On Thu, Oct 13, 2022 at 06:00:58PM -0300, Martin Fernandez wrote:
> That's bad, because it would be nice if that attribute only depended
> on the hardware and not on some setting.
Why would that be bad?
You want to be able to disable encryption for whatever reason sometimes.
> The plan of this patch was, as you mentioned just to report
> EFI_MEMORY_CPU_CRYPTO in a per node level.
>
> Now, I think I will need to check for tme/sme and only if those are
> active then show the file in sysfs, otherwise not show it at all,
> because it would be misleading. Any other idea?
Well, I still think this is not going to work in all cases. SME/TME can
be enabled but the kernel can go - and for whatever reason - map a bunch
of memory unencrypted.
So I don't know what the goal of this fwupd checking whether users have
configured memory encryption properly is. It might end up giving that
false sense of security...
> You mean that EFI_MEMORY_CPU_CRYPTO means nothing on an AMD system?
I mean, you still can disable memory encryption.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
