View Only

PowerVM introduces Platform KeyStore

By Chris Engel posted Fri November 20, 2020 03:30 PM

Starting with system firmware FW950 and HMC 9.2.950, the Platform KeyStore (PKS) feature creates an encrypted non-volatile store. This store provides logical partitions with additional capabilities to protect sensitive information.  PowerVM provides an isolated PKS storage allocation for each partition with individually managed access controls.  A new set of hypervisor calls has also been created to allow the partitions to access their PKS storage.

Some possible use cases of this feature include:
  • Boot device encryption
  • Self encrypting drives
  • Unlocking encrypted logical volumes without requiring a passphrase
  • Public key and certificate protection
    • Secure boot public keys can be maintained by the boot loader and protected from manipulation by the kernel
  • Provide a lockable flash that is accessible during early IPL of the partition and is then locked down from further access

Platform KeyStore Features

  • AES-256 GCM encrypted KeyStore in non-volatile flash on the service processor
    • Every Power 9 system generates a unique PKS root key which is maintained and protected by PowerVM.  This key is only accessible to PowerVM and can not be extracted by a system administrator or service provider
    • See 'Platform KeyStore Storage Protection' for more information
  • Redundant copy of PKS maintained on the hardware management console (HMC) to support hardware failure and partition migration.  See 'Disaster Recovery' and 'Migrating a partition that is using Platform KeyStore' for more information
  • Unique consumers are provided to support the separation of partition firmware, boot loader and kernel
    • Each consumer maintains its own access controls
    • Every object stored in PKS is associated to a consumer
  • Consumer access is controlled via an ephemeral password
    • On every IPL of the partition, PowerVM will reset all consumer passwords to a NULL/unset value.  Until this password is set, access to any objects owned by the consumer is acquired using a NULL password.  In order to protect its objects, the consumer must generate and set a password and provide that to PKS. The consumer will then use this password for all future accesses. This behavior allows the consumer to maintain the password in protected volatile memory but the consumer is not required to persist it.
  • Object access policies enable the consumer to define optional policies that must be met to allow future access to the object.  These policies are enforced by PowerVM on every attempt to read/write/remove an object in PKS.  Examples of policies are :
    • OS secure boot must be enabled
    • World readable : Object can be read by any consumer but only written/removed by owner
    • Write once/immutable : Once written can not be overwritten or removed

Configuring the Platform KeyStore

The Platform KeyStore is configured via the management console.  It is disabled by default when creating partitions, but can be enabled during creation or added to existing partitions.  The total per partition size of PKS available can be configured from 4K bytes to 64K bytes in increments of 1K.  Changes to the PKS configuration can be made after creation but there are a few limitations:
  • This size of PKS can be increased to the maximum allowed while the partition is powered off, but reducing the size is not allowed.
  • To disable PKS on a partition, the requested size should be set to 0.  This operation will be blocked by PowerVM if it detects existing objects in storage.  PKS can be disabled while the partition is running but it can not be re-enabled
NOTE: When planning to migrate a partition with PKS enabled, please see the 'Migrating a partition that is using the Platform KeyStore' section below to complete any necessary configuration
NOTE: FW950 supports a maximum of 1MB of PKS storage per system which is available to be assigned to the partitions
More information on configuring PKS from the management console can be found here : 

Platform KeyStore Storage Protection

The Platform KeyStore for each partition is stored in the non-volatile RAM on the service processor (SP).  Prior to storing this data on the service processor, it is encrypted by keys that are only accessible to PowerVM.
The following diagram helps to explain how PowerVM is able to decrypt and protect PKS:

