mem_encrypt= [X86-64] AMD Secure Memory Encryption (SME) control
Valid arguments: on, off
Default (depends on kernel configuration option):
on (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y)
off (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n)
mem_encrypt=on: Activate SME
mem_encrypt=off: Do not activate SME
Refer to Documentation/virt/kvm/amd-memory-encryption.rst
for details on when memory encryption can be activated.
No, the current implementation in the kernel is incomplete/buggy and it can prevent some devices from booting.
Kinda. The attacker can siphon the encryption keys out of the CPU or dump the memory before it’s encrypted but that would be hard. If they can’t do either of those though, memory would be remain encrypted to the attacker, thus defeating a cold boot attack.
Kinda. The attacker can siphon the encryption keys out of the CPU or dump the memory before it’s encrypted but that would be hard. If they can’t do either of those though, memory would be remain encrypted to the attacker, thus defeating a cold boot attack.
I haven’t seen any reports of anyone dissecting any modern CPU and
extracting data from in. In theory, of course, it’s conceivable. I guess
that was the idea of TRESOR - Wikipedia - RAM was
vulnerable to information disclosure but for CPU’s nobody announced
managing that yet.
Indeed, encrypting RAM is nice and we should enable it if there were no
major downsides such as the ones linked above, but wiping RAM is better.
Should do both if possible.
Pass. This feature is useless because it is tied to an encryption key hardcoded into the machine by the CPU manufacturer, I’ve also read security attacks against it over the years so never bothered following it much.