Re: [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

From: Tom Lendacky
Date: Mon Jul 10 2017 - 14:04:37 EST




On 7/8/2017 4:24 AM, Ingo Molnar wrote:

* Tom Lendacky <thomas.lendacky@xxxxxxx> wrote:

This patch series provides support for AMD's new Secure Memory Encryption (SME)
feature.

I'm wondering, what's the typical performance hit to DRAM access latency when SME
is enabled?

It's about an extra 10 cycles of DRAM latency when performing an
encryption or decryption operation.


On that same note, if the performance hit is noticeable I'd expect SME to not be
enabled in native kernels typically - but still it looks like a useful hardware

In some internal testing we've seen about 1.5% or less reduction in
performance. Of course it all depends on the workload: the number of
memory accesses, cache friendliness, etc.

feature. Since it's controlled at the page table level, have you considered
allowing SME-activated vmas via mmap(), even on kernels that are otherwise not
using encrypted DRAM?

That is definitely something to consider as an additional SME-related
feature and something I can look into after this.

Thanks,
Tom


One would think that putting encryption keys into such encrypted RAM regions would
generally improve robustness against various physical space attacks that want to
extract keys but don't have full control of the CPU.

Thanks,

Ingo