Re: [RFC Patch 1/2] KVM: SVM: Create SEV cgroup controller.
From: James Bottomley
Date: Tue Nov 03 2020 - 11:39:17 EST
On Mon, 2020-09-21 at 18:22 -0700, Sean Christopherson wrote:
> On Mon, Sep 21, 2020 at 06:04:04PM -0700, Randy Dunlap wrote:
> > Hi,
> >
> > On 9/21/20 5:40 PM, Vipin Sharma wrote:
> > > diff --git a/init/Kconfig b/init/Kconfig
> > > index d6a0b31b13dc..1a57c362b803 100644
> > > --- a/init/Kconfig
> > > +++ b/init/Kconfig
> > > @@ -1101,6 +1101,20 @@ config CGROUP_BPF
> > > BPF_CGROUP_INET_INGRESS will be executed on the ingress path
> > > of
> > > inet sockets.
> > >
> > > +config CGROUP_SEV
> > > + bool "SEV ASID controller"
> > > + depends on KVM_AMD_SEV
> > > + default n
> > > + help
> > > + Provides a controller for AMD SEV ASIDs. This controller
> > > limits and
> > > + shows the total usage of SEV ASIDs used in encrypted VMs on
> > > AMD
> > > + processors. Whenever a new encrypted VM is created using SEV
> > > on an
> > > + AMD processor, this controller will check the current limit
> > > in the
> > > + cgroup to which the task belongs and will deny the SEV ASID
> > > if the
> > > + cgroup has already reached its limit.
> > > +
> > > + Say N if unsure.
> >
> > Something here (either in the bool prompt string or the help text)
> > should let a reader know w.t.h. SEV means.
> >
> > Without having to look in other places...
>
> ASIDs too. I'd also love to see more info in the docs and/or cover
> letter to explain why ASID management on SEV requires a cgroup. I
> know what an ASID is, and have a decent idea of how KVM manages ASIDs
> for legacy VMs, but I know nothing about why ASIDs are limited for
> SEV and not legacy VMs.
Well, also, why would we only have a cgroup for ASIDs but not MSIDs?
For the reader at home a Space ID (SID) is simply a tag that can be
placed on a cache line to control things like flushing. Intel and AMD
use MSIDs which are allocated per process to allow fast context
switching by flushing all the process pages using a flush by SID.
ASIDs are also used by both Intel and AMD to control nested/extended
paging of virtual machines, so ASIDs are allocated per VM. So far it's
universal.
AMD invented a mechanism for tying their memory encryption technology
to the ASID asserted on the memory bus, so now they can do encrypted
virtual machines since each VM is tagged by ASID which the memory
encryptor sees. It is suspected that the forthcoming intel TDX
technology to encrypt VMs will operate in the same way as well. This
isn't everything you have to do to get an encrypted VM, but it's a core
part of it.
The problem with SIDs (both A and M) is that they get crammed into
spare bits in the CPU (like the upper bits of %CR3 for MSID) so we
don't have enough of them to do a 1:1 mapping of MSID to process or
ASID to VM. Thus we have to ration them somewhat, which is what I
assume this patch is about?
James