AMD's SME/SEV Security Support For EPYC Not Yet Ready On Linux
While AMD announced their EPYC 7000 series CPUs last week, prominent new security features of these high-end processors aren't yet ready with support in the mainline Linux kernel.
The new security features added to the Zen-based EPYC server processors are Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). Secure Memory Encryption provides memory encryption on a per-page-table basis using AMD's ARM-based security co-processor. AMD SME + SEV are designed against both user-access attacks and physical-access attacks, with a particular focus on VM / hypervisor security. Sadly, support for SME and SEV has yet to be mainlined in the Linux kernel, so EPYC Linux servers don't yet benefit from this new technology.
AMD posted SME patches back in April of 2016, but as of Linux 4.12 the work has yet to be mainlined, and it's looking like it might not be ready for Linux 4.13 either. SEV patches are still pending public posting. (For those concerned about a free software system, EPYC's secure processor firmware remains a binary blob.)
The latest SME patches were posted on Tuesday. These 38 patches implement Secure Memory Encryption for the Linux kernel: "SME can be used to mark individual pages of memory as encrypted through the page tables. A page of memory that is marked encrypted will be automatically decrypted when read from DRAM and will be automatically encrypted when written to DRAM."
The Secure Encrypted Virtualization work, meanwhile, has yet to be published: "This patch series is a pre-cursor to another AMD processor feature called Secure Encrypted Virtualization (SEV). The support for SEV will build upon the SME support and will be submitted later."
Since the earlier version of these patches, the latest SME code has a number of fixes and some other changes. Still left to do by the developers is adding Kdump support. Hopefully it won't be too many more kernel releases before seeing SME/SEV appear in the mainline tree.
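To make the "mark pages as encrypted through the page tables" mechanism concrete, here is an added example (not code from AMD's patch series) that decodes the AMD memory-encryption CPUID leaf 0x8000001F, derives the encryption-bit mask for a page-table entry, and applies it. It assumes the leaf layout AMD documents (EAX bit 0 = SME, bit 1 = SEV, EBX[5:0] = encryption-bit position, EBX[11:6] = physical-address-bit reduction); the sample register values used in main() are constructed, not captured from real hardware.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Decoded view of CPUID leaf 0x8000001F (AMD memory encryption). */
struct sme_info {
    bool sme;           /* EAX bit 0: Secure Memory Encryption supported */
    bool sev;           /* EAX bit 1: Secure Encrypted Virtualization supported */
    unsigned cbit;      /* EBX[5:0]: bit position of the encryption ("C") bit in a PTE */
    unsigned reduction; /* EBX[11:6]: physical address bits given up for the C-bit */
};

struct sme_info sme_decode(uint32_t eax, uint32_t ebx) {
    struct sme_info i;
    i.sme = (eax & 1u) != 0;
    i.sev = (eax & 2u) != 0;
    i.cbit = ebx & 0x3fu;
    i.reduction = (ebx >> 6) & 0x3fu;
    return i;
}

/* Mask with only the C-bit set; zero when SME is absent so ORing it is a no-op. */
uint64_t sme_cbit_mask(const struct sme_info *i) {
    return i->sme ? (1ULL << i->cbit) : 0;
}

/* Mark a page-table entry as encrypted (the kernel does this in its own PTE helpers). */
uint64_t pte_set_encrypted(uint64_t pte, const struct sme_info *i) {
    return pte | sme_cbit_mask(i);
}

bool pte_is_encrypted(uint64_t pte, const struct sme_info *i) {
    return i->sme && (pte & sme_cbit_mask(i)) != 0;
}

/* Query the running CPU; false when not x86 or the leaf is not implemented. */
bool sme_query_cpu(struct sme_info *out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid(0x8000001fu, &eax, &ebx, &ecx, &edx)) {
        *out = sme_decode(eax, ebx);
        return true;
    }
#endif
    (void)out;
    return false;
}
```

On a host without the leaf, sme_query_cpu() reports false rather than decoding garbage; a live query on SME-capable hardware only tells you the CPU supports it, not that the kernel has enabled it.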