On Thu, Oct 27, 2022 at 08:21:02AM -0700, Dave Hansen wrote:
> On 10/27/22 01:57, Borislav Petkov wrote:
> > Well, I still think this is not going to work in all cases. SME/TME can be enabled but the kernel can go - and for whatever reason - map a bunch of memory unencrypted.
>
> For TME on Intel systems, there's no way to make it unencrypted. The memory controller is doing all the encryption behind the back of the OS and even devices that are doing DMA. Nothing outside of the memory controller really knows or cares that encryption is happening.
Ok, Tom just confirmed that AMD's TSME thing also encrypts all memory.
So I guess the code should check for TME or TSME. If those are set, then you can assume that all memory is encrypted.