From patchwork Tue Apr 18 21:16:25 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Lendacky X-Patchwork-Id: 9686335 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id D16B8602C2 for ; Tue, 18 Apr 2017 21:16:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C2C8B201BC for ; Tue, 18 Apr 2017 21:16:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B71D02582C; Tue, 18 Apr 2017 21:16:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 476A6201BC for ; Tue, 18 Apr 2017 21:16:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757437AbdDRVQl (ORCPT ); Tue, 18 Apr 2017 17:16:41 -0400 Received: from mail-sn1nam02on0056.outbound.protection.outlook.com ([104.47.36.56]:65072 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1757830AbdDRVQf (ORCPT ); Tue, 18 Apr 2017 17:16:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector1-amd-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=pTHkhcoKpenmcVFK8RCZjSlyJJUcVMdswarSr2JhSQk=; b=syJhQ5Cy46oG4NPiaPOX9aQhRlx1+ZVCVVl1dejty+Cj1U2E8sniveO5xC3I+7ND7gJ6Apkp1QM0TTRYsfTIzIwJxTPWLwxoc32eRtq5HHxNLNoeqglnPi6B2aXe+n7spVe32SgM97J/Xg2sNJHIkWEb2sWMbcYe5mDBcHzMztE= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none; vger.kernel.org; dmarc=none action=none header.from=amd.com; Received: from tlendack-t1.amdoffice.net (165.204.77.1) by DM5PR12MB1146.namprd12.prod.outlook.com (10.168.236.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1034.10; Tue, 18 Apr 2017 21:16:29 +0000 From: Tom Lendacky Subject: [PATCH v5 01/32] x86: Documentation for AMD Secure Memory Encryption (SME) To: , , , , , , , , , CC: Rik van Riel , Radim =?utf-8?b?S3LEjW3DocWZ?= , Toshimitsu Kani , Arnd Bergmann , Jonathan Corbet , Matt Fleming , "Michael S. Tsirkin" , Joerg Roedel , Konrad Rzeszutek Wilk , Paolo Bonzini , Larry Woodman , Brijesh Singh , Ingo Molnar , Borislav Petkov , Andy Lutomirski , "H. Peter Anvin" , Andrey Ryabinin , Alexander Potapenko , Dave Young , Thomas Gleixner , Dmitry Vyukov Date: Tue, 18 Apr 2017 16:16:25 -0500 Message-ID: <20170418211625.10190.52568.stgit@tlendack-t1.amdoffice.net> In-Reply-To: <20170418211612.10190.82788.stgit@tlendack-t1.amdoffice.net> References: <20170418211612.10190.82788.stgit@tlendack-t1.amdoffice.net> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: MWHPR17CA0056.namprd17.prod.outlook.com (10.173.106.146) To DM5PR12MB1146.namprd12.prod.outlook.com (10.168.236.141) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 02c45918-ec8b-4184-caaa-08d486a02fe9 X-MS-Office365-Filtering-HT: Tenant X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(201703131423075)(201703031133081); SRVR:DM5PR12MB1146; X-Microsoft-Exchange-Diagnostics: 1; DM5PR12MB1146; 3:KlJk/LF1fmZlT/n8EMWNLQUPJBeyab0x67NKIRfMEhKICGQL3SM2XrHfBNdTPlW7dDAaqMpTMQs70woQ9CV0SfEnNiyWuFB6XuUBrLeCs2tip+oHBl5dTD3qz5HX9PYh/F1gKO8EW9aY3yxvk0paWtEkgnEsF/GpuwCpOb986znAWARaaV6uN8Xpy2wyx/A8k6D/4ablbyPsJhFzckIiVpqvVxoEubne6S8rvkGxfoG152hBZyXT/L0pG1Y+jqI/ck9eeH8eeCt+6kSuZRGoFKmrwhqxYAOKjNZzuX2FcQuqyeGz2BMAErLvwVNCYJe7akbt4dS96eXqyeaRFA0Jo0+ZzsWbLwON5D07oEUqq6I=; 25:LXeJQ7FMqbrw2F8c6JDz2g6NHGy8Baqo+2l7qFvle9FNT7FIcfQf3dpZMcFjRjK2SfTaWcSz4GMTquSpNnzjsUdSGkiE0IDtauKBcsTqPo2hMgVg2Ezj3bP9ABhYlKAEwRcATfq69G/wjhUYGR9Mpo+hPIWYI3COsd3rFvjLm1qReD/3KV0d3OAmMBZhwdpXUNEVVSWUYcgIzG3fLccGm8cq1XpAfwhAztdVfJMAs4wHtifLSuxs6F5Y+kwYSeozgjXoKv34R/Elwf3ln+Z8wjbGY9+DjxzBQs2JUsIZRd+QeKRRII2/W0oFgXzwzmwh0JbEgw3e1S1rBgFlYmnIOrDh+UzejjA+pBFIDnXeJnR3XOcNriYNxrLYQcGnBbODr5I0i+kX5coS9UqqBKTR/zbH6RiCUab0EORKF7SXPQSebV4r8eh5z3oZJDJZcMEeUkfYFll9OYPm6EN8uOuFVg== X-Microsoft-Exchange-Diagnostics: 1; DM5PR12MB1146; 31:qlZMcXi/kY6FnCVxinw9CGn8fOB/bCtKvwZLhWDxTpr1hHo7XfpxrlWnEml9SfHjyp1RDWqmmbpkXJh5gQ76ds8Iw89mE++/qggc8uhnwXCJYQRJCD3T6zxiFzuGNXT9kp6VhrKovqhE77xmUaKsVkvpVCS20hydrcX2P18vR3NdQGkDajHrVNP1hHDpEmdhsYAw9tMRa4YfaOwS9qCkEY4Et7r6CGilGBmpqgYPF8BqlH7B6p3SQj3GN6wng8DN; 20:PHt4epKhnF2jlndG51Pdknuktr+vbj1CwlDD1RYdLByx0tbsuzT9TbPYXLN6U57OC3GruULK0LsENmHEKjufYmVUIo1U1KWkm8UKnFBEbQXoTUV8PvKt7aj/HfUQZBvJj0sJO3VHXoRK1deHp/z4JxM3+1eAAHc2ZZREqOX5w4viZFP4u3eZ4saRvKoW5pLGgOwbVm2prHcXvlOTgpiJEJhwFK1ulYDrS1mXtT//nknh6gSHGJ3bC/yn3PuydmXbwH5oHHLKDFTWuT9T1RCJqFLB/mkEYg35ErjGLSjhQrr1RMblsanB72DaR7yP6lQ/TPuiCKH6L04C+6QXQuuEWhnIXRRPd9XYuXf4fSrSjP8WV4pIvB1vq/SZuSiwQjFV85zvrZZyUq3DF2YCxUZRaTraqDItAY+XePlHQJXR7c6WA+7mFuZsMqGBzGOkLlGXhH62jF6aa0Iz8wbIiATJH82N5b8HvaM98EF2nw7WnPWN3lxrZ+bVn4NH7VCtM4hG X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(20558992708506)(767451399110); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(6055026)(6041248)(20161123560025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(20161123555025)(20161123562025)(6072148); SRVR:DM5PR12MB1146; BCL:0; PCL:0; RULEID:; SRVR:DM5PR12MB1146; X-Microsoft-Exchange-Diagnostics: 1; DM5PR12MB1146; 4:fpPi4134vWQ4p4EcY4ZWDvFG63/EQUPllT/L5nrRlf3mfy2oUOAKuGE8gRWpNXLPvem+27Bgb/moo7O4T+f7z3TrDoKsV9IsxwzfVgyApdaiwNyDEXRvXP6i3p3pu8xm4j0boXXOPUsswhXgzhNiJw89yvzhiPBQG8J0WCluWbz0VHZGXQXiCj/qTxt7CQJf8EiBkXbwRHPbfkCyEG/3HpkD5IFs+ypZJWXg7hYscnVl8OzFddUAQLBFvsf/lCMyrM3H+bXXEEhFmvJmqnQt2hWZEfZ9Bo6ij6hg5473PZ43YhcZizwEZrxDW2fdlTm0Pic8RAguQs2MCCb7PI6PEz2iKQ4v+3wCIBsJqoRu7Q8qFxw+BuJm0JeQx3kfeeF5cU3xQLtkTi2xR3rV0xhFx2ELLXAuk4gEAclfN2PNAyPdG1hjnxl0FJLuSgQFHDTsk6c7i16QduP+a+es2lc389kSKoJ6hl1HzLYzIQ4vU7zLwVkIETdQXYQ6Bg2yCAO6l8M030Sg/5qJWd2YDWHyNESXDuwvfMC3AKjtmEQtle7fz+LOXom6w4jC2gyOMKXz5xAJIZ3BIw3Zk/klhYf6DDxieL+PBY/MOQslLNeKjoZVIEksRZ6kAG9qiSQ8XXlQz9mQ0jPxoWSC0Y/mZlMuwpE1cQLs6oYjp5cb3c56NmvkaCe80KdCP6epZMVzhRK12y6HcP28rrzRo23vFXukM6e7J60f6ee2+YO0xzrjSF17xKBOBYsHlIIDmylj7RyzhU3DwKsaZS9Jb4I8QTJhTVIDvRf114nRlz+WepxToZSOr3D5SQtY5K0zduGzBHIJ X-Forefront-PRVS: 028166BF91 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4630300001)(6009001)(39410400002)(39450400003)(39860400002)(39400400002)(39840400002)(39850400002)(97746001)(23676002)(47776003)(2906002)(1076002)(7416002)(189998001)(9686003)(54906002)(6506006)(7736002)(305945005)(76176999)(2201001)(54356999)(55016002)(4001350100001)(53936002)(50986999)(86362001)(7406005)(66066001)(8676002)(3846002)(25786009)(50466002)(5660300001)(4326008)(6116002)(83506001)(6666003)(230700001)(2950100002)(81166006)(53416004)(103116003)(38730400002)(33646002)(42186005)(921003)(71626007)(1121003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR12MB1146; H:tlendack-t1.amdoffice.net; FPR:; SPF:None; MLV:sfv; LANG:en; X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtETTVQUjEyTUIxMTQ2OzIzOldRR0g5bkJxZlhiUlc5NXJjcVF1V0x5RDlm?= =?utf-8?B?Z0dqc0I2UU9CMVpjVmRzUEk0V2tXTXpheFJLd1Y3V1dNazZZVXhBREorNmZR?= =?utf-8?B?QmlPRENZb29ObkdWbVk1M1laRTJ2NEN1VURKSVJyRFNTRE9xTng3Mk56UkxN?= =?utf-8?B?STQ4SUFvTTg1ME9xTjQ3VFFmMU9BL0ZZYTJvK0M0MElaRzhFTHdOWFdmTzlH?= =?utf-8?B?djU5QkhFUkFFU2lnNURxL3V6enc5a1k2QVlNUTI2bmhNck5XRS80STV4UVIr?= =?utf-8?B?V2d4M0xJTmFBRnpmUFk3c1U1ckNKdGlmY3JsMTY2c05UcGR0YnAzaytxUnlr?= =?utf-8?B?VzY0RkNwRGFBUUMyaUZCR2dyMk1KTi9WRTNsUisyWWdOQXJrZk82d0NqbzUv?= =?utf-8?B?SlpLWmM1a0JqQ0o4OWhRNXYyM1ErNlRDZmV1ZTB6R0NZcFZpVjVYeHRPeWpo?= =?utf-8?B?am9XUVArUGk4R25qRitBNzBvUWF1dGoyakh4bTVEVmk4SzUzcTQzVHBuMFdV?= =?utf-8?B?NS8xVzdHc21TS3ZhUURwdXhTQnhWNnE5OHZBZkE1cFh0QWtRaXJDSW1zbWxE?= =?utf-8?B?WTY4dkxYMWRKYnFHL2dnRFYxUXZtV3ZCYi9QQTB2VFVOanBTT01LZU1idWJi?= =?utf-8?B?cEMyNjM5YXl6ZHQrWFZuZFZmOTg1R1RUWU9Dc2YyMEN0TklheXYwZmpieTJm?= =?utf-8?B?TWZ2YzZMV2pqMVorelR1UWQ0cDBIZXFEN1FTZFZhaUkxbUgwcmt3QUlqRzNk?= =?utf-8?B?N3liZ1UyNGtwUzd3ZzZNOXYyV2pZRXZHa0FQYkFKZVFYUDRza3FuMnBuSTUy?= =?utf-8?B?OWtLOXd5RHlIUTgxME94WWZQMk5JTis0Nm4wUm8zd1JkZ2FCeDA5MUFPMkJ6?= =?utf-8?B?cU1VUDU0cXVvRjQzNXUyLzFmUjZ2QVUwM0FpSmVqZ3Y2d0paUnhWTGg1TGV3?= =?utf-8?B?cWV3R0JMMW56T0RsUWJ3R1ZjZVo2bVN5N1Z4ZklHT2ZIYUVVaUZ5UXZoK2V6?= =?utf-8?B?ZVZRd2F0MXhndU92TDdBN290ZncyZFZtRVh2SVdIQzRvNEkrOW5JampkNEd6?= =?utf-8?B?QkZGWm16VFpwSXJvSjhaSWw4a0FieHZ2ZWloMzJmY0V6L29pZFVXaGNaVE8z?= =?utf-8?B?TWtzU3FwUkNFUDdxaDJ0elJLalRXUzFRS2RBTWFIb2xGYmdmK0x5VEd3T0dj?= =?utf-8?B?MjlkcUhSaUJObmJqS3F5QXcrckdYVUlvT04vbjNJQnVjeE5NVXpMNG9VTjMx?= =?utf-8?B?Ymk5S2loRncxMmNtRTFpcVUvazdQTjQzRDRqd20vT1N1ZFU3bWpVZXgxU0h3?= =?utf-8?B?ekQxdUxHMjNaNHFucCtKcEtXdE5hZmN3YTVpNVVibTlRWHVKTE41bVFZWmpK?= =?utf-8?B?ZjU5dzNyVUdsdlNndDdPemRlTGh6MVpLVVk5VXBRSlhWMjVxenBHMVk1TkhB?= =?utf-8?B?cnQ5dXpWcjhMTCtEWCsxVURzZlNqbkhtRldRbnhBZjB0UGlGZ3dIM0pUay9R?= =?utf-8?B?Y2swMWtLSXQ5SDJBcXIwT3NYM0lYWnZibHptblJVeTV4RVdnVk8wQjJFS0dP?= =?utf-8?B?Tk9FZjlEMkFQRnFKZFJDaXF5Y0gxSVZ0SzNEN29yeEhyNytCNGZrZ0crSmlw?= =?utf-8?B?ZmZ6L2FabmplQ0dERVVHY3NGQnpPOTJKaFNEOGlrM1A3WS9RQjBZcTNBPT0=?