Re: [RFC PATCH v4 05/28] x86: Add Secure Memory Encryption (SME) support

From: Borislav Petkov
Date: Fri Feb 17 2017 - 07:01:07 EST


On Thu, Feb 16, 2017 at 09:43:07AM -0600, Tom Lendacky wrote:
> Add support for Secure Memory Encryption (SME). This initial support
> provides a Kconfig entry to build the SME support into the kernel and
> defines the memory encryption mask that will be used in subsequent
> patches to mark pages as encrypted.
>
> Signed-off-by: Tom Lendacky <thomas.lendacky@xxxxxxx>
> ---
> arch/x86/Kconfig | 22 +++++++++++++++++++
> arch/x86/include/asm/mem_encrypt.h | 42 ++++++++++++++++++++++++++++++++++++
> arch/x86/mm/Makefile | 1 +
> arch/x86/mm/mem_encrypt.c | 21 ++++++++++++++++++
> include/linux/mem_encrypt.h | 37 ++++++++++++++++++++++++++++++++
> 5 files changed, 123 insertions(+)
> create mode 100644 arch/x86/include/asm/mem_encrypt.h
> create mode 100644 arch/x86/mm/mem_encrypt.c
> create mode 100644 include/linux/mem_encrypt.h
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index f8fbfc5..a3b8c71 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1395,6 +1395,28 @@ config X86_DIRECT_GBPAGES
> supports them), so don't confuse the user by printing
> that we have them enabled.
>
> +config AMD_MEM_ENCRYPT
> + bool "AMD Secure Memory Encryption (SME) support"
> + depends on X86_64 && CPU_SUP_AMD
> + ---help---
> + Say yes to enable support for the encryption of system memory.
> + This requires an AMD processor that supports Secure Memory
> + Encryption (SME).
> +
> +config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
> + bool "Activate AMD Secure Memory Encryption (SME) by default"
> + default y
> + depends on AMD_MEM_ENCRYPT
> + ---help---
> + Say yes to have system memory encrypted by default if running on
> + an AMD processor that supports Secure Memory Encryption (SME).
> +
> + If set to Y, then the encryption of system memory can be
> + deactivated with the mem_encrypt=off command line option.
> +
> + If set to N, then the encryption of system memory can be
> + activated with the mem_encrypt=on command line option.
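
Review bot: the AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT help text names the mem_encrypt=on and mem_encrypt=off command line options, but the diffstat for this patch touches nothing under Documentation/, so a reader of this Kconfig entry has no reference for the parameter. Suggest adding its kernel-parameters entry in the same patch, or saying in the commit message which later patch in the series introduces it. Separately, since AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is "default y", the AMD_MEM_ENCRYPT help could state that enabling it will, with the defaults, have memory encrypted at boot on SME-capable processors, so the consequence is visible at the first prompt.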

Good.

--
Regards/Gruss,
Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.