From 99e993b885ca1fa30a871120b545f9334371cd5a Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 03:16:07 +0000 Subject: [PATCH 1/2] Provide options to enable AMD SME and SEV --- README.md | 3 +++ ..._kernel_hardening.cfg#security-misc-shared | 21 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/README.md b/README.md index 8c232ae..3596f74 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against + cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..962e37d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -237,6 +237,27 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). +## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. +## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. +## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). +## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. +## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## May cause boot failure on certain hardware with incompatible DMA masks. +## +## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html +## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html +## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper +## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more +## https://en.wikichip.org/wiki/x86/sme +## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84 +## https://mricher.fr/post/amd-memory-encryption/ +## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD +## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393 +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From 62dc2d448366d190812773ec9eeadd38e1223cbc Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Tue, 18 Nov 2025 20:31:46 +1100 Subject: [PATCH 2/2] Add note about Intel TME --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 962e37d..61aad7c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -243,6 +243,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI. ## May cause boot failure on certain hardware with incompatible DMA masks. ## ## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
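Review bot: In the README.md hunk, the new "Optional" bullet does not tell the reader that both settings ship commented out, or where to turn them on, and it omits the boot-failure caveat that the cfg comment carries; a reader who only consults the README will not see either. Suggest extending the bullet along the lines of "Shipped disabled; uncomment the relevant lines in /etc/default/grub.d/40_kernel_hardening.cfg after enabling SME in the BIOS/UEFI, as it may cause boot failure on hardware with incompatible DMA masks." The "Optional - On compatible" dash also differs from the other bullets in this list, which open directly with the action.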
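Review bot: In the 40_kernel_hardening.cfg hunk of patch 1, the two commented-out lines are independent of each other, yet the comment block itself says SEV "extends SME"; nothing tells the user that `kvm_amd.sev=1` on its own, without `mem_encrypt=on`, is not the configuration the block describes, nor that `kvm_amd.sev=1` is a module parameter of kvm_amd and so only matters on a host that runs KVM guests. Suggest a one-line comment directly above each option, for example "## Host memory encryption (required for SEV below)" and "## KVM hosts only; requires mem_encrypt=on above". The sentence "Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME" also reads as though TSME is the thing that is unavailable; reordering to "SME is likely unavailable on consumer-grade AMD CPUs; there, Transparent SME (TSME) can instead be enabled in the BIOS/UEFI" would remove the ambiguity.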
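Review bot: In the patch 2 hunk, the Intel TME note is inserted between the AMD TSME sentence and "May cause boot failure on certain hardware with incompatible DMA masks", so the boot-failure caveat now reads as if it might apply to Intel TME as well, while the two `#GRUB_CMDLINE_LINUX` options below are AMD-specific. Suggest moving the TME line to after the boot-failure caveat (before the URL list) and stating that the kernel parameters below do not apply to Intel systems, for example "## On Intel CPUs the corresponding Total Memory Encryption (TME) is enabled via the BIOS/UEFI only; the parameters below are AMD-specific."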