From WikiChip
Editing x86/sme
Latest revision | Your text | ||
Line 1: | Line 1: | ||
{{x86 title|Secure Memory Encryption (SME)}}{{x86 isa main}} | {{x86 title|Secure Memory Encryption (SME)}}{{x86 isa main}} | ||
'''Secure Memory Encryption''' ('''SME''') is an [[x86]] [[instruction set]] {{x86|extension}} introduced by [[AMD]] for page-granular memory encryption support using a single ephemeral key. A subset of SME, '''Transparent SME''' ('''TSME'''), is a more limited form of SME used to transparently encrypt the full physical memory. '''Secure Encrypted Virtualization''' ('''SEV''') extends SME to {{x86|AMD-V}}, allowing individual VMs to run SME using their own secure keys. | '''Secure Memory Encryption''' ('''SME''') is an [[x86]] [[instruction set]] {{x86|extension}} introduced by [[AMD]] for page-granular memory encryption support using a single ephemeral key. A subset of SME, '''Transparent SME''' ('''TSME'''), is a more limited form of SME used to transparently encrypt the full physical memory. '''Secure Encrypted Virtualization''' ('''SEV''') extends SME to {{x86|AMD-V}}, allowing individual VMs to run SME using their own secure keys. | ||
− | |||
− | |||
== Motivation == | == Motivation == | ||
Line 13: | Line 11: | ||
== Secure Memory Encryption == | == Secure Memory Encryption == | ||
− | '''Secure Memory Encryption''' ('''SME''') provides the ability for software to | + | '''Secure Memory Encryption''' ('''SME''') provides the ability for software to market certain pages to be encrypted. Marked pages are automatically decrypted and encrypted upon software read and write. All pages are encrypted using a single 128-bit ephemeral AES key which is created randomly using a [[hardware random generator]] at each boot and is not accessible by software. A new key is generated by the processor on every boot. |
== Transparent SME == | == Transparent SME == | ||
− | '''Transparent SME''' ('''TSME''') as the name implies is a stricter subset of SME that requires no software intervention. Under TSME, all memory pages are encrypted regardless of the C-bit value. TSME is designed for legacy OS and hypervisor software that cannot be modified. Note that when TSME is enabled, standard SME as well as SEV are | + | '''Transparent SME''' ('''TSME''') as the name implies is a stricter subset of SME that requires no software intervention. Under TSME, all memory pages are encrypted regardless of the C-bit value. TSME is designed for legacy OS and hypervisor software that cannot be modified. Note that when TSME is enabled, standard SME as well as SEV are no longer available. |
== Secure Encrypted Virtualization == | == Secure Encrypted Virtualization == | ||
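Review bot: In the "+" text of the Secure Memory Encryption paragraph, "for software to market certain pages" should read "mark certain pages", as the next sentence ("Marked pages are automatically decrypted and encrypted") shows. The same paragraph states the per-boot key generation twice ("created randomly using a [[hardware random generator]] at each boot" and "A new key is generated by the processor on every boot"); keep one. In the Transparent SME paragraph, "as the name implies" is a parenthetical and should be set off with commas.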
Line 46: | Line 44: | ||
| Nested page table access || {{tchk|yes}} || {{tchk|yes}} || {{tchk|yes}} || Optional || Host Key || Determined by nested page tables C-bit | | Nested page table access || {{tchk|yes}} || {{tchk|yes}} || {{tchk|yes}} || Optional || Host Key || Determined by nested page tables C-bit | ||
|- | |- | ||
− | | Data access || {{tchk|yes}} || {{tchk|yes}} || {{tchk|yes}} || Optional || Host/Guest Key || Determined by guest page tables and nested page tables C-bits | + | | Data access || {{tchk|yes}} || {{tchk|yes}} || {{tchk|yes}} || Optional || Host/Guest Key || Determined by guest page tables and and nested page tables C-bits |
|} | |} | ||
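Review bot: The "+" side of the Data access row reads "guest page tables and and nested page tables C-bits"; drop the doubled "and" so the cell reads "Determined by guest page tables and nested page tables C-bits".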