How to Check if AMD CPU’s SME Feature is Enabled


More recent AMD CPUs have a feature named Secure Memory Encryption (SME) which, if available, can be explicitly enabled by adding this parameter to the Linux command line:

mem_encrypt=on

(according to https://libvirt.org/kbase/launch_security_sev.html)

I am unsure if my system (with an AMD EPYC CPU) has this feature enabled (i.e. if the feature might be on by default anyway).

My question is how to check if the AMD SME feature is enabled?

Since https://www.kernel.org/doc/html/latest/x86/amd-memory-encryption.html suggests that:

If support for SME is present, MSR 0xc00100010 (MSR_K8_SYSCFG) can be
used to determine if SME is enabled and/or to enable memory
encryption:

I have run these commands (on Debian 10):

apt-get install msr-tools
rdmsr --raw 0xc0010010  | xxd -b

which presented me with this output:

00000000: 00000000 00000000 11110100 00000000 00000000 00000000  ......
00000006: 00000000 00000000

where according to the source quoted the 23rd bit indicates if SME is indeed enabled/active (=1) or not (=0).

If the above is indeed the correct way to test this, a confirmation may be considered a valid answer, ideally of course providing some background.
Otherwise, I would be very happy to be able to check the state of SME on a running Linux system.

Best Answer

If SME is supported (CPUID shows the corresponding bit set) and enabled (the appropriate MSR bit is set), /proc/cpuinfo will contain the sme flag. You can verify this by looking at the kernel code which detects SME: the SME feature, which is reflected directly in /proc/cpuinfo, is cleared if SME isn’t fully enabled.

You should also see corresponding messages in the kernel boot logs:

AMD Memory Encryption Features active: SME

if SME is active,

AMD Memory Encryption Features active: SEV SEV-ES

if SEV and/or SEV-ES are active.

See also What do the flags in /proc/cpuinfo mean?
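The three indicators discussed in the question and answer (MSR bit 23, the `sme` flag, the boot-log line) can be decoded as below. This is an added example, not part of the original question or answer; the function names and the sample flag lines are constructed, and the MSR bytes are the ones shown in the question's `xxd -b` dump.

```shell
#!/bin/sh
# Added example (not from the original post): decode the SME indicators offline.

# Bytes 0..7 of the `rdmsr --raw 0xc0010010 | xxd -b` dump in the question,
# rewritten as hex in the order they were printed (lowest byte first).
QUESTION_MSR_BYTES="00 00 f4 00 00 00 00 00"

# Constructed /proc/cpuinfo flag lines: one without and one with the sme flag.
SAMPLE_FLAGS_OFF="flags : fpu vme smep smap sev"
SAMPLE_FLAGS_ON="flags : fpu vme smep smap sme sev"

# Reassemble a little-endian byte dump into one hex value (0x...).
raw_bytes_to_hex() {
    out=""
    for b in "$@"; do out="${b}${out}"; done
    printf '0x%s\n' "$out"
}

# Succeeds when bit 23 of the given MSR_K8_SYSCFG value is set.
msr_sme_enabled() {
    [ $(( ($1 >> 23) & 1 )) -eq 1 ]
}

# Succeeds when the flags line on stdin has "sme" as a whole word;
# a plain substring match would also hit smep.
cpuinfo_has_sme() {
    grep -m1 '^flags' | grep -qw 'sme'
}

# Prints the feature list from the boot-log line the answer quotes.
bootlog_features() {
    sed -n 's/.*AMD Memory Encryption Features active: *//p' | head -n 1
}

# On a live system (root, msr kernel module loaded):
#   msr_sme_enabled "0x$(rdmsr 0xc0010010)" && echo "MSR bit 23 set"
#   cpuinfo_has_sme < /proc/cpuinfo && echo "sme flag present"
#   dmesg | bootlog_features
```

Because `rdmsr --raw` emits the register lowest byte first, the third byte in the dump (`11110100`) holds bits 16 to 23, and its leading `1` is bit 23.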
