Linux To No Longer Enable AMD SME Usage By Default Due To Problems With Some Hardware

  • #21
    Originally posted by Developer12:

    It's valuable in the first case because they think they can be secure while not trusting their host. That's the purpose of encrypting the memory of a guest. This is wishful thinking and a classic security case of have-my-cake-and-eat-it-too. You can either trust your own computer or not trust someone else's.

    If your datacenter is on-premises, as a bank's damn well should be, then you have no need for this. You own the server. You guard the server. You install and run and operate the host OS. Anything otherwise is a failure to appropriately threat-model. We don't do "security" for security's sake.

    Some companies only make sense in the cloud. Startups don't always have the money to build out physical infrastructure.

    As for on premises, you assume I trust my employees.

    Really, you merely shot an arrow - encrypted mem bad - and now you are trying desperately to paint a target around it.


  • #22
    I have been having issues with SME (mem_encrypt=on) for a while now, even unrelated to this 5.15 default bug.
    Virtualbox 6.1.26 cannot initialize any VMs. (Gentoo) This program is my last stumbling block.
    I also had a problem where my NVidia driver was unable to allocate a DMA bounce buffer memory address, and I had to switch to AMDGPU.

    Encrypted Memory is important to me, I find this very compelling https://www.amd.com/system/files/doc...hite-paper.pdf
    Thank you devs, if anyone knows how to fix Virtualbox to get SME working with it, please respondevouz. TVM.


  • #23
    mem_encrypt=on has just crashed my Ryzen 1600X since 2018, without giving any errors.


  • #24
    Originally posted by Developer12:

    It's valuable in the first case because they think they can be secure while not trusting their host. That's the purpose of encrypting the memory of a guest. This is wishful thinking and a classic security case of have-my-cake-and-eat-it-too. You can either trust your own computer or not trust someone else's.

    If your datacenter is on-premises, as a bank's damn well should be, then you have no need for this. You own the server. You guard the server. You install and run and operate the host OS. Anything otherwise is a failure to appropriately threat-model. We don't do "security" for security's sake.

    Right, the major use case would be increasing security in VPSs... Yet basically none of the VPS providers have SME or SEV enabled on the hosts - and they don't even care. They continue to use AMD marketing to promote their hosting services despite not even enabling the security features.


  • #25
    Originally posted by genBTC:

    I have been having issues with SME (mem_encrypt=on) for a while now, even unrelated to this 5.15 default bug.
    Virtualbox 6.1.26 cannot initialize any VMs. (Gentoo) This program is my last stumbling block.
    I also had a problem where my NVidia driver was unable to allocate a DMA bounce buffer memory address, and I had to switch to AMDGPU.

    Encrypted Memory is important to me, I find this very compelling https://www.amd.com/system/files/doc...hite-paper.pdf
    Thank you devs, if anyone knows how to fix Virtualbox to get SME working with it, please respondevouz. TVM.

    Should work well in KVM... VBox doesn't have the performance of KVM regardless...


  • #26
    It seems very myopic to call memory encryption so limited in utility or even useless. I'd like it in all of my systems. It makes it a lot more difficult for anyone who has compromised (i.e. stolen) your laptop to steal the filesystem encryption key out of memory, for example. It makes sense that SEV is limited to EPYC, but I'd like SME enabled on all laptops and desktops.


  • #27
    Would be nice, AMD, if you'd actually update us on how your new security features are working now that you're on Zen 4 (with Linux)! It is like all marketing money is spent towards fluff for dummies and not details that any respect for experts would imbue.


  • #28
    Originally posted by ayumu:

    The IOMMU will always be initialized and used if available. I'm also using a Zen+ Thinkpad.

    My point here is that if the IOMMU is usable, then SME should be the default. If it isn't, then SME should be disabled as a workaround.

    And I very much want SME if at all possible. I shouldn't need to force it on. The laptop could be stolen while it's on, and security keys extracted from RAM.

    Were you able to verify it is enabled on your Ryzen Thinkpad? Passing mem_encrypt doesn't seem to (sme should be present in cat /proc/cpuinfo).


  • #29
    Originally posted by make_adobe_on_Linux!:

    Were you able to verify it is enabled on your Ryzen Thinkpad? Passing mem_encrypt doesn't seem to (sme should be present in cat /proc/cpuinfo).

    Tried mem_encrypt back when this made news, and what I found is Linux freezing on boot.

    I do not know if the situation has improved since.
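One way to do the verification #28 asks about, as an added example that is not from anyone in this thread: a POSIX shell function that combines the three signals a defender would check on a 5.15+ kernel, the `sme` flag in /proc/cpuinfo, whether `mem_encrypt=on` was passed on the kernel command line, and whether the kernel's boot log reports the feature as active. The sample cpuinfo, cmdline and log lines are constructed, and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Constructed stand-ins for /proc/cpuinfo, /proc/cmdline and the boot log,
# so the check runs without root and without AMD hardware.
SAMPLE_CPUINFO='processor	: 0
flags		: fpu vme de pse tsc msr pae mce cx8 apic sme sev'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/root mem_encrypt=on'
SAMPLE_KLOG='[    0.000000] AMD Memory Encryption Features active: SME'

# sme_status CPUINFO CMDLINE KLOG
# Prints one of: unsupported, supported-not-enabled, requested-but-inactive, active
sme_status() {
  cpuinfo=$1; cmdline=$2; klog=$3
  # The SME CPUID bit shows up as the word "sme" in the cpuinfo flags line.
  if ! printf '%s\n' "$cpuinfo" | grep '^flags' | grep -qw sme; then
    echo unsupported
    return 0
  fi
  # From 5.15 the kernel leaves SME off unless mem_encrypt=on is passed.
  case " $cmdline " in
    *" mem_encrypt=on "*) requested=yes ;;
    *)                    requested=no ;;
  esac
  # The kernel logs this line at boot once SME is really in use; a request
  # without it means something (firmware, hardware quirk) blocked activation.
  if printf '%s\n' "$klog" | grep -q 'Memory Encryption Features active:.*SME'; then
    echo active
  elif [ "$requested" = yes ]; then
    echo requested-but-inactive
  else
    echo supported-not-enabled
  fi
}

# Run against the live machine with --live (dmesg usually needs root),
# otherwise against the constructed samples above.
if [ "${1:-}" = "--live" ]; then
  sme_status "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)" "$(dmesg 2>/dev/null)"
else
  sme_status "$SAMPLE_CPUINFO" "$SAMPLE_CMDLINE" "$SAMPLE_KLOG"
fi
```

The "requested-but-inactive" result is the interesting one for the freezes and silent failures reported in this thread: the flag is advertised and the option was passed, yet the kernel never confirmed activation.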
