more info for AMD Secure Memory Encryption (SME) for Linux

A follow-up to:

Tom Lendacky of AMD posted v2 of a 20-part patch to most of the linux-kernel (and other) lists, adding support for AMD Secure Memory Encryption (SME), adding more documentation about AMD SME.

Secure Memory Encryption (SME) is a feature found on AMD processors.
SME provides the ability to mark individual pages of memory as encrypted using the standard x86 page tables.  A page that is marked encrpyted will be automatically decrypted when read from DRAM and encrypted when written to DRAM.  SME can therefore be used to protect the contents of DRAM from physical attacks on the system.
BOOT data (such as EFI related data) is not encyrpted when the system is booted and needs to be accessed as non-encrypted.  Add support to the early_memremap API to identify the type of data being accessed so that the proper encryption attribute can be applied.  Currently, two types of data are defined, KERNEL_DATA and BOOT_DATA.

Also check out the older v1 patch posting on the lists, there was some interesting technical discussion. The above previous blog post has a pointer to that discussion, as well as some other AMD specs.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s