1ff61f079SJonathan Corbet.. SPDX-License-Identifier: GPL-2.0 2ff61f079SJonathan Corbet 3ff61f079SJonathan Corbet===================== 4ff61f079SJonathan CorbetAMD Memory Encryption 5ff61f079SJonathan Corbet===================== 6ff61f079SJonathan Corbet 7ff61f079SJonathan CorbetSecure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are 8ff61f079SJonathan Corbetfeatures found on AMD processors. 9ff61f079SJonathan Corbet 10ff61f079SJonathan CorbetSME provides the ability to mark individual pages of memory as encrypted using 11ff61f079SJonathan Corbetthe standard x86 page tables. A page that is marked encrypted will be 12ff61f079SJonathan Corbetautomatically decrypted when read from DRAM and encrypted when written to 13ff61f079SJonathan CorbetDRAM. SME can therefore be used to protect the contents of DRAM from physical 14ff61f079SJonathan Corbetattacks on the system. 15ff61f079SJonathan Corbet 16ff61f079SJonathan CorbetSEV enables running encrypted virtual machines (VMs) in which the code and data 17ff61f079SJonathan Corbetof the guest VM are secured so that a decrypted version is available only 18ff61f079SJonathan Corbetwithin the VM itself. SEV guest VMs have the concept of private and shared 19ff61f079SJonathan Corbetmemory. Private memory is encrypted with the guest-specific key, while shared 20ff61f079SJonathan Corbetmemory may be encrypted with hypervisor key. When SME is enabled, the hypervisor 21ff61f079SJonathan Corbetkey is the same key which is used in SME. 22ff61f079SJonathan Corbet 23ff61f079SJonathan CorbetA page is encrypted when a page table entry has the encryption bit set (see 24ff61f079SJonathan Corbetbelow on how to determine its position). The encryption bit can also be 25ff61f079SJonathan Corbetspecified in the cr3 register, allowing the PGD table to be encrypted. Each 26ff61f079SJonathan Corbetsuccessive level of page tables can also be encrypted by setting the encryption 27ff61f079SJonathan Corbetbit in the page table entry that points to the next table. This allows the full 28ff61f079SJonathan Corbetpage table hierarchy to be encrypted. Note, this means that just because the 29ff61f079SJonathan Corbetencryption bit is set in cr3, doesn't imply the full hierarchy is encrypted. 30ff61f079SJonathan CorbetEach page table entry in the hierarchy needs to have the encryption bit set to 31ff61f079SJonathan Corbetachieve that. So, theoretically, you could have the encryption bit set in cr3 32ff61f079SJonathan Corbetso that the PGD is encrypted, but not set the encryption bit in the PGD entry 33ff61f079SJonathan Corbetfor a PUD which results in the PUD pointed to by that entry to not be 34ff61f079SJonathan Corbetencrypted. 35ff61f079SJonathan Corbet 36ff61f079SJonathan CorbetWhen SEV is enabled, instruction pages and guest page tables are always treated 37ff61f079SJonathan Corbetas private. All the DMA operations inside the guest must be performed on shared 38ff61f079SJonathan Corbetmemory. Since the memory encryption bit is controlled by the guest OS when it 39ff61f079SJonathan Corbetis operating in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware 40ff61f079SJonathan Corbetforces the memory encryption bit to 1. 41ff61f079SJonathan Corbet 42ff61f079SJonathan CorbetSupport for SME and SEV can be determined through the CPUID instruction. The 43ff61f079SJonathan CorbetCPUID function 0x8000001f reports information related to SME:: 44ff61f079SJonathan Corbet 45ff61f079SJonathan Corbet 0x8000001f[eax]: 46ff61f079SJonathan Corbet Bit[0] indicates support for SME 47ff61f079SJonathan Corbet Bit[1] indicates support for SEV 48ff61f079SJonathan Corbet 0x8000001f[ebx]: 49ff61f079SJonathan Corbet Bits[5:0] pagetable bit number used to activate memory 50ff61f079SJonathan Corbet encryption 51ff61f079SJonathan Corbet Bits[11:6] reduction in physical address space, in bits, when 52ff61f079SJonathan Corbet memory encryption is enabled (this only affects 53ff61f079SJonathan Corbet system physical addresses, not guest physical 54ff61f079SJonathan Corbet addresses) 55ff61f079SJonathan Corbet 56ff61f079SJonathan CorbetIf support for SME is present, MSR 0xc00100010 (MSR_AMD64_SYSCFG) can be used to 57ff61f079SJonathan Corbetdetermine if SME is enabled and/or to enable memory encryption:: 58ff61f079SJonathan Corbet 59ff61f079SJonathan Corbet 0xc0010010: 60ff61f079SJonathan Corbet Bit[23] 0 = memory encryption features are disabled 61ff61f079SJonathan Corbet 1 = memory encryption features are enabled 62ff61f079SJonathan Corbet 63ff61f079SJonathan CorbetIf SEV is supported, MSR 0xc0010131 (MSR_AMD64_SEV) can