[PATCH v9 00/38] x86: Secure Memory Encryption (AMD)

Tom Lendacky thomas.lendacky at amd.com
Mon Jul 10 11:04:11 PDT 2017

On 7/8/2017 4:24 AM, Ingo Molnar wrote:
> * Tom Lendacky <thomas.lendacky at amd.com> wrote:
>> This patch series provides support for AMD's new Secure Memory Encryption (SME)
>> feature.
> I'm wondering, what's the typical performance hit to DRAM access latency when SME
> is enabled?

It's about an extra 10 cycles of DRAM latency when performing an
encryption or decryption operation.

> On that same note, if the performance hit is noticeable I'd expect SME to not be
> enabled in native kernels typically - but still it looks like a useful hardware

In some internal testing we've seen about 1.5% or less reduction in
performance. Of course it all depends on the workload: the number of
memory accesses, cache friendliness, etc.

> feature. Since it's controlled at the page table level, have you considered
> allowing SME-activated vmas via mmap(), even on kernels that are otherwise not
> using encrypted DRAM?

That is definitely something to consider as an additional SME-related
feature and something I can look into after this.


> One would think that putting encryption keys into such encrypted RAM regions would
> generally improve robustness against various physical space attacks that want to
> extract keys but don't have full control of the CPU.
> Thanks,
> 	Ingo

More information about the kexec mailing list