[PATCH v9 00/38] x86: Secure Memory Encryption (AMD)
thomas.lendacky at amd.com
Mon Jul 10 11:04:11 PDT 2017
On 7/8/2017 4:24 AM, Ingo Molnar wrote:
> * Tom Lendacky <thomas.lendacky at amd.com> wrote:
>> This patch series provides support for AMD's new Secure Memory Encryption (SME)
>
> I'm wondering, what's the typical performance hit to DRAM access latency when SME
> is enabled?

It's about an extra 10 cycles of DRAM latency when performing an
encryption or decryption operation.

> On that same note, if the performance hit is noticeable I'd expect SME to not be
> enabled in native kernels typically - but still it looks like a useful hardware

In some internal testing we've seen about 1.5% or less reduction in
performance. Of course it all depends on the workload: the number of
memory accesses, cache friendliness, etc.

> feature. Since it's controlled at the page table level, have you considered
> allowing SME-activated vmas via mmap(), even on kernels that are otherwise not
> using encrypted DRAM?

That is definitely something to consider as an additional SME-related
feature and something I can look into after this.

> One would think that putting encryption keys into such encrypted RAM regions would
> generally improve robustness against various physical space attacks that want to
> extract keys but don't have full control of the CPU.