AMD Posts Secure Memory Encryption For The Linux Kernel (SME)
Written by Michael Larabel in AMD on 26 April 2016 at 09:49 PM EDT. 30 Comments
AMD --
Well, today seems to be the day for x86 CPU vendors to push out memory security related features for the Linux kernel... After Intel posted the Secure Guard Extensions driver for Linux, AMD has come out with a patch-set for "Secure Memory Encryption" (SME) that looks like it will be a hardware feature of Zen.

I hadn't heard much about AMD's Secure Memory Encryption (SME) feature up to now and some quick searching isn't turning up too much, but presumably is a feature for Zen. Tom Lendacky of AMD describes SME as:
SME can be used to mark individual pages of memory as encrypted through the page tables. A page of memory that is marked encrypted will be automatically decrypted when read from DRAM and will be automatically encrypted when written to DRAM. Details on SME can found in the links below.

The SME feature is identified through a CPUID function and enabled through the SYSCFG MSR. Once enabled, page table entries will determine how the memory is accessed. If a page table entry has the memory encryption mask set, then that memory will be accessed as encrypted memory. The memory encryption mask (as well as other related information) is determined from settings returned through the same CPUID function that identifies the presence of the feature.

The approach that this patch series takes is to encrypt everything possible starting early in the boot where the kernel is encrypted. Using the page table macros the encryption mask can be incorporated into all page table entries and page allocations. By updating the protection map, userspace allocations are also marked encrypted. Certain data must be accounted for as having been placed in memory before SME was enabled (EFI, initrd, etc.) and accessed accordingly.

This patch series is a pre-cursor to another AMD processor feature called Secure Encrypted Virtualization (SEV). The support for SEV will build upon the SME support and will be submitted later.

More details on Secure Memory Encryption and Secure Encrypted Virtualization from AMD can be found via this 12-page PDF whitepaper that was just published a few days ago. This SME support for the Linux kernel affects just over one thousand lines of x86 kernel code and until being merged into a future version of the Linux kernel can be found via this patch series.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week