From: Tom Lendacky
Subject: [RFC PATCH v3 01/20] x86: Documentation for AMD Secure Memory Encryption (SME)
CC: Rik van Riel, Radim Krčmář, Arnd Bergmann, Jonathan Corbet, Matt Fleming, Joerg Roedel, Konrad Rzeszutek Wilk, Paolo Bonzini, Larry Woodman, Ingo Molnar, Borislav Petkov, Andy Lutomirski, H. Peter Anvin, Andrey Ryabinin, Alexander Potapenko, Thomas Gleixner, Dmitry Vyukov
Date: Wed, 9 Nov 2016 18:34:39 -0600
Message-ID: <20161110003439.3280.82634.stgit@tlendack-t1.amdoffice.net>
In-Reply-To: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
References: <20161110003426.3280.2999.stgit@tlendack-t1.amdoffice.net>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature.

Signed-off-by: Tom Lendacky
--- Documentation/kernel-parameters.txt | 5 +++ Documentation/x86/amd-memory-encryption.txt | 40 +++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 Documentation/x86/amd-memory-encryption.txt diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 030e9e9..4c730b0 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2282,6 +2282,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. memory contents and reserves bad memory regions that are detected. + mem_encrypt= [X86-64] Enable AMD Secure Memory Encryption (SME) + Memory encryption is disabled by default, using this + switch, memory encryption can be enabled. + on: enable memory encryption + meye.*= [HW] Set MotionEye Camera parameters See Documentation/video4linux/meye.txt. 
diff --git a/Documentation/x86/amd-memory-encryption.txt b/Documentation/x86/amd-memory-encryption.txt new file mode 100644 index 0000000..788d871 --- /dev/null +++ b/Documentation/x86/amd-memory-encryption.txt 
@@ -0,0 +1,40 @@ +Secure Memory Encryption (SME) is a feature found on AMD processors. + +SME provides the ability to mark individual pages of memory as encrypted using +the standard x86 page tables. A page that is marked encrypted will be +automatically decrypted when read from DRAM and encrypted when written to +DRAM. SME can therefore be used to protect the contents of DRAM from physical +attacks on the system. + +A page is encrypted when a page table entry has the encryption bit set (see +below how to determine the position of the bit). The encryption bit can be +specified in the cr3 register, allowing the PGD table to be encrypted. Each +successive level of page tables can also be encrypted. + +Support for SME can be determined through the CPUID instruction. The CPUID +function 0x8000001f reports information related to SME: + + 0x8000001f[eax]: + Bit[0] indicates support for SME + 0x8000001f[ebx]: + Bit[5:0] pagetable bit number used to enable memory encryption + Bit[11:6] reduction in physical address space, in bits, when + memory encryption is enabled (this only affects system + physical addresses, not guest physical addresses) + +If support for SME is present, MSR 0xc00100010 (SYS_CFG) can be used to +determine if SME is enabled and/or to enable memory encryption: + + 0xc0010010: + Bit[23] 0 = memory encryption features are disabled + 1 = memory encryption features are enabled + +Linux relies on BIOS to set this bit if BIOS has determined that the reduction +in the physical address space as a result of enabling memory encryption (see +CPUID information above) will not conflict with the address space resource +requirements for the system. If this bit is not set upon Linux startup then +Linux itself will not set it and memory encryption will not be possible. + +SME support is configurable through the AMD_MEM_ENCRYPT config option. +Additionally, the mem_encrypt=on command line parameter is required to activate +memory encryption.
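Review bot: In the Documentation/kernel-parameters.txt hunk, the new mem_encrypt= entry documents only the value "on" and gives no pointer to the fuller description, although the meye.*= entry right below it ends with a "See Documentation/..." line. Please add "See Documentation/x86/amd-memory-encryption.txt." to the entry and split the comma-spliced sentence ("Memory encryption is disabled by default, using this switch, memory encryption can be enabled."). Since the new file states that Linux will not set SYS_CFG bit 23 itself and that AMD_MEM_ENCRYPT must be configured, it would also help to say here that mem_encrypt=on has an effect only when both conditions hold, so an administrator does not assume the parameter alone guarantees encrypted memory.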
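Review bot: In the Documentation/x86/amd-memory-encryption.txt hunk, the SYS_CFG MSR is written as 0xc00100010 in the sentence "If support for SME is present, MSR 0xc00100010 (SYS_CFG) can be used ..." but as 0xc0010010 in the bit table directly below it; the first form has an extra digit and the two need to agree. The same sentence says the MSR can be used "to enable memory encryption", while the next paragraph says Linux will not set the bit if BIOS has not, so it is worth wording the first statement so that it does not read as something the kernel does. The file would also benefit from one sentence stating how a page whose page table entry has the encryption bit clear is treated, because the text currently describes only the set case.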