HARDWARE MEMORY ENCRYPTION – HW SUPPORT

• Hardware AES engine located in the memory controller performs inline encryption/decryption of DRAM

• Minimal performance impact ‒ Extra latency only taken for encrypted pages

• No application changes required

• Encryption keys are managed by the AMD Secure Processor and are hardware isolated ‒ not known to any software on the CPU

AMD SECURE PROCESSOR

• AMD Secure Processor integrated within SoC ‒ 32-bit microcontroller (ARM Cortex-A5)

• Runs a secure OS/kernel

• Secure off-chip NV storage for firmware and data (e.g., SPI ROM)

• Provides cryptographic functionality for secure key generation and key management

• Enables Secure Platform boot (Hardware validated boot)

• Hardware root of trust provides foundation for platform security


HW MEMORY ENCRYPTION – SECURE MEMORY ENCRYPTION (SME)

• Protects against physical memory attacks

• Single key is used for encryption of system memory – Can be used on systems with VMs or Containers

• OS/Hypervisor chooses pages to encrypt via page tables

• Support for hardware devices (network, storage, graphics cards) to access encrypted pages seamlessly through DMA

SME – TECHNICAL DETAILS
1. Call CPUID Fn8000_001F to get information on memory encryption support (EAX[0] = SME supported, EAX[1] = SEV supported; EBX[5:0] = C-bit position, EBX[11:6] = physical address bit reduction)

2. During boot, enable MemEncryptionModEn (SYSCFG[23], MSR 0xC0010010)

3. Set the C-bit (enCrypted) on pages to be encrypted

 Notes:

‒ C-bit location is reported by CPUID Fn8000_001F EBX[5:0] (example: address bit 47)

‒ C-bit is only supported when CR4.PAE=1 and paging is enabled

‒ Some high physical address bits are reserved while memory encryption is enabled; CPUID Fn8000_001F EBX[11:6] reports by how many bits the usable physical address space shrinks
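The three SME steps above as one worked example in C. This is an added illustration, not AMD's code or anything from the SEV repository linked below: it decodes the Fn8000_001F fields (EAX[1:0], EBX[11:0]), computes the SYSCFG value with MemEncryptionModEn set, and builds a page-table entry with the C-bit set, rejecting physical addresses that would collide with the C-bit or the reserved high bits. The sample register values in main() are constructed (C-bit at 47, one address bit lost) and are replaced by the real leaf when the host exposes it; the function and macro names are the example's own, not an official API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID Fn8000_001F: only EAX[1:0] and EBX[11:0] are decoded here. */
#define CPUID_MEM_ENCRYPT_LEAF  0x8000001Fu
#define MEM_ENCRYPT_SME         (1u << 0)      /* EAX[0]: SME supported */
#define MEM_ENCRYPT_SEV         (1u << 1)      /* EAX[1]: SEV supported */

/* Step 2: MemEncryptionModEn is bit 23 of the SYSCFG MSR (0xC0010010).
 * Writing it needs ring 0; the helper below only computes the value. */
#define MSR_AMD64_SYSCFG        0xC0010010u
#define SYSCFG_MEM_ENCRYPT_EN   (1ull << 23)

/* x86-64 4 KiB PTE: bits 51:12 hold the physical address, 11:0 the flags. */
#define PTE_PRESENT             (1ull << 0)
#define PTE_RW                  (1ull << 1)
#define PTE_PADDR_MASK          0x000FFFFFFFFFF000ull

struct mem_encrypt_info {
    bool     sme, sev;
    unsigned cbit_pos;        /* EBX[5:0]:  C-bit position, e.g. 47      */
    unsigned phys_reduction;  /* EBX[11:6]: physical address bits lost    */
    uint64_t cbit_mask;
};

/* Step 1: decode the raw Fn8000_001F registers. Pure, so it can be fed
 * constructed values on any host. Fails if neither SME nor SEV is reported
 * or the C-bit could not sit inside the PTE address field (bits 51:12). */
bool decode_fn8000001f(uint32_t eax, uint32_t ebx, struct mem_encrypt_info *mi)
{
    memset(mi, 0, sizeof *mi);
    mi->sme = (eax & MEM_ENCRYPT_SME) != 0;
    mi->sev = (eax & MEM_ENCRYPT_SEV) != 0;
    if (!mi->sme && !mi->sev)
        return false;
    mi->cbit_pos       = ebx & 0x3Fu;
    mi->phys_reduction = (ebx >> 6) & 0x3Fu;
    if (mi->cbit_pos < 12 || mi->cbit_pos > 51)
        return false;
    mi->cbit_mask = 1ull << mi->cbit_pos;
    return true;
}

uint64_t syscfg_enable_sme(uint64_t syscfg) { return syscfg | SYSCFG_MEM_ENCRYPT_EN; }

/* Usable physical address width with SME on: the width from CPUID
 * Fn8000_0008 EAX[7:0] minus the reduction from Fn8000_001F EBX[11:6]. */
unsigned usable_phys_bits(const struct mem_encrypt_info *mi, unsigned phys_bits)
{
    return phys_bits - mi->phys_reduction;
}

/* Step 3: build a PTE for paddr and, if requested, mark the page encrypted by
 * setting the C-bit. Unaligned or out-of-range addresses are rejected: an
 * address bit landing on the C-bit would silently flip the page's key. */
bool build_pte(const struct mem_encrypt_info *mi, uint64_t paddr, uint64_t flags,
               unsigned phys_bits, bool encrypt, uint64_t *pte)
{
    unsigned usable = usable_phys_bits(mi, phys_bits);
    if (paddr & 0xFFFull)
        return false;
    if (usable < 64 && (paddr >> usable) != 0)
        return false;
    *pte = (paddr & PTE_PADDR_MASK) | (flags & 0xFFFull);
    if (encrypt)
        *pte |= mi->cbit_mask;
    return true;
}

bool pte_is_encrypted(const struct mem_encrypt_info *mi, uint64_t pte) { return (pte & mi->cbit_mask) != 0; }
uint64_t pte_set_decrypted(const struct mem_encrypt_info *mi, uint64_t pte) { return pte & ~mi->cbit_mask; }

/* The C-bit is a key-select flag, not part of the address: strip it before
 * handing the address to anything that does not understand it. */
uint64_t pte_to_paddr(const struct mem_encrypt_info *mi, uint64_t pte)
{
    return pte & PTE_PADDR_MASK & ~mi->cbit_mask;
}

int main(void)
{
    /* Constructed sample registers (an assumption, not a captured CPUID dump). */
    uint32_t eax = MEM_ENCRYPT_SME | MEM_ENCRYPT_SEV, ebx = 47u | (1u << 6);
#if defined(__x86_64__) || defined(__i386__)
    if (__get_cpuid_max(0x80000000u, NULL) >= CPUID_MEM_ENCRYPT_LEAF) {
        unsigned a, b, c, d;
        __cpuid(CPUID_MEM_ENCRYPT_LEAF, a, b, c, d);   /* prefer the real leaf */
        eax = a; ebx = b;
    }
#endif
    struct mem_encrypt_info mi;
    uint64_t pte;
    if (!decode_fn8000001f(eax, ebx, &mi)) { puts("no SME/SEV support reported"); return 1; }
    printf("SME=%d SEV=%d C-bit=%u usable phys bits=%u SYSCFG=0x%llx\n", mi.sme, mi.sev,
           mi.cbit_pos, usable_phys_bits(&mi, 48), (unsigned long long)syscfg_enable_sme(0));
    if (build_pte(&mi, 0x12345000ull, PTE_PRESENT | PTE_RW, 48, true, &pte))
        printf("encrypted PTE=0x%016llx paddr=0x%llx\n", (unsigned long long)pte,
               (unsigned long long)pte_to_paddr(&mi, pte));
    return 0;
}
```

The reduction check in build_pte is the practical meaning of the "reserved address bits" note: once MemEncryptionModEn is set, a physical address that uses the top bits is not merely invalid, it can be misread as a request to encrypt or decrypt the page.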

HW MEMORY ENCRYPTION – SECURE ENCRYPTED VIRTUALIZATION (SEV)
• Protects VMs/Containers from each other, administrator tampering, and untrusted Hypervisor

• One key for Hypervisor and one key per VM, groups of VMs, or VM/Sandbox with multiple containers

• Cryptographically isolates the hypervisor from the guest VMs

• Integrates with existing AMD-V technology

• System can also run unsecure VMs


Download:

AMD Secure Encrypted Virtualization Git Repository