[RFC v2 00/13] Multi-Key Total Memory Encryption API (MKTME)

Dave Hansen dave.hansen at intel.com
Sat Dec 8 01:11:58 UTC 2018


On 12/7/18 3:53 PM, Andy Lutomirski wrote:
> The third problem is the real show-stopper, though: this scheme
> requires that the ciphertext go into predetermined physical
> addresses, which would be a giant mess.

There's a more fundamental problem than that.  The tweak fed into the
actual AES-XTS operation is determined by the firmware, programmed into
the memory controller, and is not visible to software.  So, not only
would you need to put stuff at a fixed physical address, the tweaks can
change from boot-to-boot, so whatever you did would only be good for one
boot.



More information about the Linux-security-module-archive mailing list