Date: Wed, 15 Aug 2018 09:48:12 +0200
From: Pavel Machek
To: "Kirill A. Shutemov"
Cc: Ingo Molnar, x86@kernel.org, Thomas Gleixner, "H. Peter Anvin", Tom Lendacky, Dave Hansen, Kai Huang, Jacob Pan, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCHv5 19/19] x86: Introduce CONFIG_X86_INTEL_MKTME
Message-ID: <20180815074812.GB28093@xo-6d-61-c0.localdomain>
References: <20180717112029.42378-1-kirill.shutemov@linux.intel.com> <20180717112029.42378-20-kirill.shutemov@linux.intel.com>
In-Reply-To: <20180717112029.42378-20-kirill.shutemov@linux.intel.com>

Hi!

> Add new config option to enable/disable Multi-Key Total Memory
> Encryption support.
>
> MKTME uses MEMORY_PHYSICAL_PADDING to reserve enough space in per-KeyID
> direct mappings for memory hotplug.
>
> Signed-off-by: Kirill A. Shutemov
> ---
>  arch/x86/Kconfig | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index b6f1785c2176..023a22568c06 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1523,6 +1523,23 @@ config ARCH_USE_MEMREMAP_PROT > def_bool y > depends on AMD_MEM_ENCRYPT > > +config X86_INTEL_MKTME > + bool "Intel Multi-Key Total Memory Encryption" > + select DYNAMIC_PHYSICAL_MASK > + select PAGE_EXTENSION > + depends on X86_64 && CPU_SUP_INTEL > + ---help--- > + Say yes to enable support for Multi-Key Total Memory Encryption. > + This requires an Intel processor that has support of the feature. > + > + Multikey Total Memory Encryption (MKTME) is a technology that allows > + transparent memory encryption in upcoming Intel platforms. > + > + MKTME is built on top of TME. TME allows encryption of the entirety > + of system memory using a single key. MKTME allows having multiple > + encryption domains, each having own key -- different memory pages can > + be encrypted with different keys. > + > # Common NUMA Features > config NUMA > bool "Numa Memory Allocation and Scheduler Support" Would it be good to provide documentation, or link to documentation, explaining what security guarantees this is supposed to provide, and what disadvantages (if any) it has? I guess it costs a bit of performance... I see that TME helps with cold boot attacks. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
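Review bot: the help text under `config X86_INTEL_MKTME` says what MKTME is but not what enabling it guarantees or costs, and the dependency the commit message leans on is not visible in the hunk. The message says MKTME uses MEMORY_PHYSICAL_PADDING to reserve space in the per-KeyID direct mappings, yet the quoted hunk only does `select DYNAMIC_PHYSICAL_MASK` and `select PAGE_EXTENSION` and never mentions padding or its address-space consequence; the diffstat's one deletion also has no matching `-` line here, so the part of the patch that touches MEMORY_PHYSICAL_PADDING appears to have been trimmed from the quote and should be reviewed together with this hunk. Suggest the help text answer the question raised in the reply (which threat the encryption addresses, e.g. the cold-boot case mentioned there, and whatever direct-mapping address-space or performance cost the option carries), and that "This requires an Intel processor that has support of the feature." be tightened to "This requires an Intel processor that supports the feature."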