Re: [PATCH] driver/virtio: Add Memory Balloon Support for SEV/SEV-ES

From: David Hildenbrand
Date: Thu Jan 11 2024 - 03:35:46 EST


On 10.01.24 07:22, Zheyun Shen wrote:
For now, SEV pins guest's memory to avoid swapping or
moving ciphertext, but leading to the inhibition of
Memory Ballooning.

In Memory Ballooning, only guest's free pages will be relocated
in balloon inflation and deflation, so the difference of plaintext
doesn't matter to guest.

A Linux hypervisor will always give you a fresh, zeroed page. I don't recall what the spec says, could be that that is a guarantee.


Memory Ballooning is a nice memory overcommitment technology can
be used in CVM based on SEV and SEV-ES, so userspace tools can
provide an option to allow SEV not to pin memory and enable
Memory Ballooning. Guest kernel may not inhibit Balloon and
should set shared memory for Balloon decrypted.

Two points:

1) Memory overcommit means that you promise to have more memory than you actually have.

To be able to use that in a *safe* way in the hypervisor, to fulfill that promise, you need some backup strategy, which is usually swap space in the hypervisor. Further one might apply other techniques (ram compression, memory deduplication) in the hypervisor to make that swapping unlikely to ever happen when overcommitting (because nobody wants to swap).

Assume you run a lot of VMs that mostly have private/encrypted memory (which is the default). Imagine you previously inflated the balloon on VM0, and that VM needs more memory (you promised it could have more!). You reach out to other VMs to inflate the balloon so you get memory back, but they cannot give up memory safely.

In that scenario (a) you cannot swap something out because all pages are pinned (b) memory compression cannot be applied because pages are pinned and (c) memory deduplication cannot be applied because pages are pinned.

Pinned memory is a resource that cannot be overcomitted.

So I am not convinced the use case you are targeting can be considered any way of sane memory overcommit. You should better call it resizing VM memory instead. Then, it's clearer that the hypervisor cannot promise to ever give you that memory when you are in need.


2) What about other features?

What if the hypervisor enabled free-page-reporting? Would that work (unlikely, I assunme). Don't we have to block that?

--
Cheers,

David / dhildenb