Re: [RFC PATCH 00/20] Add Cgroup support for SGX EPC memory
From: Tejun Heo
Date: Thu Sep 22 2022 - 13:41:48 EST
Hello,
(cc'ing memcg folks)
On Thu, Sep 22, 2022 at 10:10:37AM -0700, Kristen Carlson Accardi wrote:
> Add a new cgroup controller to regulate the distribution of SGX EPC memory,
> which is a subset of system RAM that is used to provide SGX-enabled
> applications with protected memory, and is otherwise inaccessible.
>
> SGX EPC memory allocations are separate from normal RAM allocations,
> and are managed solely by the SGX subsystem. The existing cgroup memory
> controller cannot be used to limit or account for SGX EPC memory.
>
> This patchset implements the sgx_epc cgroup controller, which will provide
> support for stats, events, and the following interface files:
>
> sgx_epc.current
> A read-only value which represents the total amount of EPC
> memory currently being used by the cgroup and its descendants.
>
> sgx_epc.low
> A read-write value which is used to set best-effort protection
> of EPC usage. If the EPC usage of a cgroup drops below this value,
> then the cgroup's EPC memory will not be reclaimed if possible.
>
> sgx_epc.high
> A read-write value which is used to set a best-effort limit
> on the amount of EPC usage a cgroup has. If a cgroup's usage
> goes past the high value, the EPC memory of that cgroup will
> get reclaimed back under the high limit.
>
> sgx_epc.max
> A read-write value which is used to set a hard limit for
> cgroup EPC usage. If a cgroup's EPC usage reaches this limit,
> allocations are blocked until EPC memory can be reclaimed from
> the cgroup.
I don't know how SGX uses its memory but you said in the other message that
it's usually a really small portion of the memory and glancing at the code it
looks like it has its own page aging and all. Can you give some concrete examples
on how it's used and why we need cgroup support for it? Also, do you really
need all three control knobs here? e.g. given that .high is only really
useful in conjunction with memory pressure and oom handling from userspace,
I don't see how this would actually be useful for something like this.
Thanks.
--
tejun
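For readers unfamiliar with how the four interface files from the cover letter would be driven from userspace, here is an added example (not code from the patch series or from anyone in this thread) that configures the proposed sgx_epc knobs for a sub-cgroup and checks its usage against the high watermark. It assumes a cgroup v2 hierarchy, that the controller is enabled like any other v2 controller via cgroup.subtree_control, and that values are bytes with "max" meaning unlimited; none of those details are stated in the RFC text.

```shell
#!/bin/sh
# Added example, not part of the SGX EPC cgroup series: configure the
# proposed sgx_epc.low / .high / .max files for one cgroup and inspect
# sgx_epc.current. Assumptions: cgroup v2 layout, controller enabled via
# cgroup.subtree_control, byte values, "max" = no limit.
set -eu

# Create $root/$name and write the three knobs, hard limit last so the
# cgroup never exists with a hard limit below its high watermark.
sgx_epc_setup() {
    root=$1; name=$2; low=$3; high=$4; max=$5
    # Enable the controller for children of $root (assumed controller name).
    echo "+sgx_epc" > "$root/cgroup.subtree_control"
    mkdir -p "$root/$name"
    echo "$low"  > "$root/$name/sgx_epc.low"   # best-effort protection
    echo "$high" > "$root/$name/sgx_epc.high"  # best-effort reclaim target
    echo "$max"  > "$root/$name/sgx_epc.max"   # hard limit, blocks allocs
}

# Print current EPC usage of the cgroup at $1 (reads sgx_epc.current).
sgx_epc_usage() {
    cat "$1/sgx_epc.current"
}

# Return 0 when the cgroup at $1 is above its high watermark, i.e. when
# the kernel would start reclaiming its EPC pages; 1 otherwise.
sgx_epc_over_high() {
    cur=$(cat "$1/sgx_epc.current")
    high=$(cat "$1/sgx_epc.high")
    if [ "$high" = "max" ]; then
        return 1
    fi
    if [ "$cur" -gt "$high" ]; then
        return 0
    fi
    return 1
}

# Usage (real system): sgx_epc_setup /sys/fs/cgroup enclaves 1048576 4194304 8388608
```

The helpers take the cgroup root as a parameter so they can be exercised against a scratch directory before touching a live cgroup hierarchy.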