I'm not sure about POWER, but in AMD EPYC it is implemented at the hypervisor level. So each VM can have encrypted memory with a unique key, but within a VM the processes see unencrypted memory.
It's typically implemented as an extension of the virtual memory page table, and conceptually it wouldn't be too difficult to have finer-grained keys, such as one for the kernel and one for user mode processes, or even one per process.
Interesting. Does that allay the concerns about speculative execution side channel leaks in cloud VMs? (Because even if you can leak data from other VMs running on the same physical device, that data will be garbage without the other VM's encryption key.)