AMD Secure Memory Encryption Patches Updated For Linux


  • AMD Secure Memory Encryption Patches Updated For Linux

    Phoronix: AMD Secure Memory Encryption Patches Updated For Linux

    Adding to the list of changes/features you will not find in Linux 4.13 is AMD's Secure Memory Encryption as supported by the new EPYC processors...


  • #2
    Typo:

    Originally posted by phoronix View Post
    The AMD Secure Memory Encryption (SME) paches in their v10 form disable this feature when built for 32-bit

    Comment


    • #3
      Is this a new feature of AMD processors? Or is this a generic kernel feature that will eventually have Intel support?

      Comment


      • #4
        Originally posted by doublez13 View Post
        Is this a new feature of AMD processors? Or is this a generic kernel feature that will eventually have Intel support?
        This is a feature of AMD's new Epyc server processors they have positioned to compete with high end Xeons. If Intel adds this it will be a copy and pasted feature and it won't be any time soon. The main use case for this AMD highlighted is the example of your VM being hosted in AWS and Amazon not being able to see what you have going on inside your VM or its memory.

        Comment


        • #5
          Originally posted by No Username
          This will also apply for Ryzen PRO as they have the same features as EPYC?
          I believe it is a feature of the Zen micro architecture, so ALL zen based processors will have it (even the puny little ones)

          Comment
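To make the "which processors have it" question above concrete, here is an added example that is not from the article, the forum posters, or AMD's kernel patches. It decodes the CPUID leaf that advertises these capabilities (Fn8000_001F, as documented in AMD's Architecture Programmer's Manual: EAX bit 0 = SME, bit 1 = SEV, bit 2 = page-flush MSR, bit 3 = SEV-ES; EBX[5:0] = position of the encryption "C-bit" in page-table entries; EBX[11:6] = reduction in usable physical address bits; ECX = number of simultaneously encrypted guests; EDX = minimum SEV ASID) and the SEV_STATUS MSR a guest can read (0xC0010131, bit 0 = SEV active, bit 1 = SEV-ES active). The register values used in the test are constructed for illustration, not captured from real hardware; the function and struct names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID_MEM_ENCRYPT_LEAF 0x8000001fu   /* AMD "Encrypted Memory Capabilities" */
#define MSR_AMD64_SEV_STATUS   0xc0010131u   /* readable from inside a SEV guest */

/* Decoded view of CPUID Fn8000_001F (field layout per AMD APM). */
struct mem_encrypt_caps {
    bool sme;                     /* EAX[0]  Secure Memory Encryption          */
    bool sev;                     /* EAX[1]  Secure Encrypted Virtualization   */
    bool page_flush_msr;          /* EAX[2]  Page Flush MSR available          */
    bool sev_es;                  /* EAX[3]  SEV Encrypted State               */
    unsigned cbit_pos;            /* EBX[5:0]  C-bit position in a PTE         */
    unsigned phys_addr_reduction; /* EBX[11:6] physical address bits lost      */
    uint32_t max_encrypted_guests;/* ECX       simultaneous SEV guests         */
    uint32_t min_sev_asid;        /* EDX       minimum ASID for SEV guests     */
};

/* Decoded view of the SEV_STATUS MSR as seen by a guest. */
struct sev_status {
    bool sev_active;    /* bit 0 */
    bool sev_es_active; /* bit 1 */
};

struct mem_encrypt_caps decode_mem_encrypt_caps(uint32_t eax, uint32_t ebx,
                                                uint32_t ecx, uint32_t edx)
{
    struct mem_encrypt_caps c;
    c.sme                  = (eax >> 0) & 1u;
    c.sev                  = (eax >> 1) & 1u;
    c.page_flush_msr       = (eax >> 2) & 1u;
    c.sev_es               = (eax >> 3) & 1u;
    c.cbit_pos             = ebx & 0x3fu;         /* bits 5:0  */
    c.phys_addr_reduction  = (ebx >> 6) & 0x3fu;  /* bits 11:6 */
    c.max_encrypted_guests = ecx;
    c.min_sev_asid         = edx;
    return c;
}

/* The C-bit is a single physical-address bit; setting it in a PTE marks the
 * page as encrypted with the system (SME) or guest (SEV) key. */
uint64_t cbit_mask(unsigned cbit_pos)
{
    return cbit_pos < 64 ? (1ull << cbit_pos) : 0;
}

/* Physical address with the C-bit set, i.e. how the kernel would encode an
 * encrypted mapping in a page-table entry. */
uint64_t encrypted_pa(uint64_t pa, unsigned cbit_pos)
{
    return pa | cbit_mask(cbit_pos);
}

struct sev_status decode_sev_status(uint64_t msr_value)
{
    struct sev_status s;
    s.sev_active    = (msr_value >> 0) & 1u;
    s.sev_es_active = (msr_value >> 1) & 1u;
    return s;
}

/* Live probe of the running CPU. Returns false if the leaf is not exposed,
 * which is what a non-AMD or pre-Zen machine reports. */
bool probe_mem_encrypt_caps(struct mem_encrypt_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(CPUID_MEM_ENCRYPT_LEAF, &eax, &ebx, &ecx, &edx))
        return false;
    *out = decode_mem_encrypt_caps(eax, ebx, ecx, edx);
    return out->sme || out->sev;
#else
    (void)out;
    return false;
#endif
}

int main(void)
{
    struct mem_encrypt_caps c;
    if (!probe_mem_encrypt_caps(&c)) {
        puts("CPUID Fn8000_001F reports no SME/SEV on this CPU");
        return 0;
    }
    printf("SME=%d SEV=%d SEV-ES=%d C-bit=%u addr-reduction=%u guests=%u min-asid=%u\n",
           c.sme, c.sev, c.sev_es, c.cbit_pos, c.phys_addr_reduction,
           c.max_encrypted_guests, c.min_sev_asid);
    printf("C-bit mask: 0x%llx\n", (unsigned long long)cbit_mask(c.cbit_pos));
    return 0;
}
```

On a Linux host the same information surfaces as the `sme` and `sev` entries in the `flags` line of /proc/cpuinfo. Note what this check does and does not establish: inside a VM, CPUID and MSR reads are virtualised by the hypervisor, so a decoded "SEV active" bit only tells you what the hypervisor chose to report, which is exactly the limitation the later posts in this thread raise.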


          • #6
            So, the hypervisor can't just NOP the instructions?
            It should be interesting to read how they prevent that. Does anyone have the documentation link?

            Comment


            • #7
              I may be wrong, but I don't believe this can protect a guest against a hypervisor that is hostile to start with. It can protect against attacks that escape from another guest and take over the hypervisor while it is running.

              If the hypervisor sets up the guest and lies about the memory encryption, I don't see how the guest could tell.

              Comment


              • #8
                Here is the white paper from AMD: http://developer.amd.com/wordpress/m..._v7-Public.pdf

                On page 11 it talks about how the guest can verify it is running on a genuine AMD SEV host with encrypted RAM.

                However, I can imagine at least three ways that an evil hypervisor could scan for the verification code in the executable and rewrite it to believe it is genuine when it isn't. It does raise the difficulty a lot. But there's no DRM scheme that hasn't been broken so far.

                Comment


                • #9
                  I'm not up to date but wasn't all that SME done via a PSP part? SME and SEV do sound interesting, but things with relation to a closed blob with ring <0 rights are a very mixed bag to say the least.
                  Stop TCPA, stupid software patents and corrupt politicians!

                  Comment


                  • #10
                    You obviously can't protect against a hostile hypervisor but you can protect against hostile cotenants with a system like this. I don't think AMD ever claimed otherwise.

                    Comment
