On Wed, 2016-11-09 at 18:36 -0600, Tom Lendacky wrote: > Boot data (such as EFI related data) is not encrypted when the system > is booted and needs to be accessed unencrypted. Add support to apply > the proper attributes to the EFI page tables and to the > early_memremap and memremap APIs to identify the type of data being > accessed so that the proper encryption attribute can be applied. : > +static bool memremap_apply_encryption(resource_size_t phys_addr, > + unsigned long size) > +{ > + /* SME is not active, just return true */ > + if (!sme_me_mask) > + return true; > + > + /* Check if the address is part of the setup data */ > + if (memremap_setup_data(phys_addr, size)) > + return false; > + > + /* Check if the address is part of EFI boot/runtime data */ > + switch (efi_mem_type(phys_addr)) { > + case EFI_BOOT_SERVICES_DATA: > + case EFI_RUNTIME_SERVICES_DATA: > + return false; > + } > + > + /* Check if the address is outside kernel usable area */ > + switch (e820_get_entry_type(phys_addr, phys_addr + size - > 1)) { > + case E820_RESERVED: > + case E820_ACPI: > + case E820_NVS: > + case E820_UNUSABLE: > + return false; > + } > + > + return true; > +} Are you supporting encryption for E820_PMEM ranges? If so, this encryption will persist across a reboot and does not need to be encrypted again, right? Also, how do you keep a same key across a reboot? Thanks, -Toshi��.n������g����a����&ޖ)���)��h���&������梷�����Ǟ�m������)������^�����������v���O��zf������