= X-Microsoft-Exchange-Diagnostics: 1; DM5PR12MB1146; 6:QhshbFLAEbm+spM6xXGH4UXIB+6djQwtOReeI5CUK2lvdgNCcMoI+HbbdikugMCx2hQTYlS66PNJgUP4bsLaB/4hh8aDW0vBGIwG9kUH0xQ+QcnXFmlRwFEsb9CSkpvo/bAlhYi0FljUi+fnMW3v0/GZC2VE+yGKzR2BQRhNXC0UEw7B85wQK9hnxcXN10YHdCs10CU50/ARLpMftNu/GAi97PvwluGP7fKxaCQadBHeyLbCE008rO51E5/0UXN5smrCfEBJn9Mu1q2zGREhN3kfaVdQxWIv6aE5p29M8c15KmiGrrR8OfCs7xA4PFVwsbdUdFOQqG4bGn/mzmmpHOzKDnsBegQ1Z/Lqa3HXvxnAvWcGe+jSU5x3216UhQGGU37+/JY1hPhRu3GKYFhLIFhZGeLTVpMetR9SOsxuk8+Rp21+/mXPJ8U6h2iwMebZwaJ37quRduDjzLv3Rl9lJm3K2c7/KPoIX1ZL0B7QslFh4VcBwf7FpB/ji3MlK28BhZK8lXSaUPRs9iLYxP6I1NcGv4jr2ThJkD3kxAAV+Nk=; 5:s9ZlfkoxbVZe+AylcZ8DeF+mftQ6FVlszfl3WeJJcVFWgT5TYaAg8efMyE+JWoBfUmBmei2fMvj9MGGoWVTyJJ6fqEJvWVdhgewVSzwaSqLGk69h7JqzAIBb+P0KSO5TlSj4YlHlyp9wJ0e9H3CLbw==; 24:T708BcUCQzK3aKEVPdNWsTDgvU2Cb0C1gw30rKzMeJ8ON8IE+UmnMwnR94cjcW+EDzBk8/tYuTRVrEiCV0AfmpTj/8qsVprSivfh0X82qYw= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; DM5PR12MB1146; 7:DiOQvFlnYgnwUGjNExk+LInIwmzibLRoYgi4aa3gxheS1D1FgtvBdY8sG/3EzHnVYfXakDEqZj5J1KOpk5fpr9OIlzFiILXDI/hkhCx1IdG+VvzaFrij+E0HcJFLUJbzh5l0vKdgNVIGtLgAmtDQrze5vHM15Outewv1Qy8Tno/4UHxMJAvRnT0m9o6tsfL3sgUpksvFcLDbbp/ePN9inOf6iqhJJeZNbpT2KBIizWaKhJNx2zvfKeEIQc++9cW7TlyVN0umvpbElmfKjhnm80lPZ35TETmFIkz+qBUikSiAqYXCIhVP4xS0vyZAr1WkuGJ2eGnxng4ZjVOKboU+sw==; 20:BVFRmRzcvxI7JXUGQfPrjADxgGl/U+nGKHjWnx3et6b6jcz3bHsZ9DEcw5iEIpUTjMO1D72MXdEOeMrExgz6jci2RweamiEfcMkPGYLSZ5RYwvtzD4aLvdkKStnn4/FfNz1LGTkbkq1NQDV/z+cDYc/pHWwvfDxWeN1SI5WcfnNIrOr5ZSFB9vmJB3IKDNbuR4zxs4b4TgH8Euuz7991rKk5uto+4dGgMOKVEtyVvymZW2yR+2OG9jkI/luS8oPP X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Apr 2017 21:16:29.2267 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR12MB1146 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Create a Documentation entry to describe the AMD Secure Memory Encryption (SME) feature and add documentation for the mem_encrypt= kernel parameter. Signed-off-by: Tom Lendacky Reviewed-by: Borislav Petkov --- Documentation/admin-guide/kernel-parameters.txt | 11 ++++ Documentation/x86/amd-memory-encryption.txt | 60 +++++++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 Documentation/x86/amd-memory-encryption.txt diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 3dd6d5d..84c5787 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2165,6 +2165,17 @@ memory contents and reserves bad memory regions that are detected. + mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control + Valid arguments: on, off + Default (depends on kernel configuration option): + on (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) + off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n) + mem_encrypt=on: Activate SME + mem_encrypt=off: Do not activate SME + + Refer to Documentation/x86/amd-memory-encryption.txt + for details on when memory encryption can be activated. + mem_sleep_default= [SUSPEND] Default system suspend mode: s2idle - Suspend-To-Idle shallow - Power-On Suspend or equivalent (if supported) diff --git a/Documentation/x86/amd-memory-encryption.txt b/Documentation/x86/amd-memory-encryption.txt new file mode 100644 index 0000000..0b72ff2 --- /dev/null +++ b/Documentation/x86/amd-memory-encryption.txt @@ -0,0 +1,60 @@ +Secure Memory Encryption (SME) is a feature found on AMD processors. + +SME provides the ability to mark individual pages of memory as encrypted using +the standard x86 page tables. A page that is marked encrypted will be +automatically decrypted when read from DRAM and encrypted when written to +DRAM. SME can therefore be used to protect the contents of DRAM from physical +attacks on the system. + +A page is encrypted when a page table entry has the encryption bit set (see +below on how to determine its position). The encryption bit can be specified +in the cr3 register, allowing the PGD table to be encrypted. Each successive +level of page tables can also be encrypted. + +Support for SME can be determined through the CPUID instruction. The CPUID +function 0x8000001f reports information related to SME: + + 0x8000001f[eax]: + Bit[0] indicates support for SME + 0x8000001f[ebx]: + Bits[5:0] pagetable bit number used to activate memory + encryption + Bits[11:6] reduction in physical address space, in bits, when + memory encryption is enabled (this only affects + system physical addresses, not guest physical + addresses) + +If support for SME is present, MSR 0xc00100010 (MSR_K8_SYSCFG) can be used to +determine if SME is enabled and/or to enable memory encryption: + + 0xc0010010: + Bit[23] 0 = memory encryption features are disabled + 1 = memory encryption features are enabled + +Linux relies on BIOS to set this bit if BIOS has determined that the reduction +in the physical address space as a result of enabling memory encryption (see +CPUID information above) will not conflict with the address space resource +requirements for the system. If this bit is not set upon Linux startup then +Linux itself will not set it and memory encryption will not be possible. + +The state of SME in the Linux kernel can be documented as follows: + - Supported: + The CPU supports SME (determined through CPUID instruction). + + - Enabled: + Supported and bit 23 of MSR_K8_SYSCFG is set. + + - Active: + Supported, Enabled and the Linux kernel is actively applying + the encryption bit to page table entries (the SME mask in the + kernel is non-zero). + +SME can also be enabled and activated in the BIOS. If SME is enabled and +activated in the BIOS, then all memory accesses will be encrypted and it will +not be necessary to activate the Linux memory encryption support. If the BIOS +merely enables SME (sets bit 23 of the MSR_K8_SYSCFG), then Linux can activate +memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or +by supplying mem_encrypt=on on the kernel command line. However, if BIOS does +not enable SME, then Linux will not be able to activate memory encryption, even +if configured to do so by default or the mem_encrypt=on command line parameter +is specified.