Linux To No Longer Enable AMD SME Usage By Default Due To Problems With Some Hardware
Being sent in this morning as a fix for the Linux 5.15 kernel, and set to be back-ported to the existing stable series, is a behavior change: the Linux kernel will no longer enable AMD Secure Memory Encryption (SME) by default on supported hardware but instead make it opt-in, due to shortcomings of some platforms.
Since the introduction of AMD SME support to the Linux kernel, Secure Memory Encryption has been activated by default when the SME support (AMD_MEM_ENCRYPT) is built into the kernel. That default, "AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT", allowed Secure Memory Encryption to be used out-of-the-box without needing to specify any extra kernel parameters or the like. Unfortunately, that has led to boot failures on some platforms, particularly around the IOMMU, along with other headaches to work out, such as graphics drivers not expecting the memory to be encrypted.
The change to not use AMD SME by default stems from this latest mailing list thread over platform problems (in this case Raven Ridge, but not limited to it) and the boot failures possible from trying SME by default. Unfortunately, with SME needing to be enabled at an early stage of the kernel boot process, there is no possibility, at least for now, of more robust logic for figuring out when SME can safely be enabled or disabled without user interaction.
The patch making the change sums up the current situation:
So with today's x86/urgent pull request going into Linux 5.15 and then back-ported to prior kernels, AMD memory encryption will no longer default to enabled. Assuming your kernel is built with the AMD memory encryption code included, Secure Memory Encryption can still be enabled by passing the "mem_encrypt=on" kernel option, which restores what was previously the default behavior.
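To see how the three pieces named above fit together (the CPU's `sme` feature flag, the `CONFIG_AMD_MEM_ENCRYPT` / `CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT` Kconfig options, and the `mem_encrypt=` kernel parameter), here is an added POSIX shell example; it is not from the article or the kernel tree. It derives the SME state the kernel is being asked for from those inputs, and can also report on the running system. It assumes the usual kernel command-line convention that the last `mem_encrypt=` token wins, and that `/proc/config.gz` or `/boot/config-$(uname -r)` is available for the live check.

```shell
#!/bin/sh
# Added example (not the article's or the kernel's own code): derive the
# requested AMD SME state from the CPU flags, the kernel config and the
# kernel command line. Assumption: the last mem_encrypt= token wins.

# has_config_opt CONFIG_TEXT OPTION -> true when "OPTION=y" is present
has_config_opt() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# sme_effective CPU_FLAGS CONFIG_TEXT CMDLINE
# Prints one of: unsupported-cpu, not-built, active, inactive
sme_effective() {
    flags=$1; config=$2; cmdline=$3

    # /proc/cpuinfo lists "sme" in the flags line when the CPU supports it.
    case " $flags " in
        *" sme "*) ;;
        *) echo unsupported-cpu; return 0 ;;
    esac

    # Without CONFIG_AMD_MEM_ENCRYPT the parameter does nothing at all.
    has_config_opt "$config" CONFIG_AMD_MEM_ENCRYPT || { echo not-built; return 0; }

    # Kconfig default: on only with the old ACTIVE_BY_DEFAULT option set,
    # which is exactly what the 5.15 fix turns off.
    if has_config_opt "$config" CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT; then
        setting=on
    else
        setting=off
    fi

    # mem_encrypt=on|off on the command line overrides the default; last wins.
    for tok in $cmdline; do
        case $tok in
            mem_encrypt=on|mem_encrypt=off) setting=${tok#mem_encrypt=} ;;
        esac
    done

    if [ "$setting" = on ]; then echo active; else echo inactive; fi
}

# Report for the running system; only executed when called with --live.
sme_report_live() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    if [ -r /proc/config.gz ]; then
        config=$(zcat /proc/config.gz)
    else
        config=$(cat "/boot/config-$(uname -r)")
    fi
    cmdline=$(cat /proc/cmdline)
    echo "SME state requested of the kernel: $(sme_effective "$flags" "$config" "$cmdline")"
}

if [ "${1:-}" = --live ]; then
    sme_report_live
fi
```

Run it as `sh sme-check.sh --live` on the machine in question. Note that the result is what the kernel was asked to do, not proof that encryption is in effect: SME also requires the firmware to have enabled memory encryption, and if it has not, the kernel leaves SME off regardless of `mem_encrypt=on`; the kernel's own boot messages remain the authoritative answer.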