Trusted Memory Zone Support Coming To AMD APUs in Linux Kernel 5.6
Support for Trusted Memory Zones on AMD APUs has been merged into the linux-next tree, which makes it highly likely that Linux 5.6 will ship code allowing the amdgpu driver to encrypt the shared system memory it uses. Regular programs running on the CPU will not be able to read or write the TMZ memory areas.
written by Öyvind Sæther. published 2019-01-06 - last edited 2020-01-07
AMD added "High-bandwidth Digital Content Protection" (HDCP) support to the upcoming 5.5 Linux kernel, which is currently on its fifth release candidate. A close-up inspection of a patch from September 2019, merged into linux-next in late November, reveals that AMD GPUs will soon support HDCP 2.2 digital restrictions management as well. AMD's push towards Digital Restrictions Management (DRM) in the Linux kernel does not end there.
My close-up inspection of a huge code commit to the amdgpu driver, merged into linux-next on January 6th, 2020, reveals that AMD is quietly adding support for "Trusted Memory Zone" (TMZ) memory encryption to its RAVEN and RENOIR APUs (both of which have Vega-based graphics). The purpose of this code is to make the CPU side of an AMD APU unable to read the shared system memory used by the GPU side. Only "trusted" engines on the GPU will have access to the encrypted system memory within the TMZ.
"Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety."
The linux-next changes to drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c indicate that TMZ support will be "auto" enabled on supported Vega-based APUs. There will be an amdgpu.tmz= module parameter for those who want to disable this anti-feature.
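As an added example (this is not code from the article or from AMD's driver), the following POSIX shell script shows how an administrator can check whether amdgpu.tmz= has been set on the kernel command line, read the effective value from sysfs when the module is loaded, and produce the modprobe.d line that opts out. The mapping of values (0 = disabled, 1 = forced on, absent or any other value = the driver's "auto" default) and the sysfs path are assumptions based on the article's description of the parameter; confirm them with modinfo -p amdgpu on your own kernel. The command line used in the demo at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the article or of the amdgpu driver.
#
# Assumed semantics of the module parameter (verify with `modinfo -p amdgpu`):
#   amdgpu.tmz=0   -> TMZ disabled
#   amdgpu.tmz=1   -> TMZ forced on
#   absent / other -> driver default ("auto", as the article describes it)

# tmz_from_cmdline CMDLINE
# Prints the value of the last amdgpu.tmz=... token on a kernel command line,
# or "unset" if the parameter does not appear. Last-wins matches how the
# kernel treats repeated parameters.
tmz_from_cmdline() {
    _val=unset
    for _tok in $1; do
        case "$_tok" in
            amdgpu.tmz=*) _val=${_tok#amdgpu.tmz=} ;;
        esac
    done
    printf '%s\n' "$_val"
}

# tmz_describe VALUE
# Maps a raw parameter value to a human-readable state.
tmz_describe() {
    case "$1" in
        0)     printf 'disabled\n' ;;
        1)     printf 'enabled\n' ;;
        unset) printf 'auto (driver default)\n' ;;
        *)     printf 'auto (value %s)\n' "$1" ;;
    esac
}

# tmz_sysfs_value
# On a live system with amdgpu loaded, the effective parameter value is
# assumed to be exported under /sys/module/amdgpu/parameters/. Prints it, or
# "unavailable" when the module is not loaded, so the script still runs on a
# machine without an AMD GPU.
tmz_sysfs_value() {
    _f=/sys/module/amdgpu/parameters/tmz
    if [ -r "$_f" ]; then cat "$_f"; else printf 'unavailable\n'; fi
}

# modprobe_disable_line
# The line to put in /etc/modprobe.d/amdgpu-tmz.conf (hypothetical file name)
# to opt out of TMZ. Regenerate the initramfs afterwards if amdgpu is loaded
# early in boot, otherwise the setting is not picked up.
modprobe_disable_line() {
    printf 'options amdgpu tmz=0\n'
}

# --- demo on a constructed command line (not captured from a real system) ---
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 quiet amdgpu.tmz=0 amdgpu.dc=1'
v=$(tmz_from_cmdline "$SAMPLE_CMDLINE")
echo "constructed cmdline: amdgpu.tmz is $v -> $(tmz_describe "$v")"
echo "running system (sysfs): $(tmz_sysfs_value)"
echo "to disable TMZ: $(modprobe_disable_line)"
```

Run it on a real machine with tmz_from_cmdline "$(cat /proc/cmdline)" to check the actual boot parameters; the sysfs reading is the value the driver actually saw, which is the one that matters if a modprobe.d file and the kernel command line disagree.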
"High-bandwidth Digital Content Protection" and other Digital Restrictions Management schemes are not very effective if you can pull the display's framebuffer out of shared system memory. That is where the "Trusted Memory Zone" scheme comes into play. Commercial content distributors will be able to trust that end-users cannot freely access the contents of their own computer's "Trusted Memory Zone".
When asked, AMD developer Alex Deucher had this to say about the TMZ technology:
"Trusted memory zone is useful for anything you want to prevent software access to.
TMZ just provides a mechanism where only engines in trusted mode can access pages mapped as TMZ on the GPU.
Copying from the encrypted to unencrypted memory on the GPU is not allowed by the hardware. Once it's encrypted, it can't be decrypted."
TMZ support is coming. It's happening. You cannot stop it. It is in linux-next. It is too late. The good news is that it will only be available on AMD APUs and that it will be possible to disable it. The bad news is that web browsers and browser plugins for playing DRM content like Netflix and Disney+ will likely require TMZ on AMD APUs (or a similar scheme on Intel iGPUs) in the future.