From nobody Sun Feb  8 11:43:10 2026
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A8A735CBD2;
	Tue, 27 Jan 2026 14:53:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=148.163.156.1
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769525604; cv=none;
 b=Of2fOj2CSwybA/o5DRkxPYCvXG0a9CHKf0sY8xGbEJqZZhmpWii6S3eTzp6wV/OcyRyig7j0FwMV09iEp0HFJ3cEmV6/ip3omgWbC/6WGKqS1rRsmQTNb91SL13ar2+nea5hgaNoG44uVDWz/QF/gRBDkgAIORYGdmLCyqDNLSk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1769525604; c=relaxed/simple;
	bh=XCefpgXUxyNEKk/AXlmykIVBUmEW8jSfP/BPAzjGEUk=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=KChMuCpEMNgP37ZFay/rw5lAAkrWQbU3hBDg7+lA03w0RA34Sf9bNDZ9lTT7UOVFLb3uvGcl+PX4ii39EMh2cx2gTmN2Vn4q3tYnluDJGF74BK1q9jqnkBVYCLZtWm8wO2nw2CSpG1ByjJjA77lrefN9lrJG3dux7HmasRcV9aE=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.ibm.com;
 spf=pass smtp.mailfrom=linux.ibm.com;
 dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com
 header.b=aIIK/G6D; arc=none smtp.client-ip=148.163.156.1
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linux.ibm.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linux.ibm.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com
 header.b="aIIK/G6D"
Received: from pps.filterd (m0353729.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id
 60R7ARnZ014072;
	Tue, 27 Jan 2026 14:53:10 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc
	:content-transfer-encoding:date:from:in-reply-to:message-id
	:mime-version:references:subject:to; s=pp1; bh=3AlJIuHueyJfodCUq
	PQr+cGMD8wjDvVNfPBSHGCosjo=; b=aIIK/G6D7xUQhPZveW4m6hEsthJMthQDr
	dnKuBMl7mIzu97ifjyAm0juOrlxGC9Xa5FeZTBznYyTG6JGKHmGxw+6/cG+oscp+
	g8MsNpRBG+9ggvewJVnB0Te5ncPkAvxktuKMCG2GuWuWa5MFKAhg3lfcZKpBUAiy
	RIKFCN1MWfq9lZOdnNPXgPxVw2F5XGRUGql+mbss8IQowuwu/Avx5d0b87bL/UtJ
	0sMre6oPIvVY0SSFeuVXNY2F5Pte2B9SYDDEXG+68oKW+ojG7H2jUFceecI8tbjZ
	CMiYlQORWgGOoOJ3PPQIUIXHrzF9SguEAFb04QiLW/kxmJOnZ2t5w==
Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4bvnrtdvxv-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Tue, 27 Jan 2026 14:53:10 +0000 (GMT)
Received: from m0353729.ppops.net (m0353729.ppops.net [127.0.0.1])
	by pps.reinject (8.18.1.12/8.18.0.8) with ESMTP id 60REr9mo016361;
	Tue, 27 Jan 2026 14:53:10 GMT
Received: from ppma22.wdc07v.mail.ibm.com
 (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92])
	by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4bvnrtdvxr-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Tue, 27 Jan 2026 14:53:09 +0000 (GMT)
Received: from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1])
	by ppma22.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id
 60RD0rg9006737;
	Tue, 27 Jan 2026 14:53:08 GMT
Received: from smtprelay05.fra02v.mail.ibm.com ([9.218.2.225])
	by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4bw8sy94r8-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Tue, 27 Jan 2026 14:53:08 +0000
Received: from smtpav02.fra02v.mail.ibm.com (smtpav02.fra02v.mail.ibm.com
 [10.20.54.101])
	by smtprelay05.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 60REr4Bq46268850
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Tue, 27 Jan 2026 14:53:04 GMT
Received: from smtpav02.fra02v.mail.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id C46A32004B;
	Tue, 27 Jan 2026 14:53:04 +0000 (GMT)
Received: from smtpav02.fra02v.mail.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 5D41220040;
	Tue, 27 Jan 2026 14:53:01 +0000 (GMT)
