Re: [PATCHv3 0/5] x86: Enumerate TME and PCONFIG, add MKTME_KEY_PROG helper
From: Ingo Molnar
Date: Sun Feb 11 2018 - 14:02:56 EST
* Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx> wrote:
> Multikey Total Memory Encryption (MKTME)[1] is a technology that allows
> transparent memory encryption in upcoming Intel platforms.
>
> MKTME is built on top of TME. TME allows encryption of the entirety of
> system memory using a single key. MKTME allows to have multiple encryption
> domains, each having own key -- different memory pages can be encrypted
> with different keys.
>
> The patchset does some ground work for MKTME enabling:
> - Adds two new cpufeatures: TME and PCONFIG;
> - Detects if BIOS enabled TME and MKTME;
> - Enumerates what PCONFIG targets are supported;
> - Provides helper to program encryption keys into CPU;
>
> As part of TME enumeration we check out how many bits from physical address
> are claimed for encryption key ID. This may be critical as we or guest VM
> must not use these bits for physical address.
So how will the 'full' patchset look like, roughly - is there a tree or diffstat
we could take a look at perhaps?
I'm also wondering how 'TME' compares to AMD's SME (Secure Memory Encryption) and
SEV features. SME required a number of low level boot code changes - I'm wondering
how much commonality there can be achieved with Intel's TME so that we don't end
up with two sets of interfaces.
Thanks,
Ingo