(sme) |
|||
Line 1: | Line 1: | ||
{{x86 title|Secure Memory Encryption (SME)}}{{x86 isa main}} | {{x86 title|Secure Memory Encryption (SME)}}{{x86 isa main}} | ||
− | '''Secure Memory Encryption''' ('''SME''') is an [[x86]] [[instruction set]] {{x86|extension}} introduced by [[AMD]] for page-granular memory encryption support using a single ephemeral key. A subset of SME, '''Transparent SME''' ('''SME'''), is a more limited form of SME used to transparently encrypt the full physical memory. | + | '''Secure Memory Encryption''' ('''SME''') is an [[x86]] [[instruction set]] {{x86|extension}} introduced by [[AMD]] for page-granular memory encryption support using a single ephemeral key. A subset of SME, '''Transparent SME''' ('''SME'''), is a more limited form of SME used to transparently encrypt the full physical memory. '''Secure Encrypted Virtualization''' ('''SEV''') extends SME to {{x86|AMD-V}}, allowing individual VMs to run SME using their own secure keys. |
+ | |||
+ | == Overview == | ||
+ | SME was proposed by [[AMD]] in their white paper in April 2016. SME adds the ability to mark individual pages of memory as encrypted through the [[page tables]]. Any marked page will automatically be encrypted on write and decrypted back when read by software. | ||
+ | |||
+ | == Secure Memory Encryption == | ||
+ | '''Secure Memory Encryption''' ('''SME''') provides the ability for software to market certain pages to be encrypted. Marked pages are automatically decrypted and encrypted upon software read and write. All pages are encrypted using a single 128-bit ephemeral AES key which is created randomly using a [[hardware random generator]] at each boot and is not accessible by software. A new key is generated by the processor on every boot. | ||
+ | |||
+ | == Transparent SME == | ||
+ | '''Transparent SME''' ('''TSME''') as the name implies is a stricter subset of SME that requires no software intervention. Under TSME, all memory pages are encrypted regardless of the C-bit value. TSME is designed for legacy OS and hypervisor software that cannot be modified. Note that when TSME is enabled, standard SME as well as SEV are no longer available. | ||
+ | |||
+ | == Secure Encrypted Virtualization == | ||
+ | '''Secure Encrypted Virtualization''' ('''SEV''') is an extension of SME that effectively enables a per-virtual machine SME. In other words, SEV enables running encrypted virtual machines in which the code and data of the VM are private to the VM and may only be decrypted within the VM itself. |
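Review bot: the intro line still reads "'''Transparent SME''' ('''SME''')", which gives Transparent SME the same abbreviation as SME, while the new Transparent SME section uses '''TSME'''; use TSME in both places. In the new Secure Memory Encryption section, "market certain pages" should read "mark certain pages". Its closing sentence, "A new key is generated by the processor on every boot", repeats what the preceding sentence already says about the key being created at each boot, so one of the two can go. The Transparent SME section also refers to "the C-bit" without the added text introducing it anywhere; define it where page marking through the page tables is first described.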
Revision as of 00:23, 17 December 2017
Secure Memory Encryption (SME) is an x86 instruction set extension introduced by AMD for page-granular memory encryption support using a single ephemeral key. A subset of SME, Transparent SME (TSME), is a more limited form of SME used to transparently encrypt the full physical memory. Secure Encrypted Virtualization (SEV) extends SME to AMD-V, allowing individual VMs to run SME using their own secure keys.
Overview
SME was proposed by AMD in a white paper in April 2016. SME adds the ability to mark individual pages of memory as encrypted through the page tables. Any marked page is automatically encrypted on write and decrypted when read by software.
Secure Memory Encryption
Secure Memory Encryption (SME) provides the ability for software to mark certain pages to be encrypted. Marked pages are automatically decrypted on software reads and encrypted on software writes. All pages are encrypted using a single 128-bit ephemeral AES key, which the processor creates randomly using a hardware random generator at each boot and which is not accessible by software.
Transparent SME
Transparent SME (TSME), as the name implies, is a stricter subset of SME that requires no software intervention. Under TSME, all memory pages are encrypted regardless of the value of the C-bit, the page-table bit that marks a page as encrypted. TSME is designed for legacy OS and hypervisor software that cannot be modified. Note that when TSME is enabled, standard SME as well as SEV are no longer available.
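The per-page marking under SME and the "C-bit is ignored" behaviour under TSME, modelled in C as an added example that is not part of the original article. The CPUID Fn8000_001F field layout comes from AMD's Architecture Programmer's Manual rather than from this page; the register values, the page-table entry and the mem_mode enum are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CPUID Fn8000_001F fields as documented in AMD's Architecture Programmer's
 * Manual (the leaf is not named on this page): EAX[0] = SME, EAX[1] = SEV,
 * EBX[5:0] = C-bit position in a page-table entry, EBX[11:6] = number of
 * physical address bits given up when memory encryption is enabled. */
struct sme_caps {
    bool sme, sev;
    unsigned c_bit_pos, phys_addr_reduction;
};

/* How the platform is configured; a model for this example only. */
enum mem_mode { MODE_OFF, MODE_SME, MODE_TSME };

static struct sme_caps decode_sme_leaf(uint32_t eax, uint32_t ebx) {
    struct sme_caps c;
    c.sme = (eax & 1u) != 0;
    c.sev = (eax & 2u) != 0;
    c.c_bit_pos = ebx & 0x3fu;
    c.phys_addr_reduction = (ebx >> 6) & 0x3fu;
    return c;
}

/* Mark (or unmark) the page behind a page-table entry as encrypted. */
static uint64_t pte_set_encrypted(uint64_t pte, const struct sme_caps *c, bool on) {
    uint64_t mask = 1ULL << c->c_bit_pos;
    return on ? (pte | mask) : (pte & ~mask);
}

/* Does data for this page reach DRAM encrypted? */
static bool page_is_encrypted(uint64_t pte, const struct sme_caps *c, enum mem_mode m) {
    if (m == MODE_TSME) return true;               /* C-bit is ignored */
    if (m != MODE_SME || !c->sme) return false;    /* feature off or absent */
    return ((pte >> c->c_bit_pos) & 1u) != 0;      /* SME: per-page choice */
}

int main(void) {
    /* Constructed register values, not read from real hardware. */
    struct sme_caps c = decode_sme_leaf(0x3u, 0x16fu);
    uint64_t plain = 0x0000000012345067ULL;        /* constructed PTE */
    uint64_t marked = pte_set_encrypted(plain, &c, true);
    printf("SME=%d SEV=%d C-bit=%u reduction=%u\n", c.sme, c.sev, c.c_bit_pos, c.phys_addr_reduction);
    printf("SME:  plain=%d marked=%d\n", page_is_encrypted(plain, &c, MODE_SME), page_is_encrypted(marked, &c, MODE_SME));
    printf("TSME: plain=%d\n", page_is_encrypted(plain, &c, MODE_TSME));
    return 0;
}
```

Under the SME model a page that software forgot to mark stays in cleartext in DRAM, which is the gap TSME closes by encrypting every page.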
Secure Encrypted Virtualization
Secure Encrypted Virtualization (SEV) is an extension of SME that effectively enables per-virtual-machine SME. In other words, SEV enables running encrypted virtual machines in which the code and data of the VM are private to the VM and may only be decrypted within the VM itself.