Back to home page

OSCL-LXR
 
 

     

0001 .. SPDX-License-Identifier: GPL-2.0
0002 
0003 =====================
0004 AMD Memory Encryption
0005 =====================
0006 
0007 Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
0008 features found on AMD processors.
0009 
0010 SME provides the ability to mark individual pages of memory as encrypted using
0011 the standard x86 page tables.  A page that is marked encrypted will be
0012 automatically decrypted when read from DRAM and encrypted when written to
0013 DRAM.  SME can therefore be used to protect the contents of DRAM from physical
0014 attacks on the system.
0015 
0016 SEV enables running encrypted virtual machines (VMs) in which the code and data
0017 of the guest VM are secured so that a decrypted version is available only
0018 within the VM itself. SEV guest VMs have the concept of private and shared
0019 memory. Private memory is encrypted with the guest-specific key, while shared
0020 memory may be encrypted with hypervisor key. When SME is enabled, the hypervisor
0021 key is the same key which is used in SME.
0022 
0023 A page is encrypted when a page table entry has the encryption bit set (see
0024 below on how to determine its position).  The encryption bit can also be
0025 specified in the cr3 register, allowing the PGD table to be encrypted. Each
0026 successive level of page tables can also be encrypted by setting the encryption
0027 bit in the page table entry that points to the next table. This allows the full
0028 page table hierarchy to be encrypted. Note, this means that just because the
0029 encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
0030 Each page table entry in the hierarchy needs to have the encryption bit set to
0031 achieve that. So, theoretically, you could have the encryption bit set in cr3
0032 so that the PGD is encrypted, but not set the encryption bit in the PGD entry
0033 for a PUD which results in the PUD pointed to by that entry to not be
0034 encrypted.
0035 
0036 When SEV is enabled, instruction pages and guest page tables are always treated
0037 as private. All the DMA operations inside the guest must be performed on shared
0038 memory. Since the memory encryption bit is controlled by the guest OS when it
0039 is operating in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware
0040 forces the memory encryption bit to 1.
0041 
0042 Support for SME and SEV can be determined through the CPUID instruction. The
0043 CPUID function 0x8000001f reports information related to SME::
0044 
0045         0x8000001f[eax]:
0046                 Bit[0] indicates support for SME
0047                 Bit[1] indicates support for SEV
0048         0x8000001f[ebx]:
0049                 Bits[5:0]  pagetable bit number used to activate memory
0050                            encryption
0051                 Bits[11:6] reduction in physical address space, in bits, when
0052                            memory encryption is enabled (this only affects
0053                            system physical addresses, not guest physical
0054                            addresses)
0055 
0056 If support for SME is present, MSR 0xc00100010 (MSR_AMD64_SYSCFG) can be used to
0057 determine if SME is enabled and/or to enable memory encryption::
0058 
0059         0xc0010010:
0060                 Bit[23]   0 = memory encryption features are disabled
0061                           1 = memory encryption features are enabled
0062 
0063 If SEV is supported, MSR 0xc0010131 (MSR_AMD64_SEV) can be used to determine if
0064 SEV is active::
0065 
0066         0xc0010131:
0067                 Bit[0]    0 = memory encryption is not active
0068                           1 = memory encryption is active
0069 
0070 Linux relies on BIOS to set this bit if BIOS has determined that the reduction
0071 in the physical address space as a result of enabling memory encryption (see
0072 CPUID information above) will not conflict with the address space resource
0073 requirements for the system.  If this bit is not set upon Linux startup then
0074 Linux itself will not set it and memory encryption will not be possible.
0075 
0076 The state of SME in the Linux kernel can be documented as follows:
0077 
0078         - Supported:
0079           The CPU supports SME (determined through CPUID instruction).
0080 
0081         - Enabled:
0082           Supported and bit 23 of MSR_AMD64_SYSCFG is set.
0083 
0084         - Active:
0085           Supported, Enabled and the Linux kernel is actively applying
0086           the encryption bit to page table entries (the SME mask in the
0087           kernel is non-zero).
0088 
0089 SME can also be enabled and activated in the BIOS. If SME is enabled and
0090 activated in the BIOS, then all memory accesses will be encrypted and it will
0091 not be necessary to activate the Linux memory encryption support.  If the BIOS
0092 merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG), then Linux can activate
0093 memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or
0094 by supplying mem_encrypt=on on the kernel command line.  However, if BIOS does
0095 not enable SME, then Linux will not be able to activate memory encryption, even
0096 if configured to do so by default or the mem_encrypt=on command line parameter
0097 is specified.
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!