.. SPDX-License-Identifier: GPL-2.0

=====================
AMD Memory Encryption
=====================

Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
features found on AMD processors.

SME provides the ability to mark individual pages of memory as encrypted using
the standard x86 page tables. A page that is marked encrypted will be
automatically decrypted when read from DRAM and encrypted when written to
DRAM. SME can therefore be used to protect the contents of DRAM from physical
attacks on the system.

SEV enables running encrypted virtual machines (VMs) in which the code and data
of the guest VM are secured so that a decrypted version is available only
within the VM itself. SEV guest VMs have the concept of private and shared
memory. Private memory is encrypted with the guest-specific key, while shared
memory may be encrypted with the hypervisor key. When SME is enabled, the
hypervisor key is the same key which is used in SME.

A page is encrypted when a page table entry has the encryption bit set (see
below on how to determine its position). The encryption bit can also be
specified in the cr3 register, allowing the PGD table to be encrypted. Each
successive level of page tables can also be encrypted by setting the encryption
bit in the page table entry that points to the next table. This allows the full
page table hierarchy to be encrypted. Note, this means that just because the
encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
Each page table entry in the hierarchy needs to have the encryption bit set to
achieve that. So, theoretically, you could have the encryption bit set in cr3
so that the PGD is encrypted, but not set the encryption bit in the PGD entry
for a PUD, which results in the PUD pointed to by that entry not being
encrypted.

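The per-level behaviour described above, as an added example rather than kernel code: it models a 4-level walk from cr3 over constructed tables and reports which objects carry the encryption bit, including the case where cr3 encrypts the PGD but the PGD entry leaves the PUD in the clear. The C-bit position (47), the single-entry table layout, and the names `make_entry`, `entry_addr`, `walk_encryption` and `example_partial_hierarchy` are the example's own assumptions; real code takes the bit position from CPUID 0x8000001f[ebx] bits 5:0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. The C-bit position (47) is a constructed
 * assumption; real code reads it from CPUID 0x8000001f[ebx] bits 5:0. */
#define CBIT_POS        47
#define SME_ME_MASK     (1ULL << CBIT_POS)
#define PTE_ADDR_MASK   0x000ffffffffff000ULL  /* bits 51:12 carry the address */
#define PTE_PRESENT     1ULL                   /* bit 0 used as "present" here */

/* Objects met on a walk, in order: cr3 -> PGD -> PUD -> PMD -> PTE -> page. */
enum level { LVL_PGD, LVL_PUD, LVL_PMD, LVL_PTE, LVL_PAGE, NLEVELS };

/* Constructed "physical memory": table i sits at physical address (i+1)*4K
 * and holds one entry, so every walk uses index 0 at every level. */
#define NTABLES         4
#define TABLE_PA(i)     ((uint64_t)((i) + 1) << 12)
#define TABLE_INDEX(pa) ((int)((pa) >> 12) - 1)

/* Build a table entry (or cr3 value) pointing at phys, optionally encrypted. */
uint64_t make_entry(uint64_t phys, bool encrypt)
{
    return (phys & PTE_ADDR_MASK) | PTE_PRESENT | (encrypt ? SME_ME_MASK : 0);
}

/* The C-bit lives inside the address field but is not part of the address:
 * mask it off before using the pointer. */
uint64_t entry_addr(uint64_t entry)
{
    return entry & PTE_ADDR_MASK & ~SME_ME_MASK;
}

bool entry_encrypted(uint64_t entry)
{
    return (entry & SME_ME_MASK) != 0;
}

/* Walk from cr3 to the data page. Bit L of the result is set when the object
 * at level L is encrypted, i.e. the entry pointing to it carries the C-bit.
 * An encrypted table does not make the tables below it encrypted. */
unsigned walk_encryption(uint64_t cr3, const uint64_t *tables, int ntables)
{
    unsigned mask = 0;
    uint64_t entry = cr3;

    for (int level = LVL_PGD; level < NLEVELS; level++) {
        if (entry_encrypted(entry))
            mask |= 1u << level;
        if (level == LVL_PAGE)
            break;
        int idx = TABLE_INDEX(entry_addr(entry));
        if (idx < 0 || idx >= ntables)
            break;                 /* points outside the model */
        entry = tables[idx];       /* entry 0 of the next-level table */
        if (!(entry & PTE_PRESENT))
            break;
    }
    return mask;
}

/* The scenario in the text: C-bit set in cr3 (PGD encrypted) but clear in the
 * PGD entry, so the PUD is in the clear; everything below is encrypted. */
unsigned example_partial_hierarchy(void)
{
    uint64_t tables[NTABLES];
    uint64_t cr3 = make_entry(TABLE_PA(0), true);   /* PGD encrypted */
    tables[0] = make_entry(TABLE_PA(1), false);     /* PUD not encrypted */
    tables[1] = make_entry(TABLE_PA(2), true);      /* PMD encrypted */
    tables[2] = make_entry(TABLE_PA(3), true);      /* PTE table encrypted */
    tables[3] = make_entry(0x12345000ULL, true);    /* data page encrypted */
    return walk_encryption(cr3, tables, NTABLES);   /* 0x1d: bit 1 (PUD) clear */
}

/* Every entry carries the C-bit: the whole hierarchy is encrypted (0x1f). */
unsigned example_full_hierarchy(void)
{
    uint64_t tables[NTABLES];
    uint64_t cr3 = make_entry(TABLE_PA(0), true);
    for (int i = 0; i < NTABLES - 1; i++)
        tables[i] = make_entry(TABLE_PA(i + 1), true);
    tables[NTABLES - 1] = make_entry(0x12345000ULL, true);
    return walk_encryption(cr3, tables, NTABLES);
}

int main(void)
{
    static const char *names[NLEVELS] = { "PGD", "PUD", "PMD", "PTE", "page" };
    unsigned m = example_partial_hierarchy();

    for (int l = 0; l < NLEVELS; l++)
        printf("%-4s %s\n", names[l], (m & (1u << l)) ? "encrypted" : "clear");
    return 0;
}
```

The point the walk makes explicit is that the C-bit is evaluated per entry: `entry_addr` has to strip it before the pointer is usable, and the encryption status of a table comes only from the entry that points to it, never from the level above.
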
When SEV is enabled, instruction pages and guest page tables are always treated
as private. All the DMA operations inside the guest must be performed on shared
memory. The memory encryption bit is controlled by the guest OS only when it
is operating in 64-bit or 32-bit PAE mode; in all other modes the SEV hardware
forces the memory encryption bit to 1.

Support for SME and SEV can be determined through the CPUID instruction. The
CPUID function 0x8000001f reports information related to SME::

   0x8000001f[eax]:
      Bit[0] indicates support for SME
      Bit[1] indicates support for SEV
   0x8000001f[ebx]:
      Bits[5:0]  pagetable bit number used to activate memory
                 encryption
      Bits[11:6] reduction in physical address space, in bits, when
                 memory encryption is enabled (this only affects
                 system physical addresses, not guest physical
                 addresses)

If support for SME is present, MSR 0xc0010010 (MSR_K8_SYSCFG) can be used to
determine if SME is enabled and/or to enable memory encryption::

   0xc0010010:
      Bit[23]   0 = memory encryption features are disabled
                1 = memory encryption features are enabled

If SEV is supported, MSR 0xc0010131 (MSR_AMD64_SEV) can be used to determine if
SEV is active::

   0xc0010131:
      Bit[0]    0 = memory encryption is not active
                1 = memory encryption is active

Linux relies on the BIOS to set bit 23 of MSR_K8_SYSCFG if the BIOS has
determined that the reduction in the physical address space as a result of
enabling memory encryption (see the CPUID information above) will not conflict
with the address space resource requirements for the system. If this bit is not
set when Linux starts, then Linux itself will not set it and memory encryption
will not be possible.

The state of SME in the Linux kernel can be documented as follows:

- Supported:
  The CPU supports SME (determined through CPUID instruction).

- Enabled:
  Supported and bit 23 of MSR_K8_SYSCFG is set.

- Active:
  Supported, Enabled and the Linux kernel is actively applying
  the encryption bit to page table entries (the SME mask in the
  kernel is non-zero).

SME can also be enabled and activated in the BIOS. If SME is enabled and
activated in the BIOS, then all memory accesses will be encrypted and it will
not be necessary to activate the Linux memory encryption support. If the BIOS
merely enables SME (sets bit 23 of the MSR_K8_SYSCFG), then Linux can activate
memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or
by supplying mem_encrypt=on on the kernel command line. However, if BIOS does
not enable SME, then Linux will not be able to activate memory encryption, even
if configured to do so by default or the mem_encrypt=on command line parameter
is specified.

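The CPUID leaf, the two MSRs, the Supported/Enabled/Active states and the activation rule above, put together as an added example that is not kernel code: it decodes constructed register values (no cpuid or rdmsr is executed), parses mem_encrypt= from a command line string, decides the SME mask Linux would apply, and classifies the result. The struct and function names (`decode_cpuid_8000001f`, `parse_mem_encrypt`, `decide_sme_mask`, `classify_sme`, `scenario_state`, `sev_active`) are the example's own. BIOS-activated SME, where Linux need not apply the bit at all, is not modelled because the text names no register from which to detect it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code). Register values are constructed integers;
 * nothing here executes cpuid or rdmsr. Bit positions are those in the text. */
#define CPUID_8000001F_EAX_SME  (1u << 0)     /* eax bit 0: SME supported */
#define CPUID_8000001F_EAX_SEV  (1u << 1)     /* eax bit 1: SEV supported */
#define SYSCFG_MEM_ENCRYPT      (1ULL << 23)  /* MSR_K8_SYSCFG (0xc0010010) bit 23 */
#define SEV_MSR_ACTIVE          (1ULL << 0)   /* MSR_AMD64_SEV (0xc0010131) bit 0 */

struct mem_encrypt_info {
    bool sme_supported, sev_supported;
    unsigned cbit_pos;            /* ebx[5:0]: page-table bit that enables encryption */
    unsigned phys_addr_reduction; /* ebx[11:6]: system physical address bits lost */
    uint64_t sme_me_mask;         /* 1 << cbit_pos, or 0 when neither feature exists */
};

struct mem_encrypt_info decode_cpuid_8000001f(uint32_t eax, uint32_t ebx)
{
    struct mem_encrypt_info info = { 0 };

    info.sme_supported = (eax & CPUID_8000001F_EAX_SME) != 0;
    info.sev_supported = (eax & CPUID_8000001F_EAX_SEV) != 0;
    info.cbit_pos = ebx & 0x3f;
    info.phys_addr_reduction = (ebx >> 6) & 0x3f;
    if (info.sme_supported || info.sev_supported)
        info.sme_me_mask = 1ULL << info.cbit_pos;
    return info;
}

enum sme_state { SME_UNSUPPORTED, SME_SUPPORTED, SME_ENABLED, SME_ACTIVE };
enum mem_encrypt_param { MEM_ENCRYPT_UNSET, MEM_ENCRYPT_ON, MEM_ENCRYPT_OFF };

/* Find a whole-token "mem_encrypt=on|off" on a kernel command line. */
enum mem_encrypt_param parse_mem_encrypt(const char *cmdline)
{
    const char *key = "mem_encrypt=", *p = cmdline;

    while ((p = strstr(p, key)) != NULL) {
        const char *v = p + strlen(key);
        if (p == cmdline || p[-1] == ' ') {       /* must start a token */
            if (!strncmp(v, "on", 2) && (v[2] == '\0' || v[2] == ' '))
                return MEM_ENCRYPT_ON;
            if (!strncmp(v, "off", 3) && (v[3] == '\0' || v[3] == ' '))
                return MEM_ENCRYPT_OFF;
        }
        p = v;
    }
    return MEM_ENCRYPT_UNSET;
}

/* Activation rule from the text: Linux applies its SME mask only if the BIOS
 * already set SYSCFG bit 23 (Linux never sets it itself) and either
 * CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y or mem_encrypt=on was given.
 * Returns the mask applied to page-table entries; 0 means not active. */
uint64_t decide_sme_mask(const struct mem_encrypt_info *info, uint64_t syscfg,
                         bool active_by_default, enum mem_encrypt_param param)
{
    if (!info->sme_supported || !(syscfg & SYSCFG_MEM_ENCRYPT))
        return 0;
    if (param == MEM_ENCRYPT_OFF)
        return 0;
    return (param == MEM_ENCRYPT_ON || active_by_default) ? info->sme_me_mask : 0;
}

/* Supported / Enabled / Active, as the three states are defined above. */
enum sme_state classify_sme(const struct mem_encrypt_info *info, uint64_t syscfg,
                            uint64_t applied_mask)
{
    if (!info->sme_supported)
        return SME_UNSUPPORTED;
    if (!(syscfg & SYSCFG_MEM_ENCRYPT))
        return SME_SUPPORTED;
    return applied_mask ? SME_ACTIVE : SME_ENABLED;
}

/* One-call scenario: decode CPUID, parse the command line, decide, classify. */
enum sme_state scenario_state(uint32_t eax, uint32_t ebx, uint64_t syscfg,
                              bool active_by_default, const char *cmdline)
{
    struct mem_encrypt_info info = decode_cpuid_8000001f(eax, ebx);
    uint64_t mask = decide_sme_mask(&info, syscfg, active_by_default,
                                    parse_mem_encrypt(cmdline));
    return classify_sme(&info, syscfg, mask);
}

/* SEV is active when CPUID reports SEV and MSR_AMD64_SEV bit 0 is set. */
bool sev_active(uint32_t cpuid_eax, uint64_t sev_msr)
{
    return (cpuid_eax & CPUID_8000001F_EAX_SEV) && (sev_msr & SEV_MSR_ACTIVE);
}

int main(void)
{
    static const char *names[] = { "unsupported", "supported", "enabled", "active" };
    /* Constructed: SME+SEV supported, C-bit 47, 5 physical address bits lost. */
    uint32_t eax = 0x3, ebx = (5u << 6) | 47;
    struct mem_encrypt_info info = decode_cpuid_8000001f(eax, ebx);

    printf("C-bit %u, %u address bits lost, SME %s\n", info.cbit_pos,
           info.phys_addr_reduction,
           names[scenario_state(eax, ebx, SYSCFG_MEM_ENCRYPT, false,
                                "root=/dev/sda1 mem_encrypt=on quiet")]);
    return 0;
}
```

The ordering in `decide_sme_mask` mirrors the text: a missing SYSCFG bit 23 wins over both the build-time default and mem_encrypt=on, so a kernel that reports "supported" but never "active" on a given machine is usually a firmware setting, not a kernel configuration problem.
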