On 6/19/20 7:09 AM, Richard Hughes wrote: > On Fri, 19 Jun 2020 at 14:58, Dave Hansen <dave.han...@intel.com> wrote: >>> Right, but for the most part you'd agree that a machine with >>> functioning TME and encrypted swap partition is more secure than a >>> machine without TME? >> >> Nope. There might be zero memory connected to the memory controller >> that supports TME. > > So you're saying that a machine with TME available and enabled is not > considered more secure than a machine without TME?
Yes, it is not necessarily more secure. > What I want to do is have a sliding scale of TME not available < TME > available but disabled < TME available and enabled < TME available, > enabled and being used. The extra nugget of data gets me from state 2 > to state 3. I'd assert that availability tells you nothing if you don't pair it with use. Last night, I asked my kids if they brushed their teeth. They said: "Dad, my toothbrush was available." They argued that mere availability was a better situation than not *having* a toothbrush. They were logically right, of course, but they still got cavities. >>> Can I use TME if the CPU supports it, but the platform has disabled >>> it? How do I know that my system is actually *using* the benefits the >>> TME feature provides? >> >> You must have a system with UEFI 2.8, ensure TME is enabled, then make >> sure the OS parses EFI_MEMORY_CPU_CRYPTO, then ensure you request that >> you data be placed in a region marked with EFI_MEMORY_CPU_CRYPTO, and >> that it be *kept* there (hint: NUMA APIs don't do this). > > So my take-away from that is that it's currently impossible to > actually say if your system is *actually* using TME. Not in a generic way, and it can't be derived from cpuid or MSRs alone. Let's say I'm buying a fleet of servers. I know I'm buying some fancy Xeon with TME, I know I'm only using DRAM for storing user data, and I don't have any accelerators around. I control and enforce my BIOS settings. I'm pretty sure I'm using TME, but I didn't become sure from poking at sysfs.
