From WikiChip
Difference between revisions of "x86/tme"
< x86

(Overview: added more specific on where it's actually encrypted)
Line 8: Line 8:
 
== Overview ==
 
== Overview ==
 
TME and MKTME are a planned [[x86]] instruction set {{x86|extension}} that provides full physical memory encryption support for [[DRAM]] and [[NVRAM]]. TME is the base extension which adds the base capabilities for a single ephemeral key. MKTME is a further enhancement of TME that provides support for page granular memory encryption through support for multiple encryption keys.
 
TME and MKTME are a planned [[x86]] instruction set {{x86|extension}} that provides full physical memory encryption support for [[DRAM]] and [[NVRAM]]. TME is the base extension which adds the base capabilities for a single ephemeral key. MKTME is a further enhancement of TME that provides support for page granular memory encryption through support for multiple encryption keys.
 +
 +
Inside the chip itself (e.g., [[registers]] and [[caches]]) the data remains in plain text. This is done in order to maintain compatibility with all existing software and I/O models. An [[AES-XTS]] encryption engine is physically located directly on the data paths to external memory buses ensuring all data entering and leaving the chip is encrypted.
  
 
== Total Memory Encryption  ==
 
== Total Memory Encryption  ==

Revision as of 11:13, 16 December 2017

Total Memory Encryption (TME) is a planned x86 instruction set extension for a full physical memory encryption for DRAM and NVRAM with a single ephemeral key. Multi-Key Total Memory Encryption (MKTME) refers to an enhanced support that builds on top of TME and adds multiple encryption keys.


Symbol version future.svg Preliminary Data! Information presented in this article deal with future products, data, features, and specifications that have yet to be finalized, announced, or released. Information may be incomplete and can change by final release.


Overview

TME and MKTME are a planned x86 instruction set extension that provides full physical memory encryption support for DRAM and NVRAM. TME is the base extension which adds the base capabilities for a single ephemeral key. MKTME is a further enhancement of TME that provides support for page granular memory encryption through support for multiple encryption keys.

Inside the chip itself (e.g., registers and caches) the data remains in plain text. This is done in order to maintain compatibility with all existing software and I/O models. An AES-XTS encryption engine is physically located directly on the data paths to external memory buses ensuring all data entering and leaving the chip is encrypted.

Total Memory Encryption

The Total Memory Encryption (TME) provides the base functionality to allow for full physical memory encryption. The extension is designed to work with unmodified existing software applications and systems. This feature is enabled via the BIOS during the initial boot process with very minor modifications. Once activated, all data sent on the external memory buses of the chip are encrypted using the standard NIST AES-XTS algorithm (although support for additional encryption scheme is possible in the future). The implementation uses a hardware random generator to generate the 128-bit key and is not accessible by software or through any external interface.

Multi-Key Total Memory Encryption

Multi-Key Total Memory Encryption (MKTME) is an extension of TME that adds support for multiple keys. A fixed number of encryption keys are supported. Software can then configure the chip to use any subset of the available keys to encrypt any page of the memory. This functionality is available on a per-page basis.

Unless otherwise specified by software, MKTME uses the hardware-generated ephemeral key by default which is inaccessible by software or external interfaces. Alternatively, MKTME also supports software-provided keys. This mean MKTME can effectively work with non-volatile memory, various attestation mechanisms, or other key provisioning services. For virtualized workloads, a hypervisor can manage the keys to transparently provide memory encryption support for legacy operating systems without any modifications.

Note that operating systems can also take advantage of MKTME to provide support in native and virtualized environment. For example, each guest OS in a virtualized environment can take advantage of MKTME for itself and encrypt its own data.

Performance

The exact performance impact will greatly depend on the workload, but overall the performance impact should be minimal.