Re: [PATCH 0/5] x86: Show in sysfs if a memory node is able to do encryption

On Fri, 2021-11-05 at 18:27 -0300, Martin Fernandez wrote:
> Show for each node if every memory descriptor in that node has the
> EFI_MEMORY_CPU_CRYPTO attribute.

The problem I have with EFI_MEMORY_CPU_CRYPTO is that it is vague what
memory encryption technology is deployed and does not tell you anything
about whether it is in effect or not.

If this is just for basic inventory for determining if one platform
might be more secure than another then maybe it is ok, but I don't know
how well this will dovetail with CXL that can dynamically define memory
ranges. To date I've only seen a specification for CXL Link encryption,
data at rest encryption for CXL PMEM. I imagine one day it will gain
encryption capabilities, but that won't be something the platform
firmware will always be involved in establishing.

> 
> fwupd project plans to use it as part of a check to see if the users
> have properly configured memory hardware encryption capabilities. It's
> planned to make it part of a specification that can be passed to
> people purchasing hardware. It's called Host Security ID:
> https://fwupd.github.io/libfwupdplugin/hsi.html
> 
> This also can be useful in the future if NUMA decides to prioritize
> nodes that are able to do encryption.

I'd feel better if this were one step indirected from the raw EFI
attribute and let architectures indicate whether traffic going over the
memory bus (DDR / DDR-T / CXL etc) is known to be encrypted or not.
EFI_MEMORY_CPU_CRYPTO does not communicate that property.

> 
> Martin Fernandez (5):
>   Extend memblock to support memory encryption
>   Extend pg_data_t to hold information about memory encryption
>   Extend e820_table to hold information about memory encryption
>   Mark e820_entries as crypto capable from EFI memmap
>   Show in sysfs if a memory node is able to do encryption
> 
>  Documentation/ABI/testing/sysfs-devices-node |  10 ++
>  arch/x86/include/asm/e820/api.h              |   2 +
>  arch/x86/include/asm/e820/types.h            |   1 +
>  arch/x86/kernel/e820.c                       |  32 +++++-
>  arch/x86/platform/efi/efi.c                  | 109 +++++++++++++++++++
>  drivers/base/node.c                          |  10 ++
>  include/linux/memblock.h                     |   6 +
>  include/linux/mmzone.h                       |   2 +
>  mm/memblock.c                                |  74 +++++++++++++
>  mm/page_alloc.c                              |   1 +
>  10 files changed, 245 insertions(+), 2 deletions(-)
>  create mode 100644 Documentation/ABI/testing/sysfs-devices-node
> 
> 
> base-commit: 3906fe9bb7f1a2c8667ae54e967dc8690824f4ea
> --
> 2.30.2
> 