4

More recent AMD CPUs have a feature named Secure Memory Encryption (SME) which, if available, can be explicitly enabled by adding this parameter to the Linux command line:

mem_encrypt=on

(according to https://libvirt.org/kbase/launch_security_sev.html)

I am unsure whether my system (with an AMD EPYC CPU) has this feature enabled (i.e. whether the feature might be on by default anyway).

My question is: how do I check whether the AMD SME feature is enabled?

Since https://www.kernel.org/doc/html/latest/x86/amd-memory-encryption.html suggests that:

If support for SME is present, MSR 0xc00100010 (MSR_K8_SYSCFG) can be used to determine if SME is enabled and/or to enable memory encryption:

I have run these commands (on Debian 10):

apt-get install msr-tools
rdmsr --raw 0xc0010010  | xxd -b

which presented me with this output:

00000000: 00000000 00000000 11110100 00000000 00000000 00000000  ......
00000006: 00000000 00000000

where, according to the source quoted, the 23rd bit indicates whether SME is indeed enabled/active (=1) or not (=0).

If the above is indeed the correct way to test this, a confirmation may be considered a valid answer, ideally of course providing some background. Otherwise I would be very happy to be able to check the state of SME on a running Linux system.

fraleone
  • 797

1 Answer

5

If SME is supported (CPUID shows the corresponding bit set) and enabled (the appropriate MSR bit is set), /proc/cpuinfo will contain the sme flag. You can verify this by looking at the kernel code which detects SME: the SME feature, which is reflected directly in /proc/cpuinfo, is cleared if SME isn’t fully enabled.

You should also see corresponding messages in the kernel boot logs:

AMD Memory Encryption Features active: SME

if SME is active,

AMD Memory Encryption Features active: SEV SEV-ES

if SEV and/or SEV-ES are active.

See also What do the flags in /proc/cpuinfo mean?

Stephen Kitt
  • 434,908
  • 1
    Thanks for linking to the source code. Oddly, on the Debian 10 4.19.0-13-amd64 kernel the kernel logs displayed via dmesg do not report the output about SME being enabled. Yet oddly grep sme /proc/cpuinfo shows up. Did I understand your answer incorrectly, or should both not concur? A – humanityANDpeace Jan 06 '21 at 16:19
  • In 4.19, the messages were different; you should see “AMD Secure Memory Encryption (SME) active”. – Stephen Kitt Jan 06 '21 at 16:32
  • I did dmesg | grep -i sme | wc -l for not being certain about upper/lowercase sme/Sme/SME if the kernel log output would be 100% exactly the same. Yet still the result 0 leaves me a little puzzled. Thanks for responding :) – humanityANDpeace Jan 06 '21 at 19:28
  • Does your dmesg output still contain the early boot messages? – Stephen Kitt Jan 07 '21 at 06:37
  • 1
    dmesg | head -n 2 yields this [ 0.000000] Linux version 4.19.0-13-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.160-2 (2020-11-28) [ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.19.0-13-amd64 root=/dev/mapper/vg-root ro mem_encrypt=on. I will attempt to find out how early that is. I was not aware that dmesg might have different levels of earlyness. thanks for the hint – humanityANDpeace Jan 07 '21 at 10:45
  • 1
    That’s the very first log message, so early enough ;-). The issue with dmesg is that it shows the kernel log, which is a circular buffer — so on systems that have been up for a while, or that have lots of kernel logs, the start can be lost. – Stephen Kitt Jan 07 '21 at 10:54
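The following POSIX shell script is an added example, not code from the question or the answer: it decodes the raw SYSCFG MSR dump exactly as the question pasted it (bit 23 of MSR 0xc0010010, read little-endian from the `rdmsr --raw | xxd -b` output), accepts the plain hex form that `rdmsr` prints without `--raw`, and then applies the two checks from the answer (the `sme` flag in /proc/cpuinfo and both wordings of the boot message). All inputs are constructed and embedded, so nothing here reads a live MSR, /proc or dmesg; the cpuinfo and kernel-log samples are made up to mirror the post.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Decodes the SME enable bit from MSR 0xc0010010 (SYSCFG) and cross-checks
# the /proc/cpuinfo and dmesg evidence. All inputs below are constructed.

# Constructed copy of the `rdmsr --raw 0xc0010010 | xxd -b` output from the question.
XXD_SAMPLE='00000000: 00000000 00000000 11110100 00000000 00000000 00000000  ......
00000006: 00000000 00000000'

# Constructed /proc/cpuinfo fragment (only the lines needed for the check).
CPUINFO_SAMPLE='processor	: 0
vendor_id	: AuthenticAMD
flags		: fpu vme de pse sme sev'

# Constructed kernel log lines: the 4.19-era wording and the newer wording.
DMESG_OLD='[    0.000000] AMD Secure Memory Encryption (SME) active'
DMESG_NEW='[    0.000000] AMD Memory Encryption Features active: SEV SEV-ES'

# sme_bit_from_xxd: read `xxd -b` output of the 8 raw MSR bytes on stdin,
# reassemble the little-endian value and print bit 23 (MemEncryptionModEn):
# 1 = SME enabled, 0 = not enabled.
sme_bit_from_xxd() {
    # Keep only the 8-digit binary groups, in byte order (offsets and the
    # ASCII column on the right are dropped).
    bits=$(tr ' ' '\n' | grep -E '^[01]{8}$')
    i=0
    val=0
    for b in $bits; do
        byte=0
        # Binary string -> integer using only shell arithmetic.
        for c in $(printf '%s' "$b" | sed 's/./& /g'); do
            byte=$(( byte * 2 + c ))
        done
        # Byte i of `rdmsr --raw` is the i-th least significant byte.
        val=$(( val | (byte << (8 * i)) ))
        i=$(( i + 1 ))
    done
    printf '%d\n' $(( (val >> 23) & 1 ))
}

# sme_bit_from_hex: same check for the hex value printed by plain `rdmsr 0xc0010010`.
sme_bit_from_hex() {
    printf '%d\n' $(( (0x$1 >> 23) & 1 ))
}

# cpuinfo_has_sme: read /proc/cpuinfo text on stdin, print 1 if a flags
# line carries the "sme" flag (the answer's primary check), else 0.
cpuinfo_has_sme() {
    if grep -E '^flags[[:space:]]*:' | tr ' ' '\n' | grep -qx 'sme'; then
        echo 1
    else
        echo 0
    fi
}

# dmesg_sme_state: read kernel log lines on stdin and print "sme", "sev" or
# "none", recognising both message wordings quoted in the answer.
dmesg_sme_state() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'AMD Secure Memory Encryption (SME) active' ||
       printf '%s\n' "$log" | grep -q 'AMD Memory Encryption Features active: .*SME'; then
        echo sme
    elif printf '%s\n' "$log" | grep -q 'AMD Memory Encryption Features active: .*SEV'; then
        echo sev
    else
        echo none
    fi
}

# Run the checks against the constructed samples.
printf 'SYSCFG bit 23 from xxd dump : %s\n' "$(printf '%s\n' "$XXD_SAMPLE" | sme_bit_from_xxd)"
printf 'SYSCFG bit 23 from hex f40000: %s\n' "$(sme_bit_from_hex f40000)"
printf 'sme flag in cpuinfo         : %s\n' "$(printf '%s\n' "$CPUINFO_SAMPLE" | cpuinfo_has_sme)"
printf 'dmesg (4.19 wording)        : %s\n' "$(printf '%s\n' "$DMESG_OLD" | dmesg_sme_state)"
printf 'dmesg (newer wording)       : %s\n' "$(printf '%s\n' "$DMESG_NEW" | dmesg_sme_state)"
```

On a real machine the same functions can be fed live data (`rdmsr --raw 0xc0010010 | xxd -b | sme_bit_from_xxd`, `cpuinfo_has_sme < /proc/cpuinfo`, `dmesg | dmesg_sme_state`); the MSR and cpuinfo checks should agree, since the kernel clears the sme flag when the bit is not set, while the dmesg check can report "none" simply because the early boot messages have scrolled out of the ring buffer, as the comments above discuss.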