Re: SEV guest regression in 4.18

On 24/08/2018 17:41, Brijesh Singh wrote:
>>>
>>> Wouldn't that result in exposing/leaking whatever code/data happened
>>> to reside on the same 2M page (or corrupting it if the entire page
>>> isn't decrypted)?  Or are you suggesting that we'd also leave the
>>> encrypted mapping intact?
>>
>> Yes, exactly the latter, because...
> 
> 
> Hardware does not enforce coherency between the encrypted and
> unencrypted mapping for the same physical page. So, creating
> two mappings of the same physical address will lead to possible data
> corruption.
> 
> Note, SME creates two mappings of the same physical address to perform
> in-place encryption of kernel and initrd images; this is a special case
> and APM documents steps on how to do this.

Ah, so that's what I was thinking about.  But a single cache line would
never be used both encrypted and unencrypted, would it?

Paolo