Total Memory Encryption #175
Comments
|
We can add some references. Is it this one: https://www.intel.pl/content/www/pl/pl/architecture-and-technology/total-memory-encryption-security-paper.html ? |
|
coreboot enables TME by default. |
What does it mean — should it work in Dasharo without a problem then? It doesn't seem to right now. |
It means that coreboot tells FSP to enable TME by default. It should work with Dasharo.
How can you tell? |
|
Right at the start of boot process, after selecting GRUB menu option, first message in the log IIRC: |
|
Also on Arch Linux (July Archiso LiveCD): dmesg | grep tme x86/tme: enabled by BIOS I have no idea how it is supposed to work. |
|
It is just that Linux kernel is not yet prepared to support MKTME on ADL. This technology is too new and Linux does not keep up. For now on master branch Linux supports only AES XTS 128 encryption algorithm.
The above values say that ADL MKTME uses AES XTS 256 which Linux does not yet know of. FSP enables MKTME correctly, but it is not firmware fault that OS does not know how to use it... |
|
Maybe our Embedded Systems Team could think about use of MKTME. @TomaszAIR this feature is definitely useful for Windows, so question is what are the plans and where are the patches for using MKTME in Linux? |
|
Quick googling give me this: https://lwn.net/Articles/787852/ |
Quick look at this gives me: |
|
That's fine, but it is in interest of Intel to support that, so maybe there are some patches somewhere that support ADL. |
|
MKTME was supposedly to be used for VM encryption: However, I have no idea whatsover about whenever enabling TME in Firmware means that there is even a single thing that you can use it with, or if the feature itself can be considered orphaned. The fact than the Linux Kernel isn't fully aware of it is not promising, maybe Xen or QEMU-KVM are. No idea about Windows. Note than according to this: https://en.wikichip.org/wiki/x86/tme |
|
Wasn't TME supposed to provide just the protection of memory contents? It provides protection over attacks where you remove RAM from the PC and freeze it to retrieve encryption keys contained inside. With TME, it's not possible, as (IIRC) encryption key to the TME are stored in CPU cache. |
|
I beleive we should look at this and think how open version could look like. |
|
@pietrushnic I believe we are, but it's not actually supported on certain SKUs: #464 |
|
@pietrushnic I was expecting the issue to be closed after this comment: #175 (comment) but it is up to the issue creator to do this if he is satisfied with the results/answer |
|
@mkopec I guess if coreboot enables TME by default, then the only thing we can do is expose proof it really does, but that should happen through @macpijan WDYT? |
The problem you're addressing (if any)
Enable Total Memory Encryption on plaftforms that support it (e.g. TigerLake laptops)
Describe the solution you'd like
TME enabled by default where possible
Where is the value to a user, and who might that user be?
Better security in certain scenarios
Describe alternatives you've considered
n/a
Additional context
Certain enterprise laptops have this feature supported in the BIOS.
The text was updated successfully, but these errors were encountered: