Memory Encryption

The Memory Subsystem (MSS) provides 128-bit AES-XTS encryption functionality for data stored in DRAM to protect secure content from hardware snooping attacks. Write data stored in certain regions of DRAM (TZ and GSC carveouts) is encrypted before reaching the DRAM. Read data is decrypted on its way back from the DRAM before being returned to the requesting client. Except for the increased read latency for decrypting data, this functionality is transparent to software.

A Generalized Security Carveout (GSC) is a type of aperture/carveout with configurable functionality that designates a region of the physical address space. Access from different clients to the region is controlled by registers in the Memory Controller (MC).

In T264, DRAM not protected by TZ and GSC carveouts (non-secure DRAM) can also be set to encrypt all data that comes in and decrypt all data that goes out through the MC/EMC.

The BCT flag enable_nsdram_encryption is set by default to enable DRAM encryption on the T264 Jetson boards. When the flag is set, the bootloader (MB1 or UEFI) reports that encryption is enabled. The latency of encrypting and decrypting all DRAM traffic is low and unlikely to affect DRAM performance.
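The AES-XTS property the MSS relies on, shown as an added example rather than NVIDIA code: the key, the 64-byte data unit and the address-to-tweak mapping are assumptions, since the page does not describe the hardware's key or tweak scheme, and the cipher comes from the Python cryptography package.

```python
import struct
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# AES-128-XTS needs two 128-bit keys (one for data, one for the tweak): 32 bytes.
# Constructed fixed key so the example is reproducible; not a real MSS key.
KEY = bytes(range(32))
LINE = 64  # assumption: one 64-byte DRAM line is the XTS data unit

def tweak_for(phys_addr: int) -> bytes:
    """Map a physical address to a 16-byte tweak (assumed scheme: line index)."""
    return struct.pack("<QQ", phys_addr // LINE, 0)

def encrypt_line(plaintext: bytes, phys_addr: int) -> bytes:
    """Write path: AES-XTS under the tweak for the line's location."""
    enc = Cipher(algorithms.AES(KEY), modes.XTS(tweak_for(phys_addr))).encryptor()
    return enc.update(plaintext) + enc.finalize()

def decrypt_line(ciphertext: bytes, phys_addr: int) -> bytes:
    """Read path: the same location tweak recovers the plaintext for the client."""
    dec = Cipher(algorithms.AES(KEY), modes.XTS(tweak_for(phys_addr))).decryptor()
    return dec.update(ciphertext) + dec.finalize()

def demo() -> dict:
    plain = b"secure content".ljust(LINE, b".")   # constructed 64-byte line
    a, b = 0x8000_0000, 0x8000_0040                 # two adjacent DRAM lines
    ct_a, ct_b = encrypt_line(plain, a), encrypt_line(plain, b)
    # Flip one bit in the second 16-byte block of the stored ciphertext.
    tampered = bytearray(ct_a)
    tampered[20] ^= 0x01
    recovered = decrypt_line(bytes(tampered), a)
    return {
        # Identical data at two addresses looks different on the DRAM bus.
        "position_dependent": ct_a != ct_b,
        # The normal read path round-trips.
        "round_trip": decrypt_line(ct_a, a) == plain,
        # Ciphertext read back at a different address does not yield the data.
        "relocation_fails": decrypt_line(ct_a, b) != plain,
        # XTS gives confidentiality only: a flipped bit is not detected, it just
        # garbles the affected 16-byte block while the other blocks stay intact.
        "tamper_undetected": recovered[16:32] != plain[16:32]
                             and recovered[:16] == plain[:16]
                             and recovered[32:] == plain[32:],
    }

if __name__ == "__main__":
    print(demo())
```

The last check is the caveat to keep in mind when reading the page: DRAM encryption hides content from a bus snooper but, being AES-XTS, provides no integrity protection on its own.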