Re: [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

2017-07-10 Thread Tom Lendacky 



On 7/8/2017 4:24 AM, Ingo Molnar wrote:


* Tom Lendacky  wrote:


This patch series provides support for AMD's new Secure Memory Encryption (SME)
feature.


I'm wondering, what's the typical performance hit to DRAM access latency when 
SME
is enabled?


It's about an extra 10 cycles of DRAM latency when performing an
encryption or decryption operation.



On that same note, if the performance hit is noticeable I'd expect SME to not be
enabled in native kernels typically - but still it looks like a useful hardware


In some internal testing we've seen about 1.5% or less reduction in
performance. Of course it all depends on the workload: the number of
memory accesses, cache friendliness, etc.


feature. Since it's controlled at the page table level, have you considered
allowing SME-activated vmas via mmap(), even on kernels that are otherwise not
using encrypted DRAM?


That is definitely something to consider as an additional SME-related
feature and something I can look into after this.

Thanks,
Tom



One would think that putting encryption keys into such encrypted RAM regions 
would
generally improve robustness against various physical space attacks that want to
extract keys but don't have full control of the CPU.

Thanks,

Ingo



___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

Re: [PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

2017-07-08 Thread Ingo Molnar 

* Tom Lendacky  wrote:

> This patch series provides support for AMD's new Secure Memory Encryption 
> (SME)
> feature.

I'm wondering, what's the typical performance hit to DRAM access latency when 
SME 
is enabled?

On that same note, if the performance hit is noticeable I'd expect SME to not 
be 
enabled in native kernels typically - but still it looks like a useful hardware 
feature. Since it's controlled at the page table level, have you considered 
allowing SME-activated vmas via mmap(), even on kernels that are otherwise not 
using encrypted DRAM?

One would think that putting encryption keys into such encrypted RAM regions 
would 
generally improve robustness against various physical space attacks that want 
to 
extract keys but don't have full control of the CPU.

Thanks,

Ingo

___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec