Re: [PATCH] Ability to read the MKTME status from userspace

From: Dave Hansen
Date: Fri Jun 19 2020 - 09:58:42 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH] Ability to read the MKTME status from userspace"
Previous message: Christoph Hellwig: "Re: [PATCH v13 3/9] smccc: Export smccc conduit get helper."
In reply to: Richard Hughes: "Re: [PATCH] Ability to read the MKTME status from userspace"
Next in thread: Richard Hughes: "Re: [PATCH] Ability to read the MKTME status from userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/19/20 6:37 AM, Richard Hughes wrote:
> On Fri, 19 Jun 2020 at 14:33, Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
>> On top of that, the kernel can just swap data out to unencrypted storage.
>
> Right, but for the most part you'd agree that a machine with
> functioning TME and encrypted swap partition is more secure than a
> machine without TME?

Nope. There might be zero memory connected to the memory controller
that supports TME.

>> So, I really wonder what folks want from this flag in the first place.
>> It really tells you _nothing_.
>
> Can I use TME if the CPU supports it, but the platform has disabled
> it? How do I know that my system is actually *using* the benefits the
> TME feature provides?

You must have a system with UEFI 2.8, ensure TME is enabled, then make
sure the OS parses EFI_MEMORY_CPU_CRYPTO, then ensure you request that
you data be placed in a region marked with EFI_MEMORY_CPU_CRYPTO, and
that it be *kept* there (hint: NUMA APIs don't do this).

Next message: Greg Kroah-Hartman: "Re: [PATCH] Ability to read the MKTME status from userspace"
Previous message: Christoph Hellwig: "Re: [PATCH v13 3/9] smccc: Export smccc conduit get helper."
In reply to: Richard Hughes: "Re: [PATCH] Ability to read the MKTME status from userspace"
Next in thread: Richard Hughes: "Re: [PATCH] Ability to read the MKTME status from userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]