lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 19 Jun 2020 06:33:34 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Richard Hughes <hughsient@...il.com>
Cc:     Daniel Gutson <daniel@...ypsium.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        Arnd Bergmann <arnd@...db.de>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Peter Zijlstra <peterz@...radead.org>,
        "David S. Miller" <davem@...emloft.net>,
        Rob Herring <robh@...nel.org>, Tony Luck <tony.luck@...el.com>,
        Rahul Tanwar <rahul.tanwar@...ux.intel.com>,
        Xiaoyao Li <xiaoyao.li@...el.com>,
        Sean Christopherson <sean.j.christopherson@...el.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Ability to read the MKTME status from userspace

On 6/19/20 6:25 AM, Richard Hughes wrote:
> On Fri, 19 Jun 2020 at 00:52, Dave Hansen <dave.hansen@...el.com> wrote:
>> It doesn't tell you if your data is encrypted.
> Sorry for the perhaps naive question, but I thought MKTME was
> essentially full physical memory encryption?

Nope.

It means there is some encryption available.  But, it doesn't tell you
that your data is encrypted.  There is persistent memory which isn't
protected by TME, or necessarily protected by MKTME.  There can be
memory on accelerators attached by Compute Express Link which isn't
encrypted.  There's even an entire bit in the UEFI memory map to tell
the OS which memory can be encrypted or not.

On top of that, the kernel can just swap data out to unencrypted storage.

So, I really wonder what folks want from this flag in the first place.
It really tells you _nothing_.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