From 969d4d82139b1c1793786b7a24c9eee3f4a1101c Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Tue, 16 Dec 2025 11:49:21 +1100
Subject: [PATCH] Add references for AMD SME

---
 .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index ad4169a..279463c 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -261,7 +261,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
 ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
 ## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI.
-## May cause boot failure on certain hardware with incompatible DMA masks.
+## May cause boot failure on certain hardware with incompatible DMA masks especially if IOMMU is disabled.
 ##
 ## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
 ## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
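Review bot: The rewritten warning line on the added `+## May cause boot failure ...` line reads better with a comma and the article, since "especially" introduces a qualifying clause: `## May cause boot failure on certain hardware with incompatible DMA masks, especially if the IOMMU is disabled.` If this file also carries IOMMU-related kernel parameters elsewhere (not visible in this hunk), a short cross-reference to that section would help a reader judge the risk before uncommenting `mem_encrypt=on`. The surrounding comment block continues beyond the hunk on both sides.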
@@ -269,9 +269,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
 ## https://github.com/AMDESE/AMDSEV
 ## https://en.wikichip.org/wiki/x86/sme
+## https://lore.kernel.org/all/YWRgN63FOrQGO8jS@zn.tnic/
 ## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84
 ## https://mricher.fr/post/amd-memory-encryption/
 ## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD
+## https://github.com/secureblue/secureblue/pull/1631#issuecomment-3655501478
 ## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"