Date: Wed, 18 May 2022 22:23:01 +0200
From: Borislav Petkov
To: Dan Williams
Cc: Richard Hughes, Dave Hansen, Martin Fernandez, Linux Kernel Mailing List, linux-efi, platform-driver-x86@vger.kernel.org, Linux MM, "H. Peter Anvin", daniel.gutson@eclypsium.com, Darren Hart, Andy Shevchenko, Kees Cook, Andrew Morton, Ard Biesheuvel, Ingo Molnar, Thomas Gleixner, Dave Hansen, "Rafael J. Wysocki", X86 ML, "Schofield, Alison", alex.bazhaniuk@eclypsium.com, Greg KH, Mike Rapoport, Ben Widawsky, "Huang, Kai"
Subject: Re: [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do encryption
References: <6d90c832-af4a-7ed6-4f72-dae08bb69c37@intel.com> <47140A56-D3F8-4292-B355-5F92E3BA9F67@alien8.de> <6abea873-52a2-f506-b21b-4b567bee1874@intel.com> <4bc56567-e2ce-40ec-19ab-349c8de8d969@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 18, 2022 at 11:28:49AM -0700, Dan Williams wrote:
> On Wed, May 18, 2022 at 12:53 AM Borislav Petkov wrote:
> >
> > On Mon, May 16, 2022 at 09:39:06AM +0100, Richard Hughes wrote:
> > > This is still something consumers need; at the moment users have no
> > > idea if data is *actually* being encrypted.
> >
> > As it was already pointed out - that's in /proc/cpuinfo.
>
> For TME you still need to compare it against the EFI memory map as
> there are exclusion ranges for things like persistent memory. Given
> that persistent memory can be forced into volatile "System RAM"
> operation by various command line options and driver overrides, you
> need to at least trim the assumptions of what is encrypted to the
> default "conventional memory" conveyed by platform firmware / BIOS.

So SME/SEV also has some exceptions to which memory is encrypted and
which not. Doing device IO would be one example where you simply cannot
encrypt.

But that wasn't the original question - the original question is whether
memory encryption is enabled on the system.

Now, the nodes way of describing what is encrypted and what not is not
enough either when you want to determine whether an arbitrary
transaction is being done encrypted or not. You can do silly things such
as mapping a page decrypted even if the underlying hardware can do
encryption and every other page is encrypted, and still think that that
page is encrypted too. But that would be a lie.

So the whole problem space needs to be specified with a lot more detail
as to what exact information userspace is going to need and how we can
provide it to it.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette