qemu-ppc

Request for guidance: implementing Platform Key Store


From: Daniel Axtens
Subject: Request for guidance: implementing Platform Key Store
Date: Wed, 12 May 2021 10:33:42 +1000

Hi all,

PowerVM recently added a new feature called the Platform Key Store
(sometimes referred to as Partition Key Store), PKS. See
e.g. https://community.ibm.com/community/user/power/blogs/chris-engel1/2020/11/20/powervm-introduces-the-platform-keystore

I'd like to add some PKS support to qemu - it makes it much easier for
me to develop and test some code that I am writing which will make use
of the PKS.

What would you suggest as the best way to implement this in qemu?

 - I looked at UEFI variables, which seemed to have a similar sort of
   access model (in that access is mediated by firmware) - but they are
   implemented using pflash which seems to be based around emulation of
   a particular low level set of parallel flash chips.

 - The other thing that seemed possible to me was nvram - there are
   already nvram modules for SPAPR that expect to be addressed entirely
   via RTAS calls, so that paravirtualised model already exists.

For what it's worth the access model for PKS is entirely via
hcalls. Unlike existing nvram or pflash, the hypervisor is responsible
for laying out data in the store, not the guest: it's basically a
managed, encrypted key-value store.

I wasn't intending to implement any of PowerVM's protection of the PKS
against malicious machine administrators - I figured because the trust
model for qemu is already so different I would start with just having
the PKS stored unencrypted on the host disk.

Thanks in advance for any suggestions.

Kind regards,
Daniel


