Re: [PATCH] Ability to read the MKTME status from userspace
From: Dave Hansen
Date: Thu Jun 18 2020 - 19:52:27 EST
On 6/18/20 2:26 PM, Daniel Gutson wrote:
> Red Hat and Eclypsium are working on a specification to assess
> firmware platform security. One of the inputs that the specification
> takes into consideration is whether MKTME is enabled or disabled.
> Exposing this value is necessary for tools checking the conformance
> of the specification.
What does TME's status on the platform tell you, though?
It doesn't tell you if your data is encrypted. It doesn't even tell you
if your mlock()'d "in RAM" data is encrypted.
So, what good is it?
Are we going to need another one of these when the TME encryption
algorithm changes? Do we need another driver when running in a SEV
guest to tell us about SEV's status?