Date: Thu, 7 Jan 2021 17:28:44 -0800
Message-Id: <20210108012846.4134815-1-vipinsh@google.com>
Subject: [Patch v4 0/2] cgroup: KVM: New Encryption IDs cgroup controller
From: Vipin Sharma
To: thomas.lendacky@amd.com, brijesh.singh@amd.com, jon.grimm@amd.com,
    eric.vantassell@amd.com, pbonzini@redhat.com, seanjc@google.com,
    tj@kernel.org, lizefan@huawei.com, hannes@cmpxchg.org,
    frankja@linux.ibm.com, borntraeger@de.ibm.com, corbet@lwn.net
Cc: joro@8bytes.org, vkuznets@redhat.com, wanpengli@tencent.com,
    jmattson@google.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
    hpa@zytor.com, gingell@google.com, rientjes@google.com,
    dionnaglaze@google.com, kvm@vger.kernel.org, x86@kernel.org,
    cgroups@vger.kernel.org, linux-doc@vger.kernel.org,
    linux-kernel@vger.kernel.org, Vipin Sharma
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

This patch adds a new cgroup controller, Encryption IDs, to track and limit
the usage of encryption IDs on a host.

AMD provides Secure Encrypted Virtualization (SEV) and SEV with Encrypted
State (SEV-ES) to encrypt the guest OS's memory using a limited number of
Address Space Identifiers (ASIDs). This limited number of ASIDs creates
issues like SEV ASID starvation and unoptimized scheduling in the cloud
infrastructure.

In the RFC patch v1, I provided only the SEV cgroup controller, but based on
the feedback and discussion it became clear that this cgroup controller can
be extended to be used by Intel's Trusted Domain Extension (TDX) and s390's
protected virtualization Secure Execution IDs (SEID).

This patch series provides a generic Encryption IDs controller with tracking
support of the SEV and SEV-ES ASIDs.

Changes in v4:
- The max value can be set lower than the current.
- Added SEV-ES support.

Changes in v3:
- Fixes a build error when CONFIG_CGROUP is disabled.

Changes in v2:
- Changed cgroup name from sev to encryption_ids.
- Replaced SEV specific names in APIs and documentation with generic
  encryption IDs.
- Providing 3 cgroup files per encryption ID type. For example in SEV,
  - encryption_ids.sev.stat (only in the root cgroup directory).
  - encryption_ids.sev.max
  - encryption_ids.sev.current

[1] https://lore.kernel.org/lkml/20200922004024.3699923-1-vipinsh@google.com/
[2] https://lore.kernel.org/lkml/20201208213531.2626955-1-vipinsh@google.com/
[3] https://lore.kernel.org/lkml/20201209205413.3391139-1-vipinsh@google.com/

Vipin Sharma (2):
  cgroup: svm: Add Encryption ID controller
  cgroup: svm: Encryption IDs cgroup documentation.

 .../admin-guide/cgroup-v1/encryption_ids.rst | 108 +++++
 Documentation/admin-guide/cgroup-v2.rst      |  78 +++-
 arch/x86/kvm/svm/sev.c                       |  52 ++-
 include/linux/cgroup_subsys.h                |   4 +
 include/linux/encryption_ids_cgroup.h        |  72 +++
 include/linux/kvm_host.h                     |   4 +
 init/Kconfig                                 |  14 +
 kernel/cgroup/Makefile                       |   1 +
 kernel/cgroup/encryption_ids.c               | 422 ++++++++++++++++++
 9 files changed, 741 insertions(+), 14 deletions(-)
 create mode 100644 Documentation/admin-guide/cgroup-v1/encryption_ids.rst
 create mode 100644 include/linux/encryption_ids_cgroup.h
 create mode 100644 kernel/cgroup/encryption_ids.c

-- 
2.29.2.729.g45daf8777d-goog