Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
KVM: SVM: Create SEV cgroup controller.
Create SEV cgroup controller for SEV ASIDs on the AMD platform. SEV ASIDs are used to encrypt virtual machines memory and isolate the guests from the hypervisor. However, number of SEV ASIDs are limited on a platform. This leads to the resource constraints and cause issues like: 1. Some applications exhausting all of the SEV ASIDs and depriving others on a host. 2. No capability with the system admin to allocate and limit the number of SEV ASIDs used by tasks. 3. Difficult for the cloud service providers to optimally schedule VMs and sandboxes across its fleet without knowing the overall picture of SEV ASIDs usage. SEV controller tracks the usage and provides capability to limit SEV ASIDs used by tasks. Controller is enabled by CGROUP_SEV config option, it is dependent on KVM_AMD_SEV option in the config file. SEV Controller has 3 interface files: 1. max - Sets the max limit of the SEV ASIDs in the cgroup. 2. current - Shows the current count of the SEV ASIDs in the cgroup. 3. events - Event file to show the SEV ASIDs allocation denied in the cgroup. When kvm-amd module is installed it calls SEV controller API and informs how many SEV ASIDs are available on the platform. Controller use this value to allocate an array which stores ASID to cgroup mapping. New SEV ASID allocation gets charged to the task's SEV cgroup. Migration of charge is not supported, so, a charged ASID remains charged to the same cgroup until that SEV ASID is freed. This feature is similar to the memory cgroup as it is a stateful resource On deletion of an empty cgroup whose tasks have moved to some other cgroup but a SEV ASID is still charged to it, the SEV ASID gets mapped to the parent cgroup. Mapping array tells which cgroup to uncharge, and update mapping when the cgroup is deleted. Mapping array is freed when kvm-amd module is unloaded. Signed-off-by: Vipin Sharma <vipinsh@google.com> Reviewed-by: David Rientjes <rientjes@google.com> Reviewed-by: Dionna Glaze <dionnaglaze@google.com> Reviewed-by: Erdem Aktas <erdemaktas@google.com>
- Loading branch information