[PATCH -v2] x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically

Tom Lendacky thomas.lendacky at amd.com
Mon Oct 11 16:29:46 UTC 2021


On 10/11/21 11:03 AM, Borislav Petkov wrote:
> Ok,
> 
> here's v2, I've added "however" number 3 below which should summarize
> Christian's note about coherent and concurrent use of memory by the GPU
> and CPU, which obviously cannot work with bounce buffers.
> 
> I'll send it to Linus next week if there are no more complaints.
> 
> Thx.
> 
> ---
> From: Borislav Petkov <bp at suse.de>
> 
> This Kconfig option was added initially so that memory encryption is
> enabled by default on machines which support it.
> 
> However, devices which have DMA masks that are less than the bit
> position of the encryption bit, aka C-bit, require the use of an IOMMU
> or the use of SWIOTLB.
> 
> If the IOMMU is disabled or in passthrough mode, the kernel would switch
> to SWIOTLB bounce-buffering for those transfers.
> 
> In order to avoid that,
> 
>    2cc13bb4f59f ("iommu: Disable passthrough mode when SME is active")
> 
> disables the default IOMMU passthrough mode so that devices for which the
> default 256K DMA is insufficient, can use the IOMMU instead.
> 
> However 2, there are cases where the IOMMU is disabled in the BIOS, etc.
> (think the usual hardware folk "oops, I dropped the ball there" cases) or a
> driver doesn't properly use the DMA APIs or a device has a firmware or
> hardware bug, e.g.:
> 
>    ea68573d408f ("drm/amdgpu: Fail to load on RAVEN if SME is active")
> 
> However 3, in the above GPU use case, there are APIs like Vulkan and
> some OpenGL/OpenCL extensions which are under the assumption that
> user-allocated memory can be passed in to the kernel driver and both the
> GPU and CPU can do coherent and concurrent access to the same memory.
> That cannot work with SWIOTLB bounce buffers, of course.
> 
> So, in order for those devices to function, drop the "default y" for the
> SME by default active option so that users who want to have SME enabled,
> will need to either enable it in their config or use "mem_encrypt=on" on
> the kernel command line.
> 
>   [ tlendacky: Generalize commit message. ]
> 
> Fixes: 7744ccdbc16f ("x86/mm: Add Secure Memory Encryption (SME) support")
> Reported-by: Paul Menzel <pmenzel at molgen.mpg.de>
> Signed-off-by: Borislav Petkov <bp at suse.de>

Acked-by: Tom Lendacky <thomas.lendacky at amd.com>

> Cc: <stable at vger.kernel.org>
> Link: https://lkml.kernel.org/r/8bbacd0e-4580-3194-19d2-a0ecad7df09c@molgen.mpg.de
> ---
>   arch/x86/Kconfig | 1 -
>   1 file changed, 1 deletion(-)
> 
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index bd70e8a39fbf..d9830e7e1060 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -1525,7 +1525,6 @@ config AMD_MEM_ENCRYPT
>   
>   config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT
>   	bool "Activate AMD Secure Memory Encryption (SME) by default"
> -	default y
>   	depends on AMD_MEM_ENCRYPT
>   	help
>   	  Say yes to have system memory encrypted by default if running on
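Review bot: At the removed "default y" under config AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT, the option now defaults to off, yet the help text kept as context still opens with "Say yes to have system memory encrypted by default" and nothing visible in this hunk tells the user what saying yes can cost. Consider adding a sentence to the help text on the trade-off the commit message describes (devices whose DMA mask is below the C-bit need the IOMMU or SWIOTLB bounce buffers) and naming mem_encrypt=on as the command-line alternative, unless the part of the help text not shown here already does. Since the patch is Cc'd to stable, the commit message could also state that freshly generated configs stop activating SME while configs that already carry the =y keep it, so the change in protection on a stable update is not a surprise.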
> 
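An added example, not part of the patch or the thread: a POSIX shell check that takes kernel .config text and a kernel command line, reports whether SME activation is requested once the "default y" is gone, and flags a command line that bypasses the IOMMU. The function names, the constructed sample inputs, the handling of mem_encrypt=off and of a repeated option (last instance wins), and the IOMMU parameters matched are assumptions not stated in the thread; SME support in CPU and firmware is assumed, not checked.

```sh
# Added example: is SME activation requested for this config + command line?
# Assumes the CPU and firmware support SME; that is not checked here.

# Value of the last mem_encrypt= token (assumption: a repeated option's last instance wins).
last_mem_encrypt() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | sed -n 's/^mem_encrypt=//p' | tail -n 1
}

# has_config CONFIG_TEXT SYMBOL: true if "SYMBOL=y" appears as a full line
has_config() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# sme_requested CONFIG_TEXT CMDLINE: prints "on" or "off"
sme_requested() {
    # The option "depends on AMD_MEM_ENCRYPT": without it nothing can turn SME on.
    if ! has_config "$1" CONFIG_AMD_MEM_ENCRYPT; then echo off; return 0; fi
    case "$(last_mem_encrypt "$2")" in
        on)  echo on;  return 0 ;;
        off) echo off; return 0 ;;
    esac
    # No on/off override on the command line: the Kconfig setting decides.
    if has_config "$1" CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT; then echo on; else echo off; fi
}

# iommu_bypassed CMDLINE: true if the command line disables the IOMMU or forces passthrough
iommu_bypassed() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' |
        grep -Eqx 'iommu=(off|pt)|amd_iommu=off|iommu\.passthrough=1'
}

# audit CONFIG_TEXT CMDLINE: one-line verdict for a host
audit() {
    state=$(sme_requested "$1" "$2")
    if [ "$state" = on ] && iommu_bypassed "$2"; then
        echo "sme=on iommu=bypassed: low-DMA-mask devices fall back to SWIOTLB"
    else
        echo "sme=$state"
    fi
}

# Constructed sample configs: a build made before and after the default was dropped.
CFG_BEFORE='CONFIG_AMD_MEM_ENCRYPT=y
CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y'
CFG_AFTER='CONFIG_AMD_MEM_ENCRYPT=y
# CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set'
audit "$CFG_BEFORE" 'ro quiet'
audit "$CFG_AFTER"  'ro quiet'
audit "$CFG_AFTER"  'ro quiet mem_encrypt=on iommu=pt'
```

On a real host the two arguments would come from the running kernel's config file and /proc/cmdline; the verdict says what was requested, not what the hardware granted.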


More information about the amd-gfx mailing list