Lines Matching +full:in +full:- +full:memory
1 .. SPDX-License-Identifier: GPL-2.0
4 AMD Memory Encryption
7 Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV) are
10 SME provides the ability to mark individual pages of memory as encrypted using
16 SEV enables running encrypted virtual machines (VMs) in which the code and data
19 memory. Private memory is encrypted with the guest-specific key, while shared
20 memory may be encrypted with the hypervisor key. When SME is enabled, the hypervisor
21 key is the same key which is used in SME.
25 specified in the cr3 register, allowing the PGD table to be encrypted. Each
27 bit in the page table entry that points to the next table. This allows the full
29 encryption bit is set in cr3, doesn't imply the full hierarchy is encrypted.
30 Each page table entry in the hierarchy needs to have the encryption bit set to
31 achieve that. So, theoretically, you could have the encryption bit set in cr3
32 so that the PGD is encrypted, but not set the encryption bit in the PGD entry
33 for a PUD which results in the PUD pointed to by that entry to not be
38 memory. Since the memory encryption bit is controlled by the guest OS when it
39 is operating in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware
40 forces the memory encryption bit to 1.
49 Bits[5:0] pagetable bit number used to activate memory
51 Bits[11:6] reduction in physical address space, in bits, when
52 memory encryption is enabled (this only affects
57 determine if SME is enabled and/or to enable memory encryption::
60 Bit[23] 0 = memory encryption features are disabled
61 1 = memory encryption features are enabled
67 Bit[0] 0 = memory encryption is not active
68 1 = memory encryption is active
71 in the physical address space as a result of enabling memory encryption (see
74 Linux itself will not set it and memory encryption will not be possible.
76 The state of SME in the Linux kernel can be documented as follows:
78 - Supported:
81 - Enabled:
84 - Active:
86 the encryption bit to page table entries (the SME mask in the
87 kernel is non-zero).
89 SME can also be enabled and activated in the BIOS. If SME is enabled and
90 activated in the BIOS, then all memory accesses will be encrypted and it will
91 not be necessary to activate the Linux memory encryption support. If the BIOS
93 memory encryption by default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y) or
95 not enable SME, then Linux will not be able to activate memory encryption, even