Is Secure Memory Encryption supported on my AMD platform?

AMD's SME (Secure Memory Encryption) feature was first enabled in Red Hat Enterprise Linux 7.5. This technology encrypts system memory with a single key that is generated by the AMD Secure Processor at boot.

SME must be enabled in either the system BIOS or the operating system. When enabled in the BIOS, memory encryption is transparent to the operating system and can be used with any operating system. However, this feature is turned off by default on all systems booting the Red Hat Enterprise Linux kernel and must be turned on with a kernel boot parameter.

At this time there are known issues when running SME on Red Hat Enterprise Linux 7 and 8. The kdump utility, RHEL's kernel crash dumping mechanism, is currently incompatible with some systems running in SME-enabled mode. It could be necessary to disable SME before attempting to capture a kdump for debugging purposes. Red Hat Quality Engineering has also seen issues with select storage controllers which can cause the system to encounter boot failures when SME is enabled. Due to the issues discovered with this technology, certification of systems with AMD Epyc processors was conducted with SME disabled. Once the AMD SME technology has stabilized, certification will be conducted with SME enabled.

Red Hat is committed to enabling the SME technology and is working with our partners AMD, Dell, and HPE to resolve these issues as quickly as possible. Until that time Red Hat recommends you do not enable SME on your production systems. If you experience SME-related issues on your AMD Epyc systems you are encouraged to report them in the Red Hat Customer Portal so Red Hat Engineering and Quality Engineering Teams can work with our OEM partners to resolve them as quickly as possible.

To verify if SME is currently active on a system, use the following command:

# dmesg|grep -i sme

If SME is enabled and active, the following output should be seen:

[    0.000000] AMD Secure Memory Encryption (SME) active

To disable SME on affected systems, look for and remove the following kernel boot parameter:

mem_encrypt=on

Then reboot the system to disable Secure Memory Encryption. If SME is enabled in the system BIOS, contact your OEM provider for details on how to correctly disable the technology before attempting a kdump.
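The check and the disable step above can be scripted so that the same logic is run on every Epyc host before a kdump is attempted. The following is an added example and not part of the Red Hat article: it classifies a host's SME state from the dmesg line the article quotes and from the mem_encrypt=on boot parameter, and additionally reads the "sme" feature flag from /proc/cpuinfo, which the kernel exposes when the processor supports SME regardless of whether it is active. The function names, the constructed sample input, and the choice to remove the parameter word by word (rather than with a regular expression) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article. Every function takes its
# input as an argument so it can be run against the constructed sample text
# below or against the live system.

# Exit 0 if the cpuinfo flags line ($1) lists the "sme" feature flag
# (hardware support, independent of whether SME is active).
sme_flag_in_cpuinfo() {
    printf '%s\n' "$1" | grep -qw 'sme'
}

# Exit 0 if the dmesg text ($1) contains the "SME active" line the article quotes.
sme_active_in_dmesg() {
    printf '%s\n' "$1" | grep -qi 'Secure Memory Encryption (SME) active'
}

# Exit 0 if the kernel command line ($1) carries the mem_encrypt=on parameter.
mem_encrypt_on_in_cmdline() {
    printf '%s\n' "$1" | grep -qw 'mem_encrypt=on'
}

# Print one of: unsupported (no sme flag), inactive, active.
# $1 = cpuinfo flags line, $2 = dmesg text.
sme_state() {
    if ! sme_flag_in_cpuinfo "$1"; then
        echo unsupported
    elif sme_active_in_dmesg "$2"; then
        echo active
    else
        echo inactive
    fi
}

# Print the command line ($1) with mem_encrypt=on removed, word by word, so the
# result can be written back to GRUB_CMDLINE_LINUX in /etc/default/grub.
# Runs in a subshell with globbing off so no word is expanded as a pattern.
strip_mem_encrypt() {
    (
        set -f
        out=""
        for w in $1; do
            [ "$w" = "mem_encrypt=on" ] && continue
            out="${out:+$out }$w"
        done
        printf '%s\n' "$out"
    )
}

# Constructed sample input standing in for /proc/cpuinfo, /proc/cmdline and
# dmesg on an Epyc host booted with SME turned on via the kernel parameter.
SAMPLE_FLAGS='flags : fpu vme de pse tsc msr pae mce cx8 apic sep sme sev'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet mem_encrypt=on'
SAMPLE_DMESG='[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet mem_encrypt=on
[    0.000000] AMD Secure Memory Encryption (SME) active'

echo "sample host: SME $(sme_state "$SAMPLE_FLAGS" "$SAMPLE_DMESG")"
if mem_encrypt_on_in_cmdline "$SAMPLE_CMDLINE"; then
    echo "sample host: mem_encrypt=on present; command line without it:"
    echo "  $(strip_mem_encrypt "$SAMPLE_CMDLINE")"
fi

# Live check on this host (dmesg may require root; missing input is treated
# as empty, which reports "unsupported" or "inactive" rather than failing).
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    LIVE_FLAGS=$(grep -m1 '^flags' /proc/cpuinfo || true)
    LIVE_DMESG=$(dmesg 2>/dev/null || true)
    echo "this host: SME $(sme_state "$LIVE_FLAGS" "$LIVE_DMESG")"
    if mem_encrypt_on_in_cmdline "$(cat /proc/cmdline)"; then
        echo "this host: mem_encrypt=on present on the running kernel command line"
    fi
fi
```

The script only reports; it does not edit boot configuration. On RHEL the parameter is normally removed from the installed kernel entries with grubby (for example `grubby --update-kernel=ALL --remove-args=mem_encrypt=on`) or by editing GRUB_CMDLINE_LINUX in /etc/default/grub and regenerating grub.cfg, followed by the reboot the article describes. A host that reports "active" without mem_encrypt=on on its command line has SME enabled elsewhere, which is the BIOS case the article says to take up with the OEM.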