Received: from li-fc74f8cc-3279-11b2-a85c-ef5828687581.ibm.com.com (unknown
 [9.124.210.108])
	by smtpav02.fra02v.mail.ibm.com (Postfix) with ESMTP;
	Tue, 27 Jan 2026 14:53:00 +0000 (GMT)
From: Srish Srinivasan <ssrish@linux.ibm.com>
To: linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
        linuxppc-dev@lists.ozlabs.org
Cc: maddy@linux.ibm.com, mpe@ellerman.id.au, npiggin@gmail.com,
        christophe.leroy@csgroup.eu, James.Bottomley@HansenPartnership.com,
        jarkko@kernel.org, zohar@linux.ibm.com, nayna@linux.ibm.com,
        rnsastry@linux.ibm.com, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, ssrish@linux.ibm.com
Subject: [PATCH v5 6/6] docs: trusted-encryped: add PKWM as a new trust source
Date: Tue, 27 Jan 2026 20:22:28 +0530
Message-ID: <20260127145228.48320-7-ssrish@linux.ibm.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260127145228.48320-1-ssrish@linux.ibm.com>
References: <20260127145228.48320-1-ssrish@linux.ibm.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: eGqTO_9vNmTSjSLiqNmrGVdlw7BiDUz7
X-Authority-Analysis: v=2.4 cv=Uptu9uwB c=1 sm=1 tr=0 ts=6978d156 cx=c_pps
 a=5BHTudwdYE3Te8bg5FgnPg==:117 a=5BHTudwdYE3Te8bg5FgnPg==:17
 a=vUbySO9Y5rIA:10 a=VkNPw1HP01LnGYTKEx00:22 a=VnNF1IyMAAAA:8
 a=ULK339cd-4IVAxCgyX4A:9
X-Proofpoint-ORIG-GUID: JLSNF7j7hRtVaLT0RnF5jsQyLH2OEOz1
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMTI3MDEyMSBTYWx0ZWRfX4cUkFswFFsJu
 EuaOOor/xWO+QGKh/XDApT/ukR/Q/OobJEubvDEz0NlpBlY1EDYjTbV2Y17SCRsK/dMuGjMcSfE
 SIAEmmGwUweguFUDoNQ6YrA/qRWYLVjR3tym9hemdvEA+VJsVQNFbKMkwqjwil67QwCPmSPAzgJ
 hW1KLlP1v2MZky0QfrMITA6iEpFRzbAyRnhWMWFx1YxDAs3nllx0Fr99hAeforozwebeGupCfhV
 mZ2ZqQjosAn1r6qotjNkElrW7GHKcuIsAAx/MH7rykD9vEyAaZnxrbEO19pvUNbN9tnRkwojcMY
 BnS2vQeOfVt7lpx7FqnTF8YFGtYTa5cX2F5sEn0lv+wDoFExG9tyO6DiUVwed2EYo9ZKrF95tLt
 ms6AXg+yplXXQ3vjpOPzzcBVWD+qIQncc2cr+Q3ZqZR8N04ZY6bCeY4uCnwhzrCYYHbRwuRMvsL
 owgX1CA2Z5WKjk2ydJQ==
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.51,FMLib:17.12.100.49
 definitions=2026-01-27_03,2026-01-27_02,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 malwarescore=0 priorityscore=1501 clxscore=1015 lowpriorityscore=0
 phishscore=0 adultscore=0 impostorscore=0 bulkscore=0 spamscore=0
 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc=
 route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2601150000
 definitions=main-2601270121
Content-Type: text/plain; charset="utf-8"

From: Nayna Jain <nayna@linux.ibm.com>

Update Documentation/security/keys/trusted-encrypted.rst and Documentation/
admin-guide/kernel-parameters.txt with PowerVM Key Wrapping Module (PKWM)
as a new trust source

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 .../admin-guide/kernel-parameters.txt         |  1 +
 .../security/keys/trusted-encrypted.rst       | 50 +++++++++++++++++++
 2 files changed, 51 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio=
n/admin-guide/kernel-parameters.txt
index 1058f2a6d6a8..aac15079b33d 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -7790,6 +7790,7 @@ Kernel parameters
 			- "tee"
 			- "caam"
 			- "dcp"
+			- "pkwm"
 			If not specified then it defaults to iterating through
 			the trust source list starting with TPM and assigns the
 			first trust source as a backend which is initialized
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentat=
ion/security/keys/trusted-encrypted.rst
index eae6a36b1c9a..ddff7c7c2582 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -81,6 +81,14 @@ safe.