PowerVM procedure to access PKS on POWER9 systems
  1. The PKS root key is read from the protected anchor card (1) 
  2. The wrapped PKS root key is read from SP NVRAM (2)
  3. The Trusted Platform Modules(s) (TPM) (3) are used to unwrap the PKS root key
  4. PowerVM compares all copies of the PKS root key to ensure they match in all locations and restores any missing copies.  See 'Disaster Recovery' below to understand why
  5. PowerVM reads the encryption metadata (4) and the encrypted PKS (5) from SP NVRAM
  6. PowerVM derives a partition unique AES-256 encryption key from the PKS root key and decrypts the partition's PKS using AES-GCM mode in the POWER processor's NX accelerator unit
  7. PKS is now ready for the partitions to use
  8. When the partition modifies PKS contents, PowerVM will encrypt it and store it to SP NVRAM
    1. NOTE: The encryption and storage to SP NVRAM is handled asynchronously.  A separate h-call interface is provided to the partition to confirm the object has been completely flushed to SP NVRAM
  9. PowerVM will periodically encrypt PKS storage and store a copy on the management console as well.  See 'Disaster Recovery' below to understand why

Disaster Recovery

The PowerVM Platform KeyStore has been designed to be resilient to HW failure and part replacement.
The PKS root key that protect PKS is stored on multiple components throughout the platform.  When PowerVM detects a component has been replaced, it will restore the necessary information to the component during the next boot of the system to regain redundancy.
The partitions PKS data is stored encrypted on the service processor.  If the service processor is replaced or a 'Reset server firmware settings' operation is performed on it, then all of the PKS data will be cleared.  For this reason, PowerVM encrypts a copy of PKS for every partition and that backup copy is stored on the management console periodically.  When the HMC detects that the service processor has been cleared, it will restore PKS as part of the recovery procedure.  NOTE: When performing a profile backup from the HMC the PKS backup is included.  This means that restoring a partition from a profile backup will restore PKS to the snapshot when the backup was taken.  This means any updates to PKS that occurred after the snapshot will be lost.

Migrating a partition that is using the Platform KeyStore

PowerVM supports automatic encrypted migration of the Platform KeyStore.
NOTE: If PKS has been enabled for a partition, the management console will block migration of that partition to a target system that does not support PKS.  If nothing has been stored in PKS, PKS can be disabled for the partition, by setting the PKS size to 0 on the management console.  If PowerVM determines that PKS is empty, it will disable PKS and the migration can be re-attempted, however if PKS is not empty, the resize operation will be blocked.
Migration via active Live Partition Mobility
PowerVM previously introduced encryption of all data during LPM.  More information on this can be found here . PowerVM uses the same LPM encryption technique to transfer PKS from the source to the target destination.
Migration via Simplified Remote Restart (SRR) or Inactive LPM
In order to support SRR of PKS or Inactive LPM, you must setup a matching trusted system key on both the source and target system.  The trusted system key is used by PowerVM to generate encryption keys to encrypt the backup copy of PKS that is offloaded to the HMC.  This backup copy is used by the management console to migrate PKS to the target system during the SRR procedure.
Warning: The trusted system key must be setup on both systems ahead of time to ensure a successful SRR can be performed even if the source system is not available.
Information about how to change the trusted system key can be found here :

Performing a Secure Erase of the Platform KeyStore

The ASMI Secure Storage Policy menu has been provided to clear sensitive data from the system for the following activities :
  • Returning the system to IBM Global Asset Recovery Services (GARS)
  • Resale of the system
  • When there are changes in the customer workloads, such as moving a system from a development environment to production environment, and vice versa
This procedure will require physical access to the system to authorize the operation.  This ensures it can not be used to remotely perform a denial of service attack.
WARNING: Performing this procedure will destroy any data maintained by the Platform KeyStore for all partitions on the system with no way to recover.  Any partitions to be maintained MUST be migrated off the system before proceeding.
Process to perform a secure erase of the Platform KeyStore:
  1. Migrate all partitions to be kept to another system and delete the partitions that are no longer to be maintained
  2. If necessary power off the system
  3. Perform a 'Clear All' procedure as documented here to clear and generate a new PKS root key  
  4. After completing step 3 you will need to power off the system
  5. Perform a 'Reset server firmware settings' procedure as documented here to wipe all encrypted PKS data from SP NVRAM
    At this point all persistent data maintained by the server firmware in the platform has been cleared.

    Contacting the PowerVM Team

    Have questions for the PowerVM team or want to learn more?  Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions