Re: [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do encryption

From: Borislav Petkov <bp@alien8.de>
To: Martin Fernandez <martin.fernandez@eclypsium.com>
Cc: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
	platform-driver-x86@vger.kernel.org, linux-mm@kvack.org,
	tglx@linutronix.de, mingo@redhat.com,
	dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com,
	ardb@kernel.org, dvhart@infradead.org, andy@infradead.org,
	gregkh@linuxfoundation.org, rafael@kernel.org, rppt@kernel.org,
	akpm@linux-foundation.org, daniel.gutson@eclypsium.com,
	hughsient@gmail.com, alex.bazhaniuk@eclypsium.com,
	alison.schofield@intel.com, keescook@chromium.org
Subject: Re: [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do encryption
Date: Wed, 4 May 2022 18:38:17 +0200	[thread overview]
Message-ID: <YnKr+aMf4PspDpHZ@zn.tnic> (raw)
In-Reply-To: <20220429201717.1946178-1-martin.fernandez@eclypsium.com>

On Fri, Apr 29, 2022 at 05:17:09PM -0300, Martin Fernandez wrote:
> Show for each node if every memory descriptor in that node has the
> EFI_MEMORY_CPU_CRYPTO attribute.
> 
> fwupd project plans to use it as part of a check to see if the users
> have properly configured memory hardware encryption
> capabilities. fwupd's people have seen cases where it seems like there
> is memory encryption because all the hardware is capable of doing it,
> but on a closer look there is not, either because of system firmware
> or because some component requires updating to enable the feature.

Hm, so in the sysfs patch you have:

+               This value is 1 if all system memory in this node is
+               capable of being protected with the CPU's memory
+               cryptographic capabilities.

So this says the node is capable - so what is fwupd going to report -
that the memory is capable?

From your previous paragraph above it sounds to me like you wanna
say whether memory encryption is active or not, not that the node is
capable.

Or what is the use case?

> It's planned to make it part of a specification that can be passed to
> people purchasing hardware

So people are supposed to run that fwupd on that new hw to check whether
they can use memory encryption?

> These checks will run at every boot. The specification is called Host
> Security ID: https://fwupd.github.io/libfwupdplugin/hsi.html.
> 
> We choosed to do it a per-node basis because although an ABI that
> shows that the whole system memory is capable of encryption would be
> useful for the fwupd use case, doing it in a per-node basis gives also
> the capability to the user to target allocations from applications to
> NUMA nodes which have encryption capabilities.

That's another hmmm: what systems do not do full system memory
encryption and do only per-node?

From those I know, you encrypt the whole memory on the whole system and
that's it. Even if it is a hypervisor which runs a lot of guests, you
still want the hypervisor itself to run encrypted, i.e., what's called
SME in AMD's variant.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette