Hi there, does anyone have an opinion on AMD's "Secure Memory Encryption"? This transparently encrypts all/most RAM pages. Looking at some tech docs, this seems fairly easy to implement. I was wondering if someone has attempted that already, or knows of reasons why not to. Thanks, Johannes
> does anyone have an opinion on AMD's "Secure Memory Encryption"? This
> transparently encrypts all/most RAM pages.
> Looking at some tech docs, this seems fairly easy to implement.
> I was wondering if someone has attempted that already, or knows of
> reasons why not to.

Consider applications to rowhammer, cold boot attacks, shared hosting, VM, poison, etc... there are papers on some use cases. AMD SME has some different levels, with EPYC being full featured, TR and PRO differently, than even consumer CPUs last.

FreeBSD should also implement a sysctl that writes random to all memory (even over kernel) just before the halt / reboot call. Similar for unallocated upon sleep, upon alloc release, and as a background scrub. The user can already choose random upon alloc with malloc.conf, but that is different from the above.

Also: memtest86[+] integration.
On 10/01/2021 15:33, Johannes Totz wrote:
> Hi there,
>
> does anyone have an opinion on AMD's "Secure Memory Encryption"? This
> transparently encrypts all/most RAM pages.
> Looking at some tech docs, this seems fairly easy to implement.

I took a stab at it: https://reviews.freebsd.org/D28635

Doesn't work, haha. Anyone wanna take a look and let me know what I'm missing? I don't know how physical pages move around in the VM system. Thought I'd try to enable encryption for user-mode pages first. But that assumes those never transition to/from kernel-mode.

> I was wondering if someone has attempted that already, or knows of
> reasons why not to.
>
>
> Thanks,
>
> Johannes
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
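Since the thread turns on how "easy" SME is to wire up, here is an added example (not from the thread and not from the D28635 review) that decodes the CPUID leaf advertising SME and derives the C-bit a page-table entry must carry; the field layout follows AMD's published CPUID Fn8000_001F description, and the register values used in the comments and test are constructed.

```c
/* Added example: decode AMD SME capability bits and derive the PTE C-bit.
 * Field layout per AMD's CPUID Fn8000_001F documentation; sample values are
 * constructed. Encryption only takes effect once firmware/kernel sets
 * MemEncryptionModeEn (SYSCFG MSR bit 23); this code only inspects and
 * computes page-table bits. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SME_CPUID_LEAF 0x8000001FU

struct sme_info {
    bool     sme_supported;        /* EAX[0]: SME available            */
    bool     sev_supported;        /* EAX[1]: SEV available            */
    unsigned cbit_pos;             /* EBX[5:0]: C-bit position in PTE  */
    unsigned phys_addr_reduction;  /* EBX[11:6]: PA bits lost to C-bit */
    uint64_t cbit_mask;            /* 1 << cbit_pos, or 0 if no SME    */
};

/* Pure decoder over raw EAX/EBX of leaf 0x8000001F, so it is unit-testable. */
struct sme_info sme_decode(uint32_t eax, uint32_t ebx)
{
    struct sme_info i = {0};
    i.sme_supported = (eax & 1u) != 0;
    i.sev_supported = ((eax >> 1) & 1u) != 0;
    i.cbit_pos = ebx & 0x3Fu;
    i.phys_addr_reduction = (ebx >> 6) & 0x3Fu;
    i.cbit_mask = i.sme_supported ? (UINT64_C(1) << i.cbit_pos) : 0;
    return i;
}

/* Usable physical address width once the C-bit is reserved (e.g. 48 -> 43). */
unsigned sme_phys_bits(unsigned cpu_phys_bits, struct sme_info i)
{
    return i.sme_supported ? cpu_phys_bits - i.phys_addr_reduction : cpu_phys_bits;
}

/* Mark a PTE as encrypted. SME uses one key for all C-bit pages, so every
 * mapping of that frame (kernel direct map included) must carry the C-bit,
 * or the other mapping reads ciphertext. Unchanged when SME is unsupported. */
uint64_t pte_mark_encrypted(uint64_t pte, struct sme_info i)
{
    return pte | i.cbit_mask;
}

/* Query the running CPU; false off x86 or when the leaf is absent. */
bool sme_query(struct sme_info *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_max(0x80000000U, NULL) < SME_CPUID_LEAF)
        return false;
    __cpuid(SME_CPUID_LEAF, eax, ebx, ecx, edx);
    *out = sme_decode(eax, ebx);
    return true;
#else
    (void)out;
    return false;
#endif
}
```

Running `sme_query` on a machine without the leaf simply reports "no SME", which is the check a kernel should make before it ever touches the C-bit.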