On 10/28/21 11:10 AM, Borislav Petkov wrote:
>> and even if it is activated you will need to be sure that you are
>> storing your data in a region flagged with this new attribute.
> Can you have a system where some of the memory is crypto-capable and
> some of it is not? I've never heard about such a system. At least, on
> AMD SME, all your memory gets encrypted...

Yes, unfortunately. As an example, an Intel system with TME support
will *not* encrypt data going to Optane (aka. pmem). That pmem might be
online and being used by the kernel as normal RAM with my fancy "kmem"
DAX driver.

CXL devices will have normal RAM on them, be exposed as "System RAM" and
they won't have encryption capabilities. I think these devices were
probably the main motivation for EFI_MEMORY_CPU_CRYPTO.