Is there a guide or a demo showing the steps for enabling TME in BIOS and then evaluating whether the DRAM is encrypted correctly?
https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/total-memory-encrpytion.html
The following picture shows that when 'Total Memory Encryption Bypass' is disabled, it indicates that TME is enabled. Is that right?
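One way to confirm on Linux that the BIOS setting actually took effect, added here as an example that is not part of the thread or Intel's material: it decodes IA32_TME_ACTIVATE (MSR 0x982) with the bit positions the Linux kernel's detect_tme() uses. Reading the live MSR assumes root and the `msr` kernel module.

```python
"""Check whether BIOS actually enabled Intel TME by decoding IA32_TME_ACTIVATE.

Added example (not code from the thread or from Intel). Bit layout follows the
definitions used by the Linux kernel's detect_tme() in arch/x86/kernel/cpu/intel.c.
Reading the live MSR assumes root and the 'msr' kernel module (modprobe msr).
"""
import struct

MSR_IA32_TME_ACTIVATE = 0x982
TME_POLICY_AES_XTS_128 = 0  # the only policy value the Linux kernel accepts


def decode_tme_activate(value):
    """Split the 64-bit MSR value into the fields the kernel looks at."""
    return {
        "locked": bool(value & 0x1),            # bit 0: BIOS locked the MSR
        "enabled": bool(value & 0x2),           # bit 1: hardware encryption on
        "policy": (value >> 4) & 0xF,           # bits 4-7: 0 = AES-XTS-128
        "keyid_bits": (value >> 32) & 0xF,      # bits 32-35: >0 means TME-MK key IDs
        "crypto_algs": (value >> 48) & 0xFFFF,  # bits 48-63: enabled algorithm mask
    }


def tme_enabled_by_bios(value):
    """Same test the kernel applies before it logs 'x86/tme: enabled by BIOS'."""
    d = decode_tme_activate(value)
    return d["locked"] and d["enabled"] and d["policy"] == TME_POLICY_AES_XTS_128


def read_msr(msr, cpu=0):
    """Read one MSR via the msr driver; the file offset is the MSR number."""
    with open(f"/dev/cpu/{cpu}/msr", "rb") as f:
        f.seek(msr)
        (val,) = struct.unpack("<Q", f.read(8))
    return val


if __name__ == "__main__":
    try:
        v = read_msr(MSR_IA32_TME_ACTIVATE)
    except OSError as e:
        raise SystemExit(f"cannot read MSR 0x982 (need root and 'modprobe msr'): {e}")
    print(f"IA32_TME_ACTIVATE = {v:#018x}")
    for name, field in decode_tme_activate(v).items():
        print(f"  {name:12} {field}")
    print("TME enabled by BIOS:", tme_enabled_by_bios(v))
```

`dmesg | grep -i tme` is a cross-check that needs no msr module (the kernel logs `x86/tme: enabled by BIOS` or `x86/tme: not enabled by BIOS` at boot); neither method reports the separate TME Bypass option, which is only visible in the BIOS setup itself.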
The TME Bypass feature is used to allow non-trusted software (i.e., standard, non-confidential VMs that aren't utilizing Intel TDX) to automatically bypass the memory encryption flows in the memory subsystem/controller. You can read a bit more about it at this link: Performance Considerations: Intel® Trust Domain Extensions
Thank you very much for your response. Our application scenario is as follows:
- User A will deploy their Intel server (which supports Intel TME) in User B's local area network data center.
- User A will deploy an application developed by A (such as a web service) on the server, and User A will deploy their data and code on the Intel server in B's data center.
- User A will only provide B with an HTTPS interface, and User A will independently maintain the Intel server, with only A having login access.
- Based on the above description, A wishes to use the Intel TME mechanism to encrypt memory to defend against physical attacks (such as cold boot attacks and memory dump attacks) from B's data center (e.g., by B's data center personnel).
- A wants to enable TME directly in the BIOS (without needing TDX or TME-MK), so that A does not need to make any modifications to the system software (Linux kernel) or application software.
Therefore, the question in this scenario is: since we only need Intel TME, Intel TME Bypass must be configured as disabled to ensure the security of A's data, correct?