be used to determine if 64ff61f079SJonathan CorbetSEV is active:: 65ff61f079SJonathan Corbet 66ff61f079SJonathan Corbet 0xc0010131: 67ff61f079SJonathan Corbet Bit[0] 0 = memory encryption is not active 68ff61f079SJonathan Corbet 1 = memory encryption is active 69ff61f079SJonathan Corbet 70ff61f079SJonathan CorbetLinux relies on BIOS to set this bit if BIOS has determined that the reduction 71ff61f079SJonathan Corbetin the physical address space as a result of enabling memory encryption (see 72ff61f079SJonathan CorbetCPUID information above) will not conflict with the address space resource 73ff61f079SJonathan Corbetrequirements for the system. If this bit is not set upon Linux startup then 74ff61f079SJonathan CorbetLinux itself will not set it and memory encryption will not be possible. 75ff61f079SJonathan Corbet 76ff61f079SJonathan CorbetThe state of SME in the Linux kernel can be documented as follows: 77ff61f079SJonathan Corbet 78ff61f079SJonathan Corbet - Supported: 79ff61f079SJonathan Corbet The CPU supports SME (determined through CPUID instruction). 80ff61f079SJonathan Corbet 81ff61f079SJonathan Corbet - Enabled: 82ff61f079SJonathan Corbet Supported and bit 23 of MSR_AMD64_SYSCFG is set. 83ff61f079SJonathan Corbet 84ff61f079SJonathan Corbet - Active: 85ff61f079SJonathan Corbet Supported, Enabled and the Linux kernel is actively applying 86ff61f079SJonathan Corbet the encryption bit to page table entries (the SME mask in the 87ff61f079SJonathan Corbet kernel is non-zero). 88ff61f079SJonathan Corbet 89ff61f079SJonathan CorbetSME can also be enabled and activated in the BIOS. If SME is enabled and 90*ecd16da3SBorislav Petkov (AMD)activated in the BIOS, then all memory accesses will be encrypted and it 91*ecd16da3SBorislav Petkov (AMD)will not be necessary to activate the Linux memory encryption support. 92*ecd16da3SBorislav Petkov (AMD) 93*ecd16da3SBorislav Petkov (AMD)If the BIOS merely enables SME (sets bit 23 of the MSR_AMD64_SYSCFG), 94*ecd16da3SBorislav Petkov (AMD)then memory encryption can be enabled by supplying mem_encrypt=on on the 95*ecd16da3SBorislav Petkov (AMD)kernel command line. However, if BIOS does not enable SME, then Linux 96*ecd16da3SBorislav Petkov (AMD)will not be able to activate memory encryption, even if configured to do 97*ecd16da3SBorislav Petkov (AMD)so by default or the mem_encrypt=on command line parameter is specified. 98ff61f079SJonathan Corbet 99ff61f079SJonathan CorbetSecure Nested Paging (SNP) 100ff61f079SJonathan Corbet========================== 101ff61f079SJonathan Corbet 102ff61f079SJonathan CorbetSEV-SNP introduces new features (SEV_FEATURES[1:63]) which can be enabled 103ff61f079SJonathan Corbetby the hypervisor for security enhancements. Some of these features need 104ff61f079SJonathan Corbetguest side implementation to function correctly. The below table lists the 105ff61f079SJonathan Corbetexpected guest behavior with various possible scenarios of guest/hypervisor 106ff61f079SJonathan CorbetSNP feature support. 107ff61f079SJonathan Corbet 108ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 109ff61f079SJonathan Corbet| Feature Enabled | Guest needs | Guest has | Guest boot | 110ff61f079SJonathan Corbet| by the HV | implementation| implementation| behaviour | 111ff61f079SJonathan Corbet+=================+===============+===============+==================+ 112ff61f079SJonathan Corbet| No | No | No | Boot | 113ff61f079SJonathan Corbet| | | | | 114ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 115ff61f079SJonathan Corbet| No | Yes | No | Boot | 116ff61f079SJonathan Corbet| | | | | 117ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 118ff61f079SJonathan Corbet| No | Yes | Yes | Boot | 119ff61f079SJonathan Corbet| | | | | 120ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 121ff61f079SJonathan Corbet| Yes | No | No | Boot with | 122ff61f079SJonathan Corbet| | | | feature enabled | 123ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 124ff61f079SJonathan Corbet| Yes | Yes | No | Graceful boot | 125ff61f079SJonathan Corbet| | | | failure | 126ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 127ff61f079SJonathan Corbet| Yes | Yes | Yes | Boot with | 128ff61f079SJonathan Corbet| | | | feature enabled | 129ff61f079SJonathan Corbet+-----------------+---------------+---------------+------------------+ 130ff61f079SJonathan Corbet 131ff61f079SJonathan CorbetMore details in AMD64 APM[1] Vol 2: 15.34.10 SEV_STATUS MSR 132ff61f079SJonathan Corbet 133ff61f079SJonathan Corbet[1] https://www.amd.com/system/files/TechDocs/40332.pdf 134