From: Dave Hansen
To: Borislav Petkov, Martin Fernandez
Cc: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
    platform-driver-x86@vger.kernel.org, linux-mm@kvack.org,
    kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org,
    tglx@linutronix.de, mingo@redhat.com, dave.hansen@linux.intel.com,
    x86@kernel.org, hpa@zytor.com, ardb@kernel.org, dvhart@infradead.org,
    andy@infradead.org, gregkh@linuxfoundation.org, rafael@kernel.org,
    rppt@kernel.org, akpm@linux-foundation.org, daniel.gutson@eclypsium.com,
    hughsient@gmail.com, alex.bazhaniuk@eclypsium.com,
    alison.schofield@intel.com, keescook@chromium.org
Subject: Re: [PATCH v9 0/9] x86: Show in sysfs if a memory node is able to do encryption
Date: Thu, 27 Oct 2022 08:21:02 -0700
Message-ID: <6758af9b-1110-ad5a-3961-e256d5c8d576@intel.com>
References: <20220704135833.1496303-1-martin.fernandez@eclypsium.com>

On 10/27/22 01:57, Borislav Petkov wrote:
> Well, I still think this is not going to work in all cases. SME/TME can
> be enabled but the kernel can go - and for whatever reason - map a bunch
> of memory unencrypted.

For TME on Intel systems, there's no way to make it unencrypted. The
memory controller is doing all the encryption behind the back of the OS
and even devices that are doing DMA. Nothing outside of the memory
controller really knows or cares that encryption is happening.