Multikey Total Memory Encryption (MKTME) is a technology that allows
transparent memory encryption in upcoming Intel platforms.
MKTME is built on top of TME. TME allows encryption of the entirety of
system memory using a single key. MKTME allows to have multiple encryption
domains, each having own key -- different memory pages can be encrypted
with different keys.
The patchset does some ground work for MKTME enabling:
- Adds two new cpufeatures: TME and PCONFIG;
- Detects if BIOS enabled TME and MKTME;
- Enumerates what PCONFIG targets are supported;
- Provides helper to program encryption keys into CPU;
As part of TME enumeration we check out how many bits from physical address
are claimed for encryption key ID. This may be critical as we or guest VM
must not use these bits for physical address.
Please review and consider applying.
- Address Dave's feedback;
- Fixes for TME enumeration;
- Add PCONFIG CPUID leaf support;
- Add MKTME_KEY_PROG helper;
Kirill A. Shutemov (5):
x86/cpufeatures: Add Intel Total Memory Encryption cpufeature
x86/tme: Detect if TME and MKTME is activated by BIOS
x86/cpufeatures: Add Intel PCONFIG cpufeature
x86/pconfig: Detect PCONFIG targets
x86/pconfig: Provide defines and helper to run MKTME_KEY_PROG leaf
arch/x86/include/asm/cpufeatures.h | 2 +
arch/x86/include/asm/intel_pconfig.h | 65 ++++++++++++++++++++++++++
arch/x86/kernel/cpu/Makefile | 2 +-
arch/x86/kernel/cpu/intel.c | 90 ++++++++++++++++++++++++++++++++++++
arch/x86/kernel/cpu/intel_pconfig.c | 82 ++++++++++++++++++++++++++++++++
5 files changed, 240 insertions(+), 1 deletion(-)
create mode 100644 arch/x86/include/asm/intel_pconfig.h
create mode 100644 arch/x86/kernel/cpu/intel_pconfig.c