On Thu, Oct 13, 2022 at 06:00:58PM -0300, Martin Fernandez wrote:
That's bad, because it would be nice if that attribute only depended on the hardware and not on some setting.
Why would that be bad?
You want to be able to disable encryption for whatever reason sometimes.
The plan of this patch was, as you mentioned, just to report EFI_MEMORY_CPU_CRYPTO at a per-node level.
Now, I think I will need to check for tme/sme and only if those are active then show the file in sysfs, otherwise not show it at all, because it would be misleading. Any other idea?
Well, I still think this is not going to work in all cases. SME/TME can be enabled but the kernel can go - and for whatever reason - map a bunch of memory unencrypted.
So I don't know what the goal of this fwupd checking whether users have configured memory encryption properly is. It might end up giving that false sense of security...
You mean that EFI_MEMORY_CPU_CRYPTO means nothing on an AMD system?
I mean, you still can disable memory encryption.
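An added example, not code from the patch under discussion: the per-node EFI_MEMORY_CPU_CRYPTO check Martin describes, gated on memory encryption being active as the thread proposes, run over a constructed memory map. The descriptor struct, its node field and the mem_encrypt_active flag are assumptions standing in for the kernel's own types and SME/TME check; the bit value comes from the UEFI spec.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EFI_MEMORY_CPU_CRYPTO is bit 19 of the descriptor attribute field (UEFI 2.8+). */
#define EFI_MEMORY_CPU_CRYPTO   0x0000000000080000ULL
#define EFI_CONVENTIONAL_MEMORY 7

/* Simplified memory descriptor (constructed for this example, not the kernel's type). */
struct mem_desc {
    uint32_t type;
    uint64_t phys_start;
    uint64_t num_pages;   /* 4 KiB pages */
    uint64_t attribute;
    int      node;        /* NUMA node, assumed already resolved from SRAT */
};

/* Constructed sample map: node 0 fully capable, node 1 has one range without the bit. */
const struct mem_desc sample_map[] = {
    { EFI_CONVENTIONAL_MEMORY, 0x00100000, 0x3ff00, EFI_MEMORY_CPU_CRYPTO, 0 },
    { EFI_CONVENTIONAL_MEMORY, 0x40000000, 0x40000, EFI_MEMORY_CPU_CRYPTO, 0 },
    { EFI_CONVENTIONAL_MEMORY, 0x80000000, 0x40000, EFI_MEMORY_CPU_CRYPTO, 1 },
    { EFI_CONVENTIONAL_MEMORY, 0xc0000000, 0x40000, 0,                     1 },
};
#define SAMPLE_N (sizeof(sample_map) / sizeof(sample_map[0]))

/* True only if every conventional-memory range on `node` carries CPU_CRYPTO.
 * Note the bit is a capability claim from firmware: it says the hardware can
 * encrypt the range, not that the kernel currently maps it encrypted. */
bool node_mem_crypto_capable(const struct mem_desc *map, size_t n, int node)
{
    bool seen = false;
    for (size_t i = 0; i < n; i++) {
        if (map[i].type != EFI_CONVENTIONAL_MEMORY || map[i].node != node)
            continue;
        seen = true;
        if (!(map[i].attribute & EFI_MEMORY_CPU_CRYPTO))
            return false;
    }
    return seen;
}

/* What the sysfs file would report: -1 = do not expose the file at all (SME/TME
 * inactive, per the thread), 0 = node has ranges lacking the capability, 1 = all capable. */
int report_node(const struct mem_desc *map, size_t n, int node, bool mem_encrypt_active)
{
    if (!mem_encrypt_active)
        return -1;
    return node_mem_crypto_capable(map, n, node) ? 1 : 0;
}

int main(void)
{
    for (int node = 0; node < 2; node++)
        printf("node %d: %d\n", node, report_node(sample_map, SAMPLE_N, node, true));
    return 0;
}
```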