Re: [PATCH] Ability to read the MKTME status from userspace

From: Richard Hughes
Date: Fri Jun 19 2020 - 12:17:26 EST


On Fri, 19 Jun 2020 at 15:48, Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
> You cut out the important part. The "pretty sure" involves a bunch of
> preconditions and knowing what your hardware configuration is in the
> first place.

Totally agree.

> Let's take a step back. We add read-only ABIs so that decisions can be
> made. What decision will somebody make from the ABI being proposed here?

The question of "is my memory encrypted" is what I'm trying to decide.
To the end user (or the person marking a compliance ticksheet for a
government contract) all they want to know is the end result. At the
moment for AMD SME this seems much simpler as there are less
"preconditions".

> Someone does 'cat /proc/mktme' (or whatever) and it says "1" or
> whatever, which means yay, encryption is on. What do they do?

I think "is my memory encrypted" for Intel has to be a superset of:

1. TME in CPU info
2. not disabled by the platform
3. not using unencrypted swap
4. not using a memory accelerator
5. entire DRAM area is marked with EFI_MEMORY_CPU_CRYPTO

It seems the only way to answer the questions and make it easy for the
consumer to know the answer is to ask the kernel for each of the 5
different questions. At the moment we can only get 1, 3, maybe 4, soon
to be 5, but not 2.

Richard.