AMD's SME/SEV Security Support For EPYC Not Yet Ready On Linux
Written by Michael Larabel in AMD on 28 June 2017 at 02:06 AM EDT. 9 Comments
While AMD announced their EPYC 7000 series CPUs last week, the prominent new security features of these high-end processors aren't yet supported by the mainline Linux kernel.

The new security features of the Zen-based EPYC server processors are Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). SME encrypts DRAM contents with a single key that is generated at boot by the AMD Secure Processor (the ARM-based security co-processor) and is never exposed to software; individual pages are marked as encrypted or not through an encryption bit in their page-table entries, and an AES engine in the memory controller does the encryption and decryption transparently. SME is aimed at physical-access attacks on DRAM such as cold-boot or bus-probing attacks, while SEV builds on it to encrypt each virtual machine's memory with its own key so that even a compromised hypervisor cannot read guest memory. Sadly, neither SME nor SEV has been mainlined in the Linux kernel yet, so EPYC Linux servers don't yet benefit from this new technology.

AMD posted SME patches back in April of 2016, but as of Linux 4.12 the work has yet to be mainlined, and it's looking like it might not be ready for Linux 4.13 either. SEV patches are still pending public posting. (For those concerned about a free software system, EPYC's Secure Processor firmware remains a binary blob.)

The latest SME patches were posted on Tuesday. This 38-patch series implements Secure Memory Encryption for the Linux kernel; as the cover letter puts it, "SME can be used to mark individual pages of memory as encrypted through the page tables. A page of memory that is marked encrypted will be automatically decrypted when read from DRAM and will be automatically encrypted when written to DRAM."
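To make the "marked encrypted through the page tables" mechanism concrete, here is an added example (not code from the article, from AMD, or from the kernel patches) that decodes the CPUID leaf advertising SME/SEV and applies the resulting encryption-bit mask to page-table entries. Register layouts follow AMD's published CPUID Fn8000_001F description (EAX bit 0 = SME, bit 1 = SEV, EBX[5:0] = C-bit position, EBX[11:6] = physical address bits lost, ECX = number of encrypted guests). The function and field names are mine; the kernel series keeps an equivalent global mask it ORs into PTEs. The sample register values used at the bottom are constructed to represent a C-bit at bit 47 with a 5-bit physical-address reduction.

```c
/* Added example: decode AMD CPUID Fn8000_001F (memory encryption capabilities)
 * and show how a page-table entry is marked encrypted via the "C-bit".
 * Names are the example's own, not the kernel's. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct mem_encrypt_caps {
    bool sme;             /* EAX bit 0: Secure Memory Encryption supported */
    bool sev;             /* EAX bit 1: Secure Encrypted Virtualization supported */
    unsigned cbit_pos;    /* EBX[5:0]: page-table bit used as the encryption (C) bit */
    unsigned phys_reduce; /* EBX[11:6]: physical address bits lost when SME is enabled */
    unsigned sev_guests;  /* ECX: number of simultaneously encrypted guests supported */
};

/* Pure decoder for raw Fn8000_001F register values, so it can be
 * exercised with constructed values on any host. */
struct mem_encrypt_caps decode_mem_encrypt_leaf(uint32_t eax, uint32_t ebx, uint32_t ecx)
{
    struct mem_encrypt_caps c;
    c.sme = (eax & 1u) != 0;
    c.sev = ((eax >> 1) & 1u) != 0;
    c.cbit_pos = ebx & 0x3fu;
    c.phys_reduce = (ebx >> 6) & 0x3fu;
    c.sev_guests = ecx;
    return c;
}

/* Query the running CPU. Returns false when the leaf is absent
 * (non-AMD or pre-Zen CPU, or a non-x86 build). */
bool query_mem_encrypt_caps(struct mem_encrypt_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0x80000000u, &eax, &ebx, &ecx, &edx) || eax < 0x8000001fu)
        return false;
    __cpuid_count(0x8000001fu, 0, eax, ebx, ecx, edx);
    *out = decode_mem_encrypt_leaf(eax, ebx, ecx);
    return out->sme || out->sev;
#else
    (void)out;
    return false;
#endif
}

/* The mask holding the C-bit; zero when SME is unavailable so that
 * marking/checking pages degrades to a no-op instead of corrupting PTEs. */
uint64_t me_mask_from_caps(const struct mem_encrypt_caps *c)
{
    return c->sme ? (1ULL << c->cbit_pos) : 0;
}

/* A page is encrypted when its PTE carries the C-bit; the hardware then
 * decrypts on read and encrypts on write with no software involvement. */
uint64_t pte_mark_encrypted(uint64_t pte, uint64_t me_mask) { return pte | me_mask; }
uint64_t pte_mark_decrypted(uint64_t pte, uint64_t me_mask) { return pte & ~me_mask; }
bool pte_is_encrypted(uint64_t pte, uint64_t me_mask)
{
    return me_mask != 0 && (pte & me_mask) == me_mask;
}

/* Address bits the OS may actually use for physical memory once the
 * C-bit and the reported reduction are carved out of the address space. */
unsigned usable_phys_bits(unsigned reported_phys_bits, const struct mem_encrypt_caps *c)
{
    return c->sme ? reported_phys_bits - c->phys_reduce : reported_phys_bits;
}

int main(void)
{
    struct mem_encrypt_caps c;
    if (!query_mem_encrypt_caps(&c)) {
        /* Constructed sample: SME+SEV present, C-bit 47, 5-bit reduction, 16 guests. */
        puts("CPU does not advertise Fn8000_001F; using constructed sample values");
        c = decode_mem_encrypt_leaf(0x3u, 0x16fu, 0x10u);
    }
    uint64_t m = me_mask_from_caps(&c);
    uint64_t pte = 0x000000012345f067ULL; /* constructed PTE: present, RW, dirty, accessed */
    printf("SME=%d SEV=%d C-bit=%u reduce=%u guests=%u\n",
           c.sme, c.sev, c.cbit_pos, c.phys_reduce, c.sev_guests);
    printf("me_mask=0x%016llx\n", (unsigned long long)m);
    printf("pte plain=0x%016llx encrypted=0x%016llx\n",
           (unsigned long long)pte, (unsigned long long)pte_mark_encrypted(pte, m));
    printf("usable physical bits (of 48) = %u\n", usable_phys_bits(48, &c));
    return 0;
}
```

Reading the leaf from user space only tells you what the silicon can do; whether SME is actually active is controlled by firmware and the kernel through the SYSCFG MSR, which is not readable from an unprivileged process, so a reported C-bit on an EPYC box running Linux 4.12 does not mean DRAM is being encrypted.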

The Secure Encrypted Virtualization work, meanwhile, has yet to be published; the SME cover letter notes: "This patch series is a pre-cursor to another AMD processor feature called Secure Encrypted Virtualization (SEV). The support for SEV will build upon the SME support and will be submitted later."

Compared with the earlier revisions, the latest SME series carries a number of fixes and other changes. Still on the developers' to-do list is Kdump support. Hopefully it won't be too many more kernel releases before SME/SEV appear in the mainline tree.
About The Author

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.