          and the UNIQUE key. Default is to use the UNIQUE key, but selecti=
ng
          the OTP key can be done via a module parameter (dcp_use_otp_key).
=20
+     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStor=
e)
+
+         Rooted to a unique, per-LPAR key, which is derived from a system-=
wide,
+         randomly generated LPAR root key. Both the per-LPAR keys and the =
LPAR
+         root key are stored in hypervisor-owned secure memory at runtime,
+         and the LPAR root key is additionally persisted in secure locatio=
ns
+         such as the processor SEEPROMs and encrypted NVRAM.
+
   *  Execution isolation
=20
      (1) TPM
@@ -102,6 +110,14 @@ safe.
          environment. Only basic blob key encryption is executed there.
          The actual key sealing/unsealing is done on main processor/kernel=
 space.
=20
+     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStor=
e)
+
+         Fixed set of cryptographic operations done on on-chip hardware
+         cryptographic acceleration unit NX. Keys for wrapping and unwrapp=
ing
+         are managed by PowerVM Platform KeyStore, which stores keys in an
+         isolated in-memory copy in secure hypervisor memory, as well as i=
n a
+         persistent copy in hypervisor-encrypted NVRAM.
+
   * Optional binding to platform integrity state
=20
      (1) TPM
@@ -129,6 +145,11 @@ safe.
          Relies on Secure/Trusted boot process (called HAB by vendor) for
          platform integrity.
=20
+     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStor=
e)
+
+         Relies on secure and trusted boot process of IBM Power systems for
+         platform integrity.
+
   *  Interfaces and APIs
=20
      (1) TPM
@@ -149,6 +170,11 @@ safe.
          Vendor-specific API that is implemented as part of the DCP crypto=
 driver in
          ``drivers/crypto/mxs-dcp.c``.
=20
+     (5) PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStor=
e)
+
+         Platform Keystore has well documented interfaces in PAPR document.
+         Refer to ``Documentation/arch/powerpc/papr_hcalls.rst``
+
   *  Threat model
=20
      The strength and appropriateness of a particular trust source for a g=
iven
@@ -191,6 +217,10 @@ selected trust source:
      a dedicated hardware RNG that is independent from DCP which can be en=
abled
      to back the kernel RNG.
=20
+   * PKWM (PowerVM Key Wrapping Module: IBM PowerVM + Platform KeyStore)
+
+     The normal kernel random number generator is used to generate keys.
+
 Users may override this by specifying ``trusted.rng=3Dkernel`` on the kern=
el
 command-line to override the used RNG with the kernel's random number pool.
=20
@@ -321,6 +351,26 @@ Usage::
 specific to this DCP key-blob implementation.  The key length for new keys=
 is
 always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
=20
+Trusted Keys usage: PKWM
+------------------------
+
+Usage::
+
+    keyctl add trusted name "new keylen [options]" ring
+    keyctl add trusted name "load hex_blob" ring
+    keyctl print keyid
+
+    options:
+       wrap_flags=3D   ascii hex value of security policy requirement
+                       0x00: no secure boot requirement (default)
+                       0x01: require secure boot to be in either audit or
+                             enforced mode
+                       0x02: require secure boot to be in enforced mode
+
+"keyctl print" returns an ASCII hex copy of the sealed key, which is in fo=
rmat
+specific to PKWM key-blob implementation.  The key length for new keys is
+always in bytes. Trusted Keys can be 32 - 128 bytes (256 - 1024 bits).
+
 Encrypted Keys usage
 --------------------
=20
--=20
2.47.3