Linux To No Longer Enable AMD SME Usage By Default Due To Problems With Some Hardware

    Phoronix: Linux To No Longer Enable AMD SME Usage By Default Due To Problems With Some Hardware

    Being sent in as a fix for the Linux 5.15 kernel this morning and to be back-ported to existing stable series is a behavior change: the Linux kernel will no longer use AMD Secure Memory Encryption (SME) by default on supported hardware, instead making it opt-in due to shortcomings of some platforms...


  • #2
    due to shortcomings of some platforms
    1. Well that commit message
    2. is extremely helpful
    3. and lets me know if I need
    4. to tweak some settings with
    5. my Zen 2 B550 setup or not.
    6. If only a way existed to
    7. show those platforms in
    8. an easy to read manner.
    • I suppose the
    • world will never
    • know what
    • platforms need
    • manual intervention
    • or not.

    • #3
      Originally posted by skeevy420
      1. and lets me know if I need
      2. to tweak some settings with
      3. my Zen 2 B550 setup or not.
      Most likely no, as far as I know SME is only available on EPYCs, while Ryzen PRO platforms have TSME (which doesn't require kernel support) as an optional feature.

      Edit: the above doesn't seem to be the case. According to this answer and my tests normal Ryzens do support SME, but not SEV which is EPYC-exclusive. None of my systems seem to be activating it by default (no dmesg message). When tested on latest Proxmox 7 kernel 5.11.22-5-pve it activated with a 3700X only after adding mem_encrypt=on.
      Last edited by numacross; 17 October 2021, 11:46 AM.
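
A host-side check for the behaviour described in #3 (no dmesg message by default, SME active only after adding mem_encrypt=on), as an added example that is not part of any post in this thread. The function name, the state names and the loose match on the boot message are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. State names are made up for illustration.
# sme_state FLAGS CMDLINE DMESG -> prints one state word.
sme_state() {
    flags=$1 cmdline=$2 log=$3

    # 1. The CPU must list the "sme" flag in /proc/cpuinfo.
    if ! printf '%s\n' "$flags" | tr -s '[:space:]' '\n' | grep -qx 'sme'; then
        echo "unsupported"; return 0
    fi

    # 2. Last mem_encrypt= token on the kernel command line, if any.
    req=$(printf '%s\n' "$cmdline" | tr -s '[:space:]' '\n' |
          sed -n 's/^mem_encrypt=//p' | tail -n 1)

    # 3. Boot log line announcing SME. The wording differs between kernel
    #    versions (assumption), so match loosely and require "SME".
    if printf '%s\n' "$log" | grep -Ei 'memory encryption.*active' |
       grep -q 'SME'; then
        echo "active"; return 0
    fi

    case $req in
        off) echo "disabled-by-cmdline" ;;
        on)  echo "requested-not-confirmed" ;;  # log rotated, or SME not enabled
        *)   echo "inactive-default" ;;          # no opt-in, no activation message
    esac
}

# Live check on the local host (dmesg may need root).
if [ "${1:-}" = "--live" ]; then
    sme_state "$(grep -m1 '^flags' /proc/cpuinfo)" \
              "$(cat /proc/cmdline)" "$(dmesg 2>/dev/null)"
fi
```

Run it with `--live` to classify the current machine; without arguments it only defines the function.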

      • #4
        Looks like this bug has been brewing since July 2019: https://lists.linuxfoundation.org/pi...ly/037234.html

        • #5
          When 5.14 kernel first appeared in Debian Sid, I had to add the "mem_encrypt=no" kernel parameter during boot. Now it is no longer necessary.


          • #6
            I'm not surprised by this at all. New feature, very bug prone due to breaking lots of assumptions.

            Hopefully they can add some later indication of whether it's safe to enable it.

            I don't really care though. I'll never need this and frankly, the whole idea that you could not trust the host is absurd. If you're that worried that your host could be malicious, you should be buying your own servers not relying on the silicon to keep them honest.

            • #7
              Sigh. As much as I've enjoyed the performance & value of AMD platforms over the years, IOMMU support continues to be hot garbage.

              • #8
                I wonder how Windows manages to overcome this issue. Because I guess it supports SME by default, right?

                • #9
                  Originally posted by Developer12
                  I'm not surprised by this at all. New feature, very bug prone due to breaking lots of assumptions.

                  Hopefully they can add some later indication of whether it's safe to enable it.

                  I don't really care though. I'll never need this and frankly, the whole idea that you could not trust the host is absurd. If you're that worried that your host could be malicious, you should be buying your own servers not relying on the silicon to keep them honest.
                  Nevertheless, for people that use VMs either in the cloud or in an on-premises cloud, or who are merely security conscious like a bank should be, encrypted mem is valuable.

                  • #10
                    I do not follow.

                    The issue seems to be SME not working well in machines where IOMMU is disabled.

                    If both IOMMU and SME are available, what's the reason not to enable SME? Is there even any?
