Hi guys,

I've been working on a patch [1] to show in sysfs the status of the memory encryption. One of the parts involved in reporting the status is that the platform is capable of doing encryption. In this case I focused on x86 EFI systems, where this is reported as a flag in the EFI memory map: EFI_MEMORY_CPU_CRYPTO.

From the UEFI spec: The memory region is capable of being protected with CPU's capabilities if and only if the flag is set.

After some discussion we decided that it would be nice to show if this flag is set per memory node, i.e., add a new file in the nodeX directory where it will have a 1 if all the memory in that node is able to do encryption (has the flag for x86 EFI systems) or 0 otherwise.

The idea is to determine, in conjunction with checking that the CPU is actually able to do encryption (checking that TME/MKTME is enabled for example), that a system is actively encrypting its memory.

Currently fwupd is looking for something like this, in order to do some security checks at boot time (more details on the use case on [1]). More discussion on [2].

Please provide feedback on how this could be improved or new use cases that could come up.

Thank you.
Martin.

[1] https://lore.kernel.org/linux-efi/20220704135833.1496303-1-martin.fernandez@xxxxxxxxxxxxx/
[2] https://lore.kernel.org/all/20200618210215.23602-1-daniel.gutson@xxxxxxxxxxxxx/
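
The per-node rule described in the message above (1 only if all memory in the node carries EFI_MEMORY_CPU_CRYPTO), shown as an added userspace illustration that is not code from the patch. The struct names, the sample memory map and node ranges are constructed, and reporting 0 for a node with no memory is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EFI_MEMORY_WB         0x8ULL      /* UEFI attribute: write-back cacheable */
#define EFI_MEMORY_CPU_CRYPTO 0x80000ULL  /* UEFI attribute: CPU crypto capable */

struct mem_region { uint64_t start, end, attr; };    /* [start, end) */
struct node_range { int nid; uint64_t start, end; }; /* [start, end) */

/* Constructed sample data, not taken from a real machine. */
static const struct mem_region sample_map[] = {
    { 0x000000000ULL, 0x080000000ULL, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO },
    { 0x080000000ULL, 0x140000000ULL, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO },
    { 0x140000000ULL, 0x200000000ULL, EFI_MEMORY_WB },  /* flag missing */
};
static const struct node_range sample_nodes[] = {
    { 0, 0x000000000ULL, 0x100000000ULL },  /* only flagged regions */
    { 1, 0x100000000ULL, 0x200000000ULL },  /* mixes flagged and unflagged */
    { 2, 0x200000000ULL, 0x280000000ULL },  /* no memory-map entry at all */
};
#define SAMPLE_MAP_LEN (sizeof(sample_map) / sizeof(sample_map[0]))

/*
 * 1 only if the node overlaps at least one region and every overlapping
 * region has EFI_MEMORY_CPU_CRYPTO set; 0 otherwise. Reporting 0 for a
 * node with no memory is an assumption of this example.
 */
int node_crypto_capable(const struct node_range *n,
                        const struct mem_region *map, size_t count)
{
    int seen = 0;
    for (size_t i = 0; i < count; i++) {
        if (map[i].end <= n->start || map[i].start >= n->end)
            continue;               /* region does not touch this node */
        if (!(map[i].attr & EFI_MEMORY_CPU_CRYPTO))
            return 0;               /* one unflagged region is enough */
        seen = 1;
    }
    return seen;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(sample_nodes) / sizeof(sample_nodes[0]); i++)
        printf("node%d: %d\n", sample_nodes[i].nid,
               node_crypto_capable(&sample_nodes[i], sample_map, SAMPLE_MAP_LEN));
    return 0;
}
```

The second region straddles the boundary between node 0 and node 1, so it counts toward both; node 1 still reports 0 because its other region lacks the flag.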