From: Tom Lendacky
Subject: [RFC PATCH v2 01/20] x86: Documentation for AMD Secure Memory Encryption (SME)
To: linux-arch@vger.kernel.org, linux-efi@vger.kernel.org, kvm@vger.kernel.org, linux-doc@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, iommu@lists.linux-foundation.org
Cc: Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, Konrad Rzeszutek Wilk, Andrey Ryabinin, Ingo Molnar, Borislav Petkov, Andy Lutomirski, H. Peter Anvin, Paolo Bonzini, Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Date: Mon, 22 Aug 2016 17:35:39 -0500
Message-ID: <20160822223539.29880.96739.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net>
References: <20160822223529.29880.50884.stgit@tlendack-t1.amdoffice.net>
User-Agent: StGit/0.17.1-dirty
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature.
Signed-off-by: Tom Lendacky --- Documentation/x86/amd-memory-encryption.txt | 35 +++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 Documentation/x86/amd-memory-encryption.txt diff --git a/Documentation/x86/amd-memory-encryption.txt b/Documentation/x86/amd-memory-encryption.txt new file mode 100644 index 0000000..f19c555 --- /dev/null +++ b/Documentation/x86/amd-memory-encryption.txt 
@@ -0,0 +1,35 @@ +Secure Memory Encryption (SME) is a feature found on AMD processors. + +SME provides the ability to mark individual pages of memory as encrypted using +the standard x86 page tables. A page that is marked encrpyted will be +automatically decrypted when read from DRAM and encrypted when written to +DRAM. SME can therefore be used to protect the contents of DRAM from physical +attacks on the system. + +Support for SME can be determined through the CPUID instruction. The CPUID +function 0x8000001f reports information related to SME: + + 0x8000001f[eax]: + Bit[0] indicates support for SME + 0x8000001f[ebx]: + Bit[5:0] pagetable bit number used to enable memory encryption + Bit[11:6] reduction in physical address space, in bits, when + memory encryption is enabled (this only affects system + physical addresses, not guest physical addresses) + +If support for SME is present, MSR 0xc00100010 (SYS_CFG) can be used to +determine if SME is enabled and/or to enable memory encryption: + + 0xc0010010: + Bit[23] 0 = memory encryption features are disabled + 1 = memory encryption features are enabled + +Linux relies on BIOS to set this bit if BIOS has determined that the reduction +in the physical address space as a result of enabling memory encryption (see +CPUID information above) will not conflict with the address space resource +requirements for the system. If this bit is not set upon Linux startup then +Linux itself will not set it and memory encryption will not be possible. + +SME support is configurable in the kernel through the AMD_MEM_ENCRYPT config +option. Additionally, the mem_encrypt=on command line parameter is required +to activate memory encryption. From mboxrd@z Thu Jan 1 00:00:00 1970 
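Review bot: The MSR number in the SYS_CFG paragraph, "MSR 0xc00100010 (SYS_CFG)", has nine hex digits and does not match the "0xc0010010:" heading of the bit table directly below it. One of the two is a typo, and since the table form is the eight-digit one, the prose should most likely read "MSR 0xc0010010 (SYS_CFG)". A reader copying the number from the sentence into an MSR read would otherwise query the wrong register. The same paragraph says the MSR can be used "to enable memory encryption", while the following paragraph says Linux will not set Bit[23] itself; it would help to state in the first sentence that the bit is expected to be set by BIOS, so the two paragraphs do not read as contradictory. Minor: "encrpyted" in the second paragraph should be "encrypted".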