AMDGPU Trusted Memory Zone Support Could Soon Be Enabled By Default
Work has been under way since last September within Linux's AMDGPU kernel driver on enabling encrypted vRAM support with "Trusted Memory Zone" functionality. Now it's looking like a kernel release in the not too distant future could enable this support by default.
The AMD Radeon Trusted Memory Zone functionality is about protecting the contents of select pages from being read by the CPU or other non-GPU clients and preventing writes from happening to TMZ-protected pages. With the Linux implementation, user-space can pass a new "encrypted" flag via the GEM memory management interface when allocating memory that should be secured by the hardware. This isn't enabled by default, presumably due to the added overhead involved and because it is of little real use except when select bits of video memory need to be encrypted.
AMD's intentions for offering this Radeon TMZ support were not clear, but it wouldn't be surprising if it stems from the growing AMD Chromebook potential where we have also seen HDCP support and other protection/privacy features being worked on by their Linux graphics stack for such commercial use-cases.
A new patch posted on Wednesday clarified that only Raven, Renoir, and Navi GPUs support TMZ on Linux. With that patch, support on capable GPUs is still hidden behind the amdgpu.tmz flag, but it was then brought up on the mailing list that, following the posting of new TMZ buffer move patches, it may actually be ready for enabling by default. No patch proposing that it be enabled by default has been sent out yet, but with the latest patch work it appears it should at least be stable for Raven Ridge APUs.