Re: [Patch v2 0/2] cgroup: KVM: New Encryption IDs cgroup controller
From: Vipin Sharma
Date: Wed Dec 09 2020 - 15:34:32 EST
On Tue, Dec 08, 2020 at 01:35:29PM -0800, Vipin Sharma wrote:
> Hello,
>
> This patch adds a new cgroup controller, Encryption IDs, to track and
> limit the usage of encryption IDs on a host.
>
> AMD provides Secure Encrypted Virtualization (SEV) and SEV with
> Encrypted State (SEV-ES) to encrypt the guest OS's memory using limited
> number of Address Space Identifiers (ASIDs).
>
> This limited number of ASIDs creates issues like SEV ASID starvation and
> unoptimized scheduling in the cloud infrastucture.
>
> In the RFC patch v1, I provided only SEV cgroup controller but based
> on the feedback and discussion it became clear that this cgroup
> controller can be extended to be used by Intel's Trusted Domain
> Extension (TDX) and s390's protected virtualization Secure Execution IDs
> (SEID)
>
> This patch series provides a generic Encryption IDs controller with
> tracking support of the SEV ASIDs.
>
> Changes in v2:
> - Changed cgroup name from sev to encryption_ids.
> - Replaced SEV specific names in APIs and documentations with generic
> encryption IDs.
> - Providing 3 cgroup files per encryption ID type. For example in SEV,
> - encryption_ids.sev.stat (only in the root cgroup directory).
> - encryption_ids.sev.max
> - encryption_ids.sev.current
>
> Thanks
> Vipin Sharma
>
> [1] https://lore.kernel.org/lkml/20200922004024.3699923-1-vipinsh@xxxxxxxxxx/#r
>
> Vipin Sharma (2):
> cgroup: svm: Add Encryption ID controller
> cgroup: svm: Encryption IDs cgroup documentation.
>
> .../admin-guide/cgroup-v1/encryption_ids.rst | 108 +++++
> Documentation/admin-guide/cgroup-v2.rst | 78 +++-
> arch/x86/kvm/svm/sev.c | 28 +-
> include/linux/cgroup_subsys.h | 4 +
> include/linux/encryption_ids_cgroup.h | 70 +++
> include/linux/kvm_host.h | 4 +
> init/Kconfig | 14 +
> kernel/cgroup/Makefile | 1 +
> kernel/cgroup/encryption_ids.c | 430 ++++++++++++++++++
> 9 files changed, 728 insertions(+), 9 deletions(-)
> create mode 100644 Documentation/admin-guide/cgroup-v1/encryption_ids.rst
> create mode 100644 include/linux/encryption_ids_cgroup.h
> create mode 100644 kernel/cgroup/encryption_ids.c
>
> --
> 2.29.2.576.ga3fc446d84-goog
>
Please ignore this version of patch series, I will send out v3 soon. v2
has build failure when CONFIG_CGROUP is disabled.