The Linux Kernel Now Seeing Patches For AMD SEV-ES "Encrypted State" Support

  • The Linux Kernel Now Seeing Patches For AMD SEV-ES "Encrypted State" Support

    Phoronix: The Linux Kernel Now Seeing Patches For AMD SEV-ES "Encrypted State" Support

    While since 2016~2017 AMD has been posting Linux kernel patches for Secure Memory Encryption (SME) and Secure Encrypted Virtualization, coming out this morning is finally the first public patch series wiring up the Linux kernel for SEV-ES as further enhancing virtualization encryption...

    http://www.phoronix.com/scan.php?pag...x-2020-Patches

  • #2
    hopefully one of these patches fixes the bug in amdgpu in linux-hardened

    • #3
      I think we discussed this previously, but I would not expect these changes in CPU encryption to affect the issue you linked.

      My recollection is that the underlying issue here is that CPUs can access encrypted memory but GPUs can not - so one way or another memory buffers intended for use by GPU need to be non-encrypted. Not sure what default kernel does with DMA buffers when encryption is enabled by default (will check) but seems like the solution would lie in that direction.

      • #4
        This thread provides some background:
        https://www.mail-archive.com/search?...on%22&o=newest

        • #5
          Originally posted by itoffshore
          hopefully one of these patches fixes the bug in amdgpu in linux-hardened
          The patch that you are looking for is probably https://patchwork.kernel.org/patch/10850833/

          Relevant fdo bugs are
          https://gitlab.freedesktop.org/drm/amd/issues/285
          https://gitlab.freedesktop.org/drm/amd/issues/832

          Originally posted by bridgman
          My recollection is that the underlying issue here is that CPUs can access encrypted memory but GPUs can not
          Interestingly, nouveau and radeon are not affected by SME/TSME, while amdgpu is.

          • #6
            Originally posted by agd5f
            This thread provides some background:
            https://www.mail-archive.com/search?...on%22&o=newest
            From the titles, that looks like work to make the virtual vmwgfx driver support SEV, i.e. where each VM has its memory encrypted by a different key.
            The original problem is getting amdgpu to work with SME, i.e. where main memory is encrypted.
            Last edited by Imroy; 02-12-2020, 09:55 AM.

            • #7
              Originally posted by Imroy

              From the titles, that looks like work to make the virtual vmwgfx driver support SEV, i.e. where each VM has its memory encrypted by a different key.
              The original problem is getting amdgpu to work with SME, i.e. where main memory is encrypted.
              That was the original intent of the thread, but the subsequent discussion is relevant to either. The underlying mechanisms are the same. See:
              https://developer.amd.com/wordpress/..._v7-Public.pdf

              • #8
                Exciting news. However, still seems too long to wait until 5.7

                • #9
                  Originally posted by chithanh
                  The patch that you are looking for is probably https://patchwork.kernel.org/patch/10850833/

                  Relevant fdo bugs are
                  https://gitlab.freedesktop.org/drm/amd/issues/285
                  https://gitlab.freedesktop.org/drm/amd/issues/832

                  Interestingly, nouveau and radeon are not affected by SME/TSME, while amdgpu is.
                  Many thanks for the pointer - I tried applying the patch but it seems to already be in the kernel
                  Code:
                  -> Applying patch drm-fallback-to-dma_alloc_coherent-when-memory-encryption-is-active.patch...
                  patching file drivers/gpu/drm/drm_memory.c
                  Reversed (or previously applied) patch detected!  Skipping patch.
                  booting linux-hardened with mem_encrypt=off on Ryzen CPUs still required for the moment



                  • #10
                    Originally posted by itoffshore

                    booting linux-hardened with mem_encrypt=off on Ryzen CPUs still required for the moment
                    Yup. Still that dangling carrot until kernel version 5.7 (hopefully)
