linux-mm.kvack.org archive mirror
* [RFC] UABI to show system memory encryption
@ 2022-10-11 13:59 Martin Fernandez
  0 siblings, 0 replies; only message in thread
From: Martin Fernandez @ 2022-10-11 13:59 UTC (permalink / raw)
  To: linux-coco, linux-mm
  Cc: rppt, Dave Hansen, Borislav Petkov, hughsient, daniel.gutson,
	Alex Bazhaniuk

Hi guys,

I've been working on a patch [1] to show in sysfs the status of the
memory encryption.

One of the parts involved in reporting the status is that the platform
is capable of doing encryption. In this case I focused on x86 EFI
systems, where this is reported as a flag in the EFI memory map:
EFI_MEMORY_CPU_CRYPTO.

From the UEFI spec:

  The memory region is capable of being protected with CPU's
  capabilities if and only if the flag is set.

After some discussion we decided that it would be nice to show if this
flag is set per memory node, i.e., add a new file in the nodeX directory
where it will have a 1 if all the memory in that node is able to do
encryption (has the flag for x86 EFI systems) or 0 otherwise.

The idea is to determine, in conjunction with checking that the CPU is
actually able to do encryption (checking that TME/MKTME is enabled for
example), that a system is actively encrypting its memory. Currently
fwupd is looking for something like this, in order to do some security
checks at boot time (more details on the use case in [1]).

More discussion on [2].

Please provide feedback on how this could be improved or new use cases
that could come up.

Thank you.

Martin.


[1] https://lore.kernel.org/linux-efi/20220704135833.1496303-1-martin.fernandez@eclypsium.com/

[2] https://lore.kernel.org/all/20200618210215.23602-1-daniel.gutson@eclypsium.com/
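As an added example (not the RFC's patch or kernel code), the per-node check the RFC proposes, modelled in Python over a constructed EFI memory map and combined with a TME capability check on /proc/cpuinfo-style text; the descriptor tuple layout, the node range table and the choice that a node with no descriptors reports 0 are assumptions.

```python
EFI_PAGE_SIZE = 4096
EFI_MEMORY_WB = 0x8                          # write-back cacheability attribute
EFI_MEMORY_CPU_CRYPTO = 0x0000000000080000   # UEFI 2.8: region can be CPU-encrypted

def node_memory_encryptable(efi_map, node_ranges):
    """Map node id -> 1 if every EFI descriptor overlapping the node's
    physical ranges has EFI_MEMORY_CPU_CRYPTO, else 0 (the RFC's sysfs value).
    Assumption: a node with no overlapping descriptor reports 0."""
    result = {}
    for node, ranges in node_ranges.items():
        seen, all_flagged = False, True
        for start, end in ranges:
            for pstart, npages, attr in efi_map:
                pend = pstart + npages * EFI_PAGE_SIZE
                if pend <= start or pstart >= end:
                    continue  # descriptor does not touch this node
                seen = True
                if not attr & EFI_MEMORY_CPU_CRYPTO:
                    all_flagged = False
        result[node] = 1 if seen and all_flagged else 0
    return result

def cpu_supports_tme(cpuinfo_text):
    """True if a /proc/cpuinfo-style 'flags' line lists 'tme' (Intel TME)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "tme" in line.split(":", 1)[1].split()
    return False

def system_memory_encrypted(efi_map, node_ranges, cpuinfo_text):
    """The combined check the RFC describes: CPU capable AND every node flagged."""
    per_node = node_memory_encryptable(efi_map, node_ranges)
    return cpu_supports_tme(cpuinfo_text) and all(v == 1 for v in per_node.values())

# Constructed sample data (not taken from a real machine).
SAMPLE_EFI_MAP = [  # (phys_start, num_pages, attribute)
    (0x0000_0000, 0x100, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO),  # node 0, flagged
    (0x0010_0000, 0x700, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO),  # node 0, flagged
    (0x0080_0000, 0x400, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO),  # node 1, flagged
    (0x00C0_0000, 0x400, EFI_MEMORY_WB),                          # node 1, NOT flagged
]
SAMPLE_NODES = {0: [(0x0000_0000, 0x0080_0000)], 1: [(0x0080_0000, 0x0100_0000)]}
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tme sgx_lc\n"

if __name__ == "__main__":
    print(node_memory_encryptable(SAMPLE_EFI_MAP, SAMPLE_NODES))  # {0: 1, 1: 0}
    print(system_memory_encrypted(SAMPLE_EFI_MAP, SAMPLE_NODES, SAMPLE_CPUINFO))  # False
```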

