From: "Limonciello, Mario" <Mario.Limonciello@amd.com>
To: Borislav Petkov <bp@alien8.de>,
Martin Fernandez <martin.fernandez@eclypsium.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"platform-driver-x86@vger.kernel.org"
<platform-driver-x86@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"mingo@redhat.com" <mingo@redhat.com>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"x86@kernel.org" <x86@kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"ardb@kernel.org" <ardb@kernel.org>,
"dvhart@infradead.org" <dvhart@infradead.org>,
"andy@infradead.org" <andy@infradead.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"rafael@kernel.org" <rafael@kernel.org>,
"rppt@kernel.org" <rppt@kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"daniel.gutson@eclypsium.com" <daniel.gutson@eclypsium.com>,
"hughsient@gmail.com" <hughsient@gmail.com>,
"alex.bazhaniuk@eclypsium.com" <alex.bazhaniuk@eclypsium.com>,
"alison.schofield@intel.com" <alison.schofield@intel.com>,
"keescook@chromium.org" <keescook@chromium.org>
Subject: RE: [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do encryption
Date: Fri, 6 May 2022 14:18:17 +0000 [thread overview]
Message-ID: <BL1PR12MB5157B790AB125DFAE1855067E2C59@BL1PR12MB5157.namprd12.prod.outlook.com> (raw)
In-Reply-To: <YnUYLDjIThbIz/Uf@zn.tnic>
[Public]
> -----Original Message-----
> From: Borislav Petkov <bp@alien8.de>
> Sent: Friday, May 6, 2022 07:44
> To: Martin Fernandez <martin.fernandez@eclypsium.com>
> Cc: linux-kernel@vger.kernel.org; linux-efi@vger.kernel.org; platform-
> driver-x86@vger.kernel.org; linux-mm@kvack.org; tglx@linutronix.de;
> mingo@redhat.com; dave.hansen@linux.intel.com; x86@kernel.org;
> hpa@zytor.com; ardb@kernel.org; dvhart@infradead.org;
> andy@infradead.org; gregkh@linuxfoundation.org; rafael@kernel.org;
> rppt@kernel.org; akpm@linux-foundation.org;
> daniel.gutson@eclypsium.com; hughsient@gmail.com;
> alex.bazhaniuk@eclypsium.com; alison.schofield@intel.com;
> keescook@chromium.org
> Subject: Re: [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do
> encryption
>
> On Wed, May 04, 2022 at 02:18:30PM -0300, Martin Fernandez wrote:
> > The use case is to know if a user is using hardware encryption or
> > not. This new sysfs file plus knowing if tme/sev is active you can be
> > pretty sure about that.
>
> Then please explain it in detail and in the text so that it is clear. As
> it is now, the reader is left wondering what that file is supposed to
> state.
>
> > Dave Hansen pointed those out in a previuos patch serie, here is the
> > quote:
> >
> > > CXL devices will have normal RAM on them, be exposed as "System
> RAM" and
> > > they won't have encryption capabilities. I think these devices were
> > > probably the main motivation for EFI_MEMORY_CPU_CRYPTO.
>
> So this would mean that if a system doesn't have CXL devices and has
> TME/SME/SEV-* enabled, then it is running with encrypted memory.
>
> Which would then also mean, you don't need any of that code - you only
> need to enumerate CXL devices which, it seems, do not support memory
> encryption, and then state that memory encryption is enabled on the
> whole system, except for the memory of those devices.
>
> I.e.,
>
> $ dmesg | grep -i SME
> [ 1.783650] AMD Memory Encryption Features active: SME
>
> Done - memory is encrypted on the whole system.
>
> We could export it into /proc/cpuinfo so that you don't have to grep
> dmesg and problem solved.
>
Actually we solved that already for SME. Kernel only exposes the feature
in /proc/cpuinfo if it's active now.
See kernel commit 08f253ec3767bcfafc5d32617a92cee57c63968e.
Fwupd code has been changed to match it too. It will only trust the presence of
sme flag with kernel 5.18.0 and newer.
https://github.com/fwupd/fwupd/commit/53a49b4ac1815572f242f85a1a1cc52a2d7ed50c
next prev parent reply other threads:[~2022-05-06 14:18 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-29 20:17 Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 1/8] mm/memblock: Tag memblocks with crypto capabilities Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 2/8] mm/mmzone: Tag pg_data_t " Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 3/8] x86/e820: Add infrastructure to refactor e820__range_{update,remove} Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 4/8] x86/e820: Refactor __e820__range_update Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 5/8] x86/e820: Refactor e820__range_remove Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 6/8] x86/e820: Tag e820_entry with crypto capabilities Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 7/8] x86/efi: Mark e820_entries as crypto capable from EFI memmap Martin Fernandez
2022-04-29 20:17 ` [PATCH v8 8/8] drivers/node: Show in sysfs node's crypto capabilities Martin Fernandez
2022-05-04 16:38 ` [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do encryption Borislav Petkov
2022-05-04 17:18 ` Martin Fernandez
2022-05-06 12:44 ` Borislav Petkov
2022-05-06 14:18 ` Limonciello, Mario [this message]
2022-05-06 15:32 ` Dave Hansen
2022-05-06 16:00 ` Dan Williams
2022-05-06 17:55 ` Boris Petkov
2022-05-06 18:14 ` Dave Hansen
2022-05-06 18:25 ` Boris Petkov
2022-05-06 18:43 ` Dave Hansen
2022-05-06 19:02 ` Boris Petkov
2022-05-09 18:47 ` Dave Hansen
2022-05-09 22:17 ` Borislav Petkov
2022-05-09 22:56 ` Dave Hansen
2022-05-16 8:39 ` Richard Hughes
2022-05-18 7:52 ` Borislav Petkov
2022-05-18 18:28 ` Dan Williams
2022-05-18 20:23 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BL1PR12MB5157B790AB125DFAE1855067E2C59@BL1PR12MB5157.namprd12.prod.outlook.com \
--to=mario.limonciello@amd.com \
--cc=akpm@linux-foundation.org \
--cc=alex.bazhaniuk@eclypsium.com \
--cc=alison.schofield@intel.com \
--cc=andy@infradead.org \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=daniel.gutson@eclypsium.com \
--cc=dave.hansen@linux.intel.com \
--cc=dvhart@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=hughsient@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=martin.fernandez@eclypsium.com \
--cc=mingo@redhat.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=rppt@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox