
Server Gurus Discussions

glenntu
Journeyman III

EPYC SME


Is there a way to demonstrate SME is in effect for my processor (EPYC 7000)? What if the Linux kernel is not supporting it? How would I know?


Accepted Solutions
jesse_amd
Staff

Re: EPYC SME


Hello glenntu,

I moved your question to AMD Server Gurus so we can help you.

Secure Memory Encryption (SME) requires Linux mainline kernel version 4.14 or that it is enabled directly in your BIOS. If you are using BIOS encryption, SME will be invisible to the OS. I would also recommend that you contact your OS vendor and ask them for a timeline of when their SME support is enabled.


2 Replies

abucodonosor
Adept III

Re: EPYC SME


@jesse_amd

I have SME and SVE enabled in BIOS, and ofc a kernel with SME support and booted with SME enabled will show you that.

$ sudo journalctl -b | grep -i '(SME)'

Apr 04 18:29:41 localhost kernel: AMD Secure Memory Encryption (SME) active
...

glemeur

Like jesse pointed out, you need a kernel >= 4.14.x.

First check whether your distribution enabled that support:

zgrep CONFIG_AMD_MEM_ENCRYPT /proc/config.gz
CONFIG_AMD_MEM_ENCRYPT=y <-- support enabled
# CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set <-- most will look like this so no worries

If your kernel supports that, the next step is to enable it. For that, simply append to your bootloader:

mem_encrypt=on

Once booted you can just run "dmesg | grep -i '(SME)'" to see whether it is enabled or not.

Regards
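
The three checks from this thread (kernel config, boot parameter, kernel log line) combined into one verdict, as an added example that is not part of any post above. The function names and verdict strings are hypothetical, and the sample input is constructed; each function takes a file path so saved copies of the config, /proc/cmdline and the kernel log can be inspected offline.

```shell
#!/bin/sh
# Added example (not from the thread): fold the three checks into one verdict.
# Arguments are file paths, so saved copies of the kernel config, /proc/cmdline
# and `journalctl -b` / `dmesg` output can be inspected offline.

sme_config_state() {   # $1 = decompressed kernel config
    if ! grep -q '^CONFIG_AMD_MEM_ENCRYPT=y' "$1"; then
        echo unsupported
    elif grep -q '^CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y' "$1"; then
        echo default-on
    else
        echo default-off
    fi
}

sme_requested() {      # $1 = kernel command line; matches whole tokens only
    tr ' ' '\n' < "$1" | grep -qx 'mem_encrypt=on'
}

sme_log_active() {     # $1 = kernel log text
    grep -qF 'AMD Secure Memory Encryption (SME) active' "$1"
}

sme_verdict() {        # $1 = config, $2 = cmdline, $3 = kernel log
    if sme_log_active "$3"; then echo active; return; fi
    case "$(sme_config_state "$1")" in
        unsupported) echo no-kernel-support ;;
        default-off) if sme_requested "$2"; then echo requested-not-active
                     else echo not-requested; fi ;;
        default-on)  echo requested-not-active ;;
    esac
}

# Constructed sample input, modelled on the lines quoted in the thread.
sme_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_AMD_MEM_ENCRYPT=y' \
        '# CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set' > "$d/config"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$d/cmdline"
    echo 'kernel: Linux version (constructed sample)' > "$d/log"
    sme_verdict "$d/config" "$d/cmdline" "$d/log"    # prints: not-requested
    rm -rf "$d"
}
sme_demo
```

Per the accepted answer, encryption enabled only in the BIOS is invisible to the OS, so any verdict other than `active` describes kernel-managed SME only. Prefer `journalctl -b` output as the log input, since the dmesg ring buffer can lose early boot messages.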