AMD Secure Memory Encryption "SME" Performance With 4th Gen EPYC Genoa
One of the security improvements AMD made with its 4th Gen EPYC "Genoa" processors is upgrading Secure Memory Encryption (SME) from 128-bit to 256-bit AES-XTS. SME helps thwart physical attacks on main system memory, but at what performance cost? This article is an initial look at AMD EPYC Genoa performance with SME enabled versus disabled.
With the EPYC 9004 series memory controllers now carrying 256-bit AES-XTS encryption engines that are used once Secure Memory Encryption is enabled, I was curious about the performance cost of turning on this security feature. AMD states that the encryption engine complies with the US FIPS 140-3 standard for cryptographic hardware and that the encryption key is never visible outside the AMD Secure Processor. SME is designed to safeguard against cold boot attacks and other physical attacks on the memory itself; because the encryption is transparent to software, it does not protect memory contents from privileged code already running on the host. AMD Secure Encrypted Virtualization (SEV) builds on the same hardware, using per-VM keys to encrypt guest VM memory.
AMD SME is not enabled out of the box. It is managed from the BIOS, which controls both the SME state and whether Transparent SME (TSME) is used; TSME encrypts all of memory with no OS involvement. For non-transparent SME the Linux kernel must also be told to use it: either boot with the "mem_encrypt=on" kernel parameter or build the kernel with CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT enabled (the base CONFIG_AMD_MEM_ENCRYPT option is required either way).
The status of AMD SME on an EPYC Linux server can be checked in two places: the "sme" flag in /proc/cpuinfo, which only shows that the processor supports the feature, and the Linux kernel's dmesg output, where the memory encryption line confirms whether SME is actually active.
Today's testing is simple: run an assortment of real-world benchmarks on the EPYC 9654 2P server with SME disabled, then repeat the same benchmarks with Secure Memory Encryption active to see what performance impact the 256-bit AES-XTS memory encryption has on EPYC 9004 series hardware. The EPYC 9654 2P was running an up-to-date Linux software stack on Ubuntu 22.10, with the recently released Linux 6.1 kernel for a bleeding-edge look at upstream Linux performance.
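The two checks described above (the CPUID flag and the kernel's dmesg line) answer different questions, and the distinction matters: a host can show the "sme" flag and still be running with memory in the clear. The following POSIX shell script is an added example, not code from the article or from AMD; it classifies a host into unsupported, supported-but-inactive, and active, and separately checks whether mem_encrypt=on was actually passed on the kernel command line. The function names sme_status and sme_requested are invented for this example, the input files are taken as paths so the logic can be run against saved copies or constructed text, and the dmesg wording it matches ("Memory Encryption Features active: AMD SME" on Linux 6.x, "AMD Memory Encryption Features active: SME" on older kernels) is this editor's reading of the kernel's mem_encrypt.c rather than something the article documents.

```shell
#!/bin/sh
# Added example (not from the article): classify the SME state of a Linux
# host from the two places the text points at, /proc/cpuinfo and dmesg.
# Both inputs are file paths so the logic can be run against a saved copy
# (e.g. "dmesg > /tmp/dmesg.txt") or against constructed test text.

# sme_status CPUINFO DMESG
# Prints exactly one of:
#   unsupported        - no "sme" CPUID flag, the part cannot do SME at all
#   supported-inactive - flag present but the kernel did not activate SME
#                        (BIOS SME disabled, mem_encrypt not requested, ...)
#   active             - kernel lists SME among its active encryption features
sme_status() {
    cpuinfo="$1"
    dmesg_log="$2"

    # "sme" must appear as a whole token on a "flags" line. A plain
    # "grep sme" would also match "smep" or a model string containing "sme".
    if ! grep -Eq '^flags[[:space:]]*:.*[[:space:]]sme([[:space:]]|$)' "$cpuinfo"; then
        echo unsupported
        return 0
    fi

    # Assumption: Linux 6.x prints "Memory Encryption Features active: AMD SME",
    # older kernels "AMD Memory Encryption Features active: SME". Both forms
    # match this pattern, and the line is only printed once the kernel has
    # actually enabled SME and is setting the C-bit in its page tables.
    if grep -q 'Memory Encryption Features active:.*SME' "$dmesg_log"; then
        echo active
        return 0
    fi

    echo supported-inactive
}

# sme_requested CMDLINE
# Returns 0 if the boot command line asked for SME via mem_encrypt=on.
# A "supported-inactive" result together with a true here points at the
# BIOS settings rather than at a missing kernel parameter.
sme_requested() {
    grep -Eq '(^|[[:space:]])mem_encrypt=on([[:space:]]|$)' "$1"
}

# Live use on an EPYC host (reading dmesg may require root):
#   dmesg > /tmp/dmesg.txt
#   sme_status /proc/cpuinfo /tmp/dmesg.txt
#   sme_requested /proc/cmdline && echo "mem_encrypt=on was passed"
```

A kernel built with CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT will report "active" without mem_encrypt=on appearing on the command line, so treat sme_requested as a diagnostic hint rather than a second source of truth; the dmesg line is the authoritative one.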