Re: [PATCH] Ability to read the MKTME status from userspace

From: Dave Hansen
Date: Thu Jun 18 2020 - 19:52:27 EST


On 6/18/20 2:26 PM, Daniel Gutson wrote:
> Red Hat and Eclypsium are working on a specification to assess
> firmware platform security. One of the inputs that the specification
> takes into consideration is whether MKTME is enabled or disabled.
> Exposing this value is necessary for tools checking the conformance
> of the specification.

What does TME's status on the platform tell you, though?

It doesn't tell you if your data is encrypted. It doesn't even tell you
if your mlock()'d "in RAM" data is encrypted.

So, what good is it?

Are we going to need another one of these when the TME encryption
algorithm changes? Do we need another driver when running in a SEV
guest to tell us about SEV's status?