[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

To: Ingo Molnar <mingo@xxxxxxxxxx>
From: Tom Lendacky <thomas.lendacky@xxxxxxx>
Date: Mon, 10 Jul 2017 13:04:11 -0500
Cc: linux-efi@xxxxxxxxxxxxxxx, Brijesh Singh <brijesh.singh@xxxxxxx>, Toshimitsu Kani <toshi.kani@xxxxxxx>, linux-doc@xxxxxxxxxxxxxxx, Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>, x86@xxxxxxxxxx, linux-mm@xxxxxxxxx, Radim Krčmář <rkrcmar@xxxxxxxxxx>, Alexander Potapenko <glider@xxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, Larry Woodman <lwoodman@xxxxxxxxxx>, linux-arch@xxxxxxxxxxxxxxx, kvm@xxxxxxxxxxxxxxx, Jonathan Corbet <corbet@xxxxxxx>, Joerg Roedel <joro@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, kasan-dev@xxxxxxxxxxxxxxxx, Ingo Molnar <mingo@xxxxxxxxxx>, Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>, Dave Young <dyoung@xxxxxxxxxx>, Rik van Riel <riel@xxxxxxxxxx>, Arnd Bergmann <arnd@xxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Dmitry Vyukov <dvyukov@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, kexec@xxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, iommu@xxxxxxxxxxxxxxxxxxxxxxxxxx, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Paolo Bonzini <pbonzini@xxxxxxxxxx>
Delivery-date: Mon, 10 Jul 2017 18:04:46 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99



On 7/8/2017 4:24 AM, Ingo Molnar wrote:


* Tom Lendacky <thomas.lendacky@xxxxxxx> wrote:

This patch series provides support for AMD's new Secure Memory Encryption (SME)
feature.


I'm wondering, what's the typical performance hit to DRAM access latency when 
SME
is enabled?


It's about an extra 10 cycles of DRAM latency when performing an
encryption or decryption operation.


On that same note, if the performance hit is noticeable I'd expect SME to not be
enabled in native kernels typically - but still it looks like a useful hardware


In some internal testing we've seen about 1.5% or less reduction in
performance. Of course it all depends on the workload: the number of
memory accesses, cache friendliness, etc.

feature. Since it's controlled at the page table level, have you considered
allowing SME-activated vmas via mmap(), even on kernels that are otherwise not
using encrypted DRAM?


That is definitely something to consider as an additional SME-related
feature and something I can look into after this.

Thanks,
Tom


One would think that putting encryption keys into such encrypted RAM regions 
would
generally improve robustness against various physical space attacks that want to
extract keys but don't have full control of the CPU.

Thanks,

        Ingo


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)
  - From: Tom Lendacky
- Re: [Xen-devel] [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)
  - From: Ingo Molnar

Prev by Date: [Xen-devel] [PATCH] x86/monitor: Notify monitor if an emulation fails.
Next by Date: Re: [Xen-devel] [PATCH] x86/monitor: Notify monitor if an emulation fails.
Previous by thread: Re: [Xen-devel] [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)
Next by thread: Re: [Xen-devel] [PATCH 13/17 v5] xen/arm: vpl011: Modify xenconsole to support multiple consoles
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.