
Conversation

@raja-grewal
Contributor

This pull request enables SME and SEV in supported AMD processors.

As discussed in #338 and #341.

This has also been suggested by me and approved in secureblue/secureblue#1631.

Changes

Sets the following kernel boot parameters:

mem_encrypt=on
kvm_amd.sev=1
kvm_amd.sev_es=1
kvm_amd.sev_snp=1

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@ArrayBolt3
Contributor

This is a bit scary to me. While it does appear that the only really affected devices are Raven Ridge APUs (since they require the IOMMU to be in passthrough mode), there are very likely users still using hardware from 2018 with Kicksecure in the wild, so I don't think we can easily discount the number of users this could affect (especially since so many of them showed up in 2021 at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994453 when Debian got AMD SME enabled by default). As that bug report shows, the results of this can range anywhere from "framebuffer driver used instead of amdgpu" to "early boot kernel panic, system becomes impossible to use and one can't even see the panic message". If we enable this, it will affect all kernels, so a user who doesn't know what they're doing can't simply boot into an older kernel to recover. They have to know that AMD SME is the problem and disable it in the GRUB command line, which most users probably won't know and will have a hard time figuring out on their own.

If there was a way for us to detect at runtime whether a Raven Ridge GPU was in use or not, and enable this option if not, I would be a lot more comfortable with this. That would require some facility to detect extra hardening measures that the running system supports though, which we don't really have yet. @adrelanos Maybe that would be something we could add?
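Putting the two halves of this thread together, the following is an added example written for this page; it is not code from security-misc or Kicksecure. It assembles the four parameters from the PR description, refuses to emit them on the Raven Ridge hardware the comment above is worried about, and reports which of the parameters are still absent from /proc/cmdline after a reboot. The hardware identifiers are assumptions to verify against real machines: it treats "cpu family : 23" with "model : 17" in /proc/cpuinfo as Raven Ridge, and vendor:device 1002:15dd in `lspci -n` as the Raven Ridge iGPU. It also goes one step beyond the PR: the kvm_amd.sev* parameters are only added when the matching sev, sev_es and sev_snp flags appear in /proc/cpuinfo.

```shell
#!/bin/sh
# Added example, not security-misc/Kicksecure code. Builds the SME/SEV kernel
# parameter string from the PR, skips it on Raven Ridge hardware, and checks
# /proc/cmdline after a reboot. Hardware identifiers below are assumptions.

# The four parameters set by the PR.
SME_SEV_PARAMS="mem_encrypt=on kvm_amd.sev=1 kvm_amd.sev_es=1 kvm_amd.sev_snp=1"

# cpu_has_flag FLAGS NAME: 0 if NAME is a word of FLAGS (a /proc/cpuinfo "flags" line).
cpu_has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_raven_ridge_cpu FAMILY MODEL
# Assumption: Raven Ridge reports "cpu family : 23" and "model : 17".
is_raven_ridge_cpu() {
    [ "$1" = "23" ] && [ "$2" = "17" ]
}

# has_raven_ridge_gpu LSPCI_N_OUTPUT
# Assumption: the Raven Ridge iGPU appears as vendor:device 1002:15dd in `lspci -n`.
has_raven_ridge_gpu() {
    case "$1" in
        *1002:15dd*) return 0 ;;
        *) return 1 ;;
    esac
}

# sme_sev_params FLAGS FAMILY MODEL LSPCI_N_OUTPUT
# Prints the parameters to add. Exit status: 0 ok, 1 CPU has no SME,
# 2 Raven Ridge detected (SME breaks amdgpu/boot there, so keep it off).
sme_sev_params() {
    flags="$1"; family="$2"; model="$3"; pci="$4"
    cpu_has_flag "$flags" sme || return 1
    if is_raven_ridge_cpu "$family" "$model" || has_raven_ridge_gpu "$pci"; then
        return 2
    fi
    params="mem_encrypt=on"
    # Only hand kvm_amd the SEV knobs the CPU actually advertises.
    cpu_has_flag "$flags" sev     && params="$params kvm_amd.sev=1"
    cpu_has_flag "$flags" sev_es  && params="$params kvm_amd.sev_es=1"
    cpu_has_flag "$flags" sev_snp && params="$params kvm_amd.sev_snp=1"
    printf '%s\n' "$params"
}

# missing_params CMDLINE PARAMS: prints the words of PARAMS absent from CMDLINE
# (the content of /proc/cmdline); exit status 1 if any are missing.
missing_params() {
    missing=""
    for p in $2; do
        case " $1 " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Live run against the real machine. Usage: sh sme-sev-check.sh --live
if [ "${1:-}" = "--live" ]; then
    flags=$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo)
    family=$(awk -F: '/^cpu family/ { gsub(/[ \t]/, "", $2); print $2; exit }' /proc/cpuinfo)
    model=$(awk -F: '/^model[ \t]*:/ { gsub(/[ \t]/, "", $2); print $2; exit }' /proc/cpuinfo)
    pci=$(command -v lspci >/dev/null 2>&1 && lspci -n)
    rc=0
    params=$(sme_sev_params "$flags" "$family" "$model" "$pci") || rc=$?
    case $rc in
        0) echo "add to the kernel command line: $params" ;;
        1) echo "CPU does not advertise SME; nothing to enable" ;;
        2) echo "Raven Ridge detected; leaving SME/SEV off" ;;
    esac
    if m=$(missing_params "$(cat /proc/cmdline)" "$SME_SEV_PARAMS"); then
        echo "current /proc/cmdline already carries all four PR parameters"
    else
        echo "not on the current command line: $m"
    fi
fi
```

Run it with `--live` before and after the reboot: the first run tells you whether this machine should get the parameters at all, the second confirms that the boot loader actually passed them. How the resulting string is fed into the boot loader is left to the project's own kernel-parameter mechanism. If a machine does fail to boot with these parameters, `mem_encrypt=off` on the kernel command line turns SME back off, which is the GRUB-level recovery the comment above refers to.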
