled");
}

#endif
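Review bot: `dump_options()` reads `pkwm->wrap_flags` immediately after `pkwm = o->private;` with no NULL check, so options whose `private` was never set would cause a NULL pointer dereference; the callers are not part of this section, so whether that can happen cannot be confirmed from here. A guard such as `if (!pkwm) return;` before the two flag reads would make the helper safe on its own. The three `pr_debug()` strings also lack a trailing newline, e.g. `pr_debug("secure boot mode required: enforce\n");`. Since this is a `static inline` in a header, a prefixed name such as `pkwm_dump_options` would avoid a clash if another trust-source header defines a helper with the same generic name.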
+8 −0
@@ -46,6 +46,14 @@ config TRUSTED_KEYS_DCP
	help
	  Enable use of NXP's DCP (Data Co-Processor) as trusted key backend.

config TRUSTED_KEYS_PKWM
	bool "PKWM-based trusted keys"
	depends on PSERIES_PLPKS >= TRUSTED_KEYS
	default y
	select HAVE_TRUSTED_KEYS
	help
	  Enable use of IBM PowerVM Key Wrapping Module (PKWM) as a trusted key backend.

if !HAVE_TRUSTED_KEYS
	comment "No trust source selected!"
endif
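Review bot: `default y` on `TRUSTED_KEYS_PKWM` means every build that satisfies the `PSERIES_PLPKS` dependency also gets the 1152-byte `MAX_BLOB_SIZE` from this commit's `#if IS_ENABLED(CONFIG_TRUSTED_KEYS_PKWM)` block. That limit is fixed at compile time, so it applies to whichever trust source is selected at boot, not only PKWM. If this is intended, the help text is a good place to say so, together with the runtime selection the commit message describes, e.g. `Select this backend at boot with trusted.source=pkwm.` The current one-line help gives an administrator no hint of either point.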
+2 −0
@@ -16,3 +16,5 @@ trusted-$(CONFIG_TRUSTED_KEYS_TEE) += trusted_tee.o
trusted-$(CONFIG_TRUSTED_KEYS_CAAM) += trusted_caam.o

trusted-$(CONFIG_TRUSTED_KEYS_DCP) += trusted_dcp.o

trusted-$(CONFIG_TRUSTED_KEYS_PKWM) += trusted_pkwm.o