Re: [PATCH] Ability to read the MKTME status from userspace

From: Dave Hansen
Date: Thu Jun 18 2020 - 19:52:27 EST

Next message: Joel Fernandes: "Re: [PATCH 2/7] rcu/trace: Add tracing for how segcb list changes"
Previous message: Joel Fernandes: "Re: [PATCH 3/7] rcu/trace: Add name of the source for gp_seq"
In reply to: Boris Petkov: "Re: [PATCH] Ability to read the MKTME status from userspace"
Next in thread: Borislav Petkov: "Re: [PATCH] Ability to read the MKTME status from userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/18/20 2:26 PM, Daniel Gutson wrote:
> Red Hat and Eclypsium are working on a specification to assess
> firmware platform security. One of the inputs that the specification
> takes into consideration is whether MKTME is enabled or disabled.
> Exposing this value is necessary for tools checking the conformance
> of the specification.

What does TME's status on the platform tell you, though?

It doesn't tell you if your data is encrypted. It doesn't even tell you
if your mlock()'d "in RAM" data is encrypted.

So, what good is it?

Are we going to need another one of these when the TME encryption
algorithm changes? Do we need another driver when running in a SEV
guest to tell us about SEV's status?

Next message: Joel Fernandes: "Re: [PATCH 2/7] rcu/trace: Add tracing for how segcb list changes"
Previous message: Joel Fernandes: "Re: [PATCH 3/7] rcu/trace: Add name of the source for gp_seq"
In reply to: Boris Petkov: "Re: [PATCH] Ability to read the MKTME status from userspace"
Next in thread: Borislav Petkov: "Re: [PATCH] Ability to read the MKTME status from userspace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]