Re: [RFC PATCH v1 00/18] x86: Secure Memory Encryption (AMD)
From: Tom Lendacky <hidden>
Date: 2016-05-03 15:55:34
Also in:
kvm, linux-efi, linux-iommu, linux-mm, lkml
On 04/30/2016 01:13 AM, Elliott, Robert (Persistent Memory) wrote:
quoted
-----Original Message----- From: linux-kernel-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org [mailto:linux-kernel- owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org] On Behalf Of Tom Lendacky Sent: Tuesday, April 26, 2016 5:56 PM Subject: [RFC PATCH v1 00/18] x86: Secure Memory Encryption (AMD) This RFC patch series provides support for AMD's new Secure Memory Encryption (SME) feature. SME can be used to mark individual pages of memory as encrypted through the page tables. A page of memory that is marked encrypted will be automatically decrypted when read from DRAM and will be automatically encrypted when written to DRAM. Details on SME can found in the links below....quoted
... Certain data must be accounted for as having been placed in memory before SME was enabled (EFI, initrd, etc.) and accessed accordingly....quoted
x86/efi: Access EFI related tables in the clear x86: Access device tree in the clear x86: Do not specify encrypted memory for VGA mappingIf the SME encryption key "is created randomly each time a system is booted," data on NVDIMMs won't decrypt properly on the next boot. You need to exclude persistent memory regions (reported in the UEFI memory map as EfiReservedMemoryType with the NV attribute, or as EfiPersistentMemory).
The current plan is for the AMD Secure Processor to securely save the SME encryption key when NVDIMMs are installed on a system. The saved SME key will be restored if an NVDIMM restore event needs to be performed. If there isn't an NVDIMM restore event, then the randomly generated key will be used. Thanks, Tom
Perhaps the SEV feature will allow key export/import that could work for NVDIMMs. --- Robert Elliott, HPE Persistent Memory