<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/source/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in Kconfig</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator><item>
        <title>4d05e948cebe03974ab9927daee55273207fdc22 - KEYS: trusted: Debugging as a feature</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#4d05e948cebe03974ab9927daee55273207fdc22</link>
        <description>KEYS: trusted: Debugging as a feature

TPM_DEBUG, and other similar flags, are a non-standard way to specify a
feature in the Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted
keys, and use it to replace these ad-hoc feature flags.

Given that trusted keys debug dumps can contain sensitive data, harden the
feature as follows:

1. In the Kconfig description postulate that pr_debug() statements must be
   used.
2. Use pr_debug() statements in the TPM 1.x driver to print the protocol dump.
3. Require trusted.debug=1 on the kernel command line (default: 0) to
   activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y.

Traces, when actually needed, can be easily enabled by providing
trusted.dyndbg=&apos;+p&apos; and trusted.debug=1 on the kernel command line.

Reported-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;
Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/
Reviewed-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;
Tested-by: Srish Srinivasan &lt;ssrish@linux.ibm.com&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Thu, 09 Apr 2026 18:07:51 +0200</pubDate>
        <dc:creator>Jarkko Sakkinen &lt;jarkko@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>c99fcb0d735bdb6f06dfe6eb7134d5d988d32dae - keys/trusted_keys: establish PKWM as a trusted source</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#c99fcb0d735bdb6f06dfe6eb7134d5d988d32dae</link>
        <description>keys/trusted_keys: establish PKWM as a trusted source

The wrapping key does not exist by default and is generated by the
hypervisor as a part of PKWM initialization. This key is then persisted by
the hypervisor and is used to wrap trusted keys. These are variable length
symmetric keys, which in the case of the PowerVM Key Wrapping Module (PKWM) are
generated using the kernel RNG. PKWM can be used as a trust source through
the following example keyctl commands:

keyctl add trusted my_trusted_key &quot;new 32&quot; @u

Use the wrap_flags command option to set the secure boot requirement for
the wrapping request through the following keyctl commands:

case1: no secure boot requirement. (default)
keyctl usage: keyctl add trusted my_trusted_key &quot;new 32&quot; @u
	      OR
	      keyctl add trusted my_trusted_key &quot;new 32 wrap_flags=0x00&quot; @u

case2: secure boot required to be in either audit or enforce mode. set bit 0
keyctl usage: keyctl add trusted my_trusted_key &quot;new 32 wrap_flags=0x01&quot; @u

case3: secure boot required to be in enforce mode. set bit 1
keyctl usage: keyctl add trusted my_trusted_key &quot;new 32 wrap_flags=0x02&quot; @u

NOTE:
-&gt; Setting the secure boot requirement is NOT a must.
-&gt; Only either of the secure boot requirement options should be set. Not both.
-&gt; All the other bits are required to be not set.
-&gt; Set the kernel parameter trusted.source=pkwm to choose PKWM as the
   backend for the trusted keys implementation.
-&gt; CONFIG_PSERIES_PLPKS must be enabled to build PKWM.

Add PKWM, which is a combination of IBM PowerVM and Power LPAR Platform
KeyStore, as a new trust source for trusted keys.

Signed-off-by: Srish Srinivasan &lt;ssrish@linux.ibm.com&gt;
Tested-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;
Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Reviewed-by: Nayna Jain &lt;nayna@linux.ibm.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Madhavan Srinivasan &lt;maddy@linux.ibm.com&gt;
Link: https://patch.msgid.link/20260127145228.48320-6-ssrish@linux.ibm.com

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Tue, 27 Jan 2026 15:52:27 +0100</pubDate>
        <dc:creator>Srish Srinivasan &lt;ssrish@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>366284cfbc8ff4110c00fc23285449f53df739a7 - KEYS: trusted_tpm1: Use SHA-1 library instead of crypto_shash</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#366284cfbc8ff4110c00fc23285449f53df739a7</link>
        <description>KEYS: trusted_tpm1: Use SHA-1 library instead of crypto_shash

Use the SHA-1 and HMAC-SHA1 library functions instead of crypto_shash.
This is simpler and faster.

Replace the selection of CRYPTO, CRYPTO_HMAC, and CRYPTO_SHA1 with
CRYPTO_LIB_SHA1 and CRYPTO_LIB_UTILS.  The latter is needed for
crypto_memneq() which was previously being pulled in via CRYPTO.

Signed-off-by: Eric Biggers &lt;ebiggers@kernel.org&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Sat, 09 Aug 2025 19:19:40 +0200</pubDate>
        <dc:creator>Eric Biggers &lt;ebiggers@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>2e8a0f40a39cc253002f21c54e1b5b995e5ec510 - KEYS: trusted: Introduce NXP DCP-backed trusted keys</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#2e8a0f40a39cc253002f21c54e1b5b995e5ec510</link>
        <description>KEYS: trusted: Introduce NXP DCP-backed trusted keys

DCP (Data Co-Processor) is the little brother of NXP&apos;s CAAM IP.
Besides accelerated crypto operations, it also offers support for
hardware-bound keys. Using this feature it is possible to implement a blob
mechanism similar to what CAAM offers. Unlike on CAAM, constructing and
parsing the blob has to happen in software (i.e. the kernel).

The software-based blob format used by DCP trusted keys encrypts
the payload using AES-128-GCM with a freshly generated random key and nonce.
The random key itself is AES-128-ECB encrypted using the DCP unique
or OTP key.

The DCP trusted key blob format is:

/*
 * struct dcp_blob_fmt - DCP BLOB format.
 *
 * @fmt_version: Format version, currently being %1
 * @blob_key: Random AES 128 key which is used to encrypt @payload,
 *            @blob_key itself is encrypted with OTP or UNIQUE device key in
 *            AES-128-ECB mode by DCP.
 * @nonce: Random nonce used for @payload encryption.
 * @payload_len: Length of the plain text @payload.
 * @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
 *           GCM auth tag of size AES_BLOCK_SIZE is attached at the end of it.
 *
 * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + @payload_len +
 * AES_BLOCK_SIZE.
 */
struct dcp_blob_fmt {
	__u8 fmt_version;
	__u8 blob_key[AES_KEYSIZE_128];
	__u8 nonce[AES_KEYSIZE_128];
	__le32 payload_len;
	__u8 payload[];
} __packed;

By default the unique key is used. It is also possible to use the
OTP key. While the unique key should be unique it is not documented how
this key is derived. Therefore selecting the OTP key is supported as
well via the use_otp_key module parameter.

Co-developed-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Co-developed-by: David Oberhollenzer &lt;david.oberhollenzer@sigma-star.at&gt;
Signed-off-by: David Oberhollenzer &lt;david.oberhollenzer@sigma-star.at&gt;
Signed-off-by: David Gstir &lt;david@sigma-star.at&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Wed, 03 Apr 2024 09:21:19 +0200</pubDate>
        <dc:creator>David Gstir &lt;david@sigma-star.at&gt;</dc:creator>
    </item>
<item>
        <title>633cb72fb6969e420518fee4b2ae6040688ecc5a - KEYS: trusted: improve scalability of trust source config</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#633cb72fb6969e420518fee4b2ae6040688ecc5a</link>
        <description>KEYS: trusted: improve scalability of trust source config

Enabling trusted keys requires at least one trust source implementation
(currently TPM, TEE or CAAM) to be enabled. Currently, this is
done by checking each trust source&apos;s config option individually.
This does not scale when more trust sources like the one for DCP
are added, because the condition will get long and hard to read.

Add config HAVE_TRUSTED_KEYS which is set to true by each trust source
once it&apos;s enabled and adapt the check for having at least one active trust
source to use this option. Whenever a new trust source is added, it now
needs to select HAVE_TRUSTED_KEYS.

Signed-off-by: David Gstir &lt;david@sigma-star.at&gt;
Tested-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt; # for TRUSTED_KEYS_TPM
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Wed, 03 Apr 2024 09:21:18 +0200</pubDate>
        <dc:creator>David Gstir &lt;david@sigma-star.at&gt;</dc:creator>
    </item>
<item>
        <title>e9c5048c2de1913d0bcd589bc1487810c2e24bc1 - KEYS: trusted: Introduce support for NXP CAAM-based trusted keys</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#e9c5048c2de1913d0bcd589bc1487810c2e24bc1</link>
        <description>KEYS: trusted: Introduce support for NXP CAAM-based trusted keys

The Cryptographic Acceleration and Assurance Module (CAAM) is an IP core
built into many newer i.MX and QorIQ SoCs by NXP.

The CAAM does crypto acceleration, hardware number generation and
has a blob mechanism for encapsulation/decapsulation of sensitive material.

This blob mechanism depends on a device specific random 256-bit One Time
Programmable Master Key that is fused in each SoC at manufacturing
time. This key is unreadable and can only be used by the CAAM for AES
encryption/decryption of user data.

This makes it a suitable backend (source) for kernel trusted keys.

Previous commits generalized trusted keys to support multiple backends
and added an API to access the CAAM blob mechanism. Based on these,
provide the necessary glue to use the CAAM for trusted keys.

Reviewed-by: David Gstir &lt;david@sigma-star.at&gt;
Reviewed-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Tested-by: Tim Harvey &lt;tharvey@gateworks.com&gt;
Tested-by: Matthias Schiffer &lt;matthias.schiffer@ew.tq-group.com&gt;
Tested-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Michael Walle &lt;michael@walle.cc&gt; # on ls1028a (non-E and E)
Tested-by: John Ernberg &lt;john.ernberg@actia.se&gt; # iMX8QXP
Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Fri, 13 May 2022 16:57:03 +0200</pubDate>
        <dc:creator>Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;</dc:creator>
    </item>
<item>
        <title>be07858fbf8115fc74528292c2ee8775fe49116f - KEYS: trusted: allow use of TEE as backend without TCG_TPM support</title>
        <link>http://kernelsources.org:8080/source/history/linux/security/keys/trusted-keys/Kconfig#be07858fbf8115fc74528292c2ee8775fe49116f</link>
        <description>KEYS: trusted: allow use of TEE as backend without TCG_TPM support

With recent rework, trusted keys are no longer limited to TPM as trust
source. The Kconfig symbol is unchanged, however, leading to a few issues:

  - TCG_TPM is required, even if only TEE is to be used
  - Enabling TCG_TPM, but excluding it from available trusted sources
    is not possible
  - TEE=m &amp;&amp; TRUSTED_KEYS=y will lead to TEE support being silently
    dropped, which is not the best user experience

Remedy these issues by introducing two new boolean Kconfig symbols:
TRUSTED_KEYS_TPM and TRUSTED_KEYS_TEE with the appropriate
dependencies.

Any new code depending on the TPM trusted key backend in particular
or symbols exported by it will now need to explicitly state that it

  depends on TRUSTED_KEYS &amp;&amp; TRUSTED_KEYS_TPM

The latter to ensure the dependency is built and the former to ensure
it&apos;s reachable for module builds. There are no such users yet.

Reviewed-by: Sumit Garg &lt;sumit.garg@linaro.org&gt;
Reviewed-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;
Reviewed-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;
Tested-by: Andreas Rammhold &lt;andreas@rammhold.de&gt;
Tested-by: Tim Harvey &lt;tharvey@gateworks.com&gt;
Tested-by: Michael Walle &lt;michael@walle.cc&gt; # on ls1028a (non-E and E)
Tested-by: John Ernberg &lt;john.ernberg@actia.se&gt; # iMX8QXP
Signed-off-by: Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;
Signed-off-by: Jarkko Sakkinen &lt;jarkko@kernel.org&gt;

            List of files:
            /linux/security/keys/trusted-keys/Kconfig</description>
        <pubDate>Fri, 13 May 2022 16:56:59 +0200</pubDate>
        <dc:creator>Ahmad Fatoum &lt;a.fatoum@pengutronix.de&gt;</dc:creator>
    </item>
</channel>
</rss>
