Re: [PATCH] Ability to read the MKTME status from userspace
From: Dave Hansen
Date: Fri Jun 19 2020 - 09:58:42 EST
On 6/19/20 6:37 AM, Richard Hughes wrote:
> On Fri, 19 Jun 2020 at 14:33, Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
>> On top of that, the kernel can just swap data out to unencrypted storage.
>
> Right, but for the most part you'd agree that a machine with
> functioning TME and encrypted swap partition is more secure than a
> machine without TME?
Nope. There might be zero memory connected to the memory controller
that supports TME.
>> So, I really wonder what folks want from this flag in the first place.
>> It really tells you _nothing_.
>
> Can I use TME if the CPU supports it, but the platform has disabled
> it? How do I know that my system is actually *using* the benefits the
> TME feature provides?
You must have a system with UEFI 2.8, ensure TME is enabled, then make
sure the OS parses EFI_MEMORY_CPU_CRYPTO, then ensure you request that
you data be placed in a region marked with EFI_MEMORY_CPU_CRYPTO, and
that it be *kept* there (hint: NUMA APIs don't do this).