All of lore.kernel.org
 help / color / mirror / Atom feed
From: Martin Fernandez <martin.fernandez@eclypsium.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org,
	tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
	x86@kernel.org, hpa@zytor.com, dave.hansen@linux.intel.com,
	luto@kernel.org, peterz@infradead.org, ardb@kernel.org,
	dvhart@infradead.org, andy@infradead.org,
	gregkh@linuxfoundation.org, rafael@kernel.org,
	daniel.gutson@eclypsium.com, hughsient@gmail.com
Subject: Re: [PATCH v2 0/5] [RFC] x86: Export information about hardware memory encryption to sysfs
Date: Thu, 28 Oct 2021 11:28:57 -0300	[thread overview]
Message-ID: <CAKgze5Z3fT9F0S-mogfP6is9sL3=0imtCbfy6ZYrd3zgaBUqRg@mail.gmail.com> (raw)
In-Reply-To: <8a8e0743-e54d-ec96-da4e-1d101b550274@intel.com>

On 10/27/21, Dave Hansen <dave.hansen@intel.com> wrote:
> On 10/27/21 12:55 PM, Martin Fernandez wrote:
>> This is a serie of patches for exporting the needed information to
>> userspace to determine if a machine is using Intel's TME or MKTME.
>>
>> In a next patch I'm going to export if TME/MKTME is activated by the
>> BIOS to sysfs, since right now for the user, this information is only
>> available in the kernel logs, and it's not appropriate for fwupd to
>> scan the boot logs just to parse an integer. I'm looking for
>> suggestions for where to store this value.
>
> I didn't see any TME or MKTME-specific stuff in these patches.  Are you
> assuming that all systems with any MEMBLOCK_CRYPTO_CAPABLE regions have
> TME activated?

Yes, you are correct, I didn't do anything TME-specific. That's the
part that I still need to do, I'm planning to do something similar to
detect_tme in /arch/x86/kernel/cpu/intel.c, but showing "TME" or
"MKTME" somewhere in sysfs, don't know where. Maybe in securityfs? And
it can also show the AMD variants in the future.

And no, I'm assuming that MEMBLOCK_CRYPTO_CAPABLE implies TME
activated, it's just another check to secure that the memory is
actually being encrypted.

> This also doesn't mention how userspace plans to *use* this information.
>  I think you mentioned it before, but it needs to be in the cover letter
> and changelogs too.
>

Userspace will just read this values and conclude (as it is right now)
if your memory is able to do encryption. As I mentioned above, with
the TME part, you will conclude if your memory is being encrypted or
not, and if not, you can see why not. For example, if you have TME,
you have it enabled but you have crypto_capable = 0 in your nodes,
then you probably have an old BIOS that doesn't support UEFI 2.7, and
that's why you don't have your memory flagged with
EFI_MEMORY_CPU_CRYPTO. And then you can tell to the user that maybe a
BIOS update will fix that.

That's what fwupd will try to do.

  reply	other threads:[~2021-10-28 14:29 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-27 19:55 [PATCH v2 0/5] [RFC] x86: Export information about hardware memory encryption to sysfs Martin Fernandez
2021-10-27 19:55 ` [PATCH v2 1/5] Extend memblock to support memory encryption Martin Fernandez
2021-10-27 19:55 ` [PATCH v2 2/5] Extend pg_data_t to hold information about " Martin Fernandez
2021-10-27 19:55 ` [PATCH v2 3/5] Extend e820_table " Martin Fernandez
2021-10-27 19:55 ` [PATCH v2 4/5] Mark e820_entries as crypto capable from EFI memmap Martin Fernandez
2021-10-27 19:55 ` [PATCH v2 5/5] Show in sysfs if a memory node is able to do memory encryption Martin Fernandez
2021-10-28 18:09   ` Dave Hansen
2021-10-27 20:21 ` [PATCH v2 0/5] [RFC] x86: Export information about hardware memory encryption to sysfs Dave Hansen
2021-10-28 14:28   ` Martin Fernandez [this message]
2021-10-28 14:55     ` Borislav Petkov
2021-10-28 16:03       ` Richard Hughes
2021-10-28 16:35         ` Borislav Petkov
2021-10-28 17:39           ` Martin Fernandez
2021-10-28 18:10             ` Borislav Petkov
2021-10-28 18:17               ` Dave Hansen
2021-10-29 17:08             ` Dave Hansen
2021-11-01 18:12               ` Martin Fernandez
2021-11-01 20:10               ` Martin Fernandez
2021-10-29 13:14           ` Richard Hughes
2021-10-28 15:24     ` Dave Hansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAKgze5Z3fT9F0S-mogfP6is9sL3=0imtCbfy6ZYrd3zgaBUqRg@mail.gmail.com' \
    --to=martin.fernandez@eclypsium.com \
    --cc=andy@infradead.org \
    --cc=ardb@kernel.org \
    --cc=bp@alien8.de \
    --cc=daniel.gutson@eclypsium.com \
    --cc=dave.hansen@intel.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=dvhart@infradead.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=hpa@zytor.com \
    --cc=hughsient@gmail.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=platform-driver-x86@vger.kernel.org \
    --cc=rafael@kernel.org \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.