On Fri, 2021-11-05 at 18:27 -0300, Martin Fernandez wrote:
> Show for each node if every memory descriptor in that node has the
> EFI_MEMORY_CPU_CRYPTO attribute.

The problem I have with EFI_MEMORY_CPU_CRYPTO is that it is vague what
memory encryption technology is deployed and does not tell you anything
about whether it is in effect or not. If this is just for basic inventory
for determining if one platform might be more secure than another then
maybe it is ok, but I don't know how well this will dovetail with CXL
that can dynamically define memory ranges. To date I've only seen a
specification for CXL Link encryption, data at rest encryption for CXL
PMEM. I imagine one day it will gain encryption capabilities, but that
won't be something the platform firmware will always be involved in
establishing.

>
> fwupd project plans to use it as part of a check to see if the users
> have properly configured memory hardware encryption capabilities. It's
> planned to make it part of a specification that can be passed to
> people purchasing hardware. It's called Host Security ID:
> https://fwupd.github.io/libfwupdplugin/hsi.html
>
> This also can be useful in the future if NUMA decides to prioritize
> nodes that are able to do encryption.

I'd feel better if this was one step indirected from the raw EFI
attribute and let architectures indicate whether traffic going over the
memory bus (DDR / DDR-T / CXL etc) is known to be encrypted or not.
EFI_MEMORY_CPU_CRYPTO does not communicate that property.
>
> Martin Fernandez (5):
>   Extend memblock to support memory encryption
>   Extend pg_data_t to hold information about memory encryption
>   Extend e820_table to hold information about memory encryption
>   Mark e820_entries as crypto capable from EFI memmap
>   Show in sysfs if a memory node is able to do encryption
>
>  Documentation/ABI/testing/sysfs-devices-node |  10 ++
>  arch/x86/include/asm/e820/api.h              |   2 +
>  arch/x86/include/asm/e820/types.h            |   1 +
>  arch/x86/kernel/e820.c                       |  32 +++++-
>  arch/x86/platform/efi/efi.c                  | 109 +++++++++++++++++++
>  drivers/base/node.c                          |  10 ++
>  include/linux/memblock.h                     |   6 +
>  include/linux/mmzone.h                       |   2 +
>  mm/memblock.c                                |  74 +++++++++++++
>  mm/page_alloc.c                              |   1 +
>  10 files changed, 245 insertions(+), 2 deletions(-)
>  create mode 100644 Documentation/ABI/testing/sysfs-devices-node
>
>
> base-commit: 3906fe9bb7f1a2c8667ae54e967dc8690824f4ea
> --
> 2.30.2
>
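The check the cover letter describes (a node counts as crypto-capable only when every EFI memory descriptor overlapping it carries EFI_MEMORY_CPU_CRYPTO) and the caveat raised in the reply (the bit is a capability flag, not evidence that encryption is in effect) can be illustrated with a small model. The following is an added example written for this thread; it is not code from the patch series or from the kernel. It assumes the UEFI attribute value EFI_MEMORY_CPU_CRYPTO = 0x80000, 4 KiB EFI pages, and a constructed memory map and node layout; overlap-based membership of descriptors in nodes is a simplification of what memblock/e820 actually does.

```python
"""Added example: per-node EFI_MEMORY_CPU_CRYPTO coverage check.

Models the sysfs check proposed in the series: a NUMA node is reported
as crypto capable only if *all* EFI memory descriptors that fall inside
the node carry EFI_MEMORY_CPU_CRYPTO.  The result is deliberately named
"capable" because, as noted in the reply, the attribute says nothing
about whether any encryption engine is actually enabled.
"""
from dataclasses import dataclass
from typing import Dict, List

EFI_MEMORY_WB = 0x0000000000000008          # write-back cacheable (UEFI spec)
EFI_MEMORY_CPU_CRYPTO = 0x0000000000080000  # UEFI 2.8 memory attribute bit (assumed value)
EFI_PAGE_SIZE = 4096                        # EFI memory descriptors count 4 KiB pages


@dataclass(frozen=True)
class EfiMemDesc:
    """One EFI_MEMORY_DESCRIPTOR: physical start, page count, attribute mask."""
    phys_start: int
    num_pages: int
    attribute: int

    @property
    def phys_end(self) -> int:
        """Exclusive end address of the descriptor."""
        return self.phys_start + self.num_pages * EFI_PAGE_SIZE


@dataclass(frozen=True)
class NumaNode:
    """Physical address window [start, end) owned by NUMA node `nid`."""
    nid: int
    start: int
    end: int


def descriptors_in_node(memmap: List[EfiMemDesc], node: NumaNode) -> List[EfiMemDesc]:
    """Return every descriptor that overlaps the node's address window."""
    return [d for d in memmap if d.phys_start < node.end and d.phys_end > node.start]


def node_crypto_capable(memmap: List[EfiMemDesc], node: NumaNode) -> bool:
    """True only if the node has memory and all of it is flagged CPU_CRYPTO.

    A node with no descriptors (e.g. a hot-plug / CXL window not described
    by firmware) is reported False: the firmware told us nothing, so the
    conservative answer is "not known to be capable".
    """
    descs = descriptors_in_node(memmap, node)
    if not descs:
        return False
    return all(d.attribute & EFI_MEMORY_CPU_CRYPTO for d in descs)


def crypto_capable_by_node(memmap: List[EfiMemDesc], nodes: List[NumaNode]) -> Dict[int, bool]:
    """Per-node view, shaped like what a sysfs attribute would expose."""
    return {n.nid: node_crypto_capable(memmap, n) for n in nodes}


# Constructed sample data (not from any real platform):
#   node 0: 1 GiB, every descriptor flagged CPU_CRYPTO        -> capable
#   node 1: 1 GiB, second half lacks the flag                 -> not capable
#   node 2: 1 GiB window with no EFI descriptors at all       -> not capable
MiB = 1 << 20
GiB = 1 << 30
SAMPLE_MEMMAP = [
    EfiMemDesc(0x0, MiB // EFI_PAGE_SIZE, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO),
    EfiMemDesc(MiB, (GiB - MiB) // EFI_PAGE_SIZE, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO),
    EfiMemDesc(GiB, (GiB // 2) // EFI_PAGE_SIZE, EFI_MEMORY_WB | EFI_MEMORY_CPU_CRYPTO),
    EfiMemDesc(GiB + GiB // 2, (GiB // 2) // EFI_PAGE_SIZE, EFI_MEMORY_WB),
]
SAMPLE_NODES = [
    NumaNode(0, 0x0, GiB),
    NumaNode(1, GiB, 2 * GiB),
    NumaNode(2, 2 * GiB, 3 * GiB),
]

if __name__ == "__main__":
    for nid, capable in sorted(crypto_capable_by_node(SAMPLE_MEMMAP, SAMPLE_NODES).items()):
        # "capable" is all the attribute can tell us; whether encryption is
        # active must come from the platform/architecture, not this bit.
        print(f"node{nid}: cpu_crypto_capable={int(capable)}")
```

The all-or-nothing rule is what makes a single descriptor without the flag (node 1 above) flip the whole node to false, which is the behaviour a buyer-facing inventory check like HSI would want; a consumer still has to treat a true result as "firmware says the hardware can", not "memory traffic is encrypted".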