On Mon, Sep 21, 2020 at 06:22:28PM -0700, Sean Christopherson wrote: > On Mon, Sep 21, 2020 at 06:04:04PM -0700, Randy Dunlap wrote: > > Hi, > > > > On 9/21/20 5:40 PM, Vipin Sharma wrote: > > > diff --git a/init/Kconfig b/init/Kconfig > > > index d6a0b31b13dc..1a57c362b803 100644 > > > --- a/init/Kconfig > > > +++ b/init/Kconfig > > > @@ -1101,6 +1101,20 @@ config CGROUP_BPF > > > BPF_CGROUP_INET_INGRESS will be executed on the ingress path of > > > inet sockets. > > > > > > +config CGROUP_SEV > > > + bool "SEV ASID controller" > > > + depends on KVM_AMD_SEV > > > + default n > > > + help > > > + Provides a controller for AMD SEV ASIDs. This controller limits and > > > + shows the total usage of SEV ASIDs used in encrypted VMs on AMD > > > + processors. Whenever a new encrypted VM is created using SEV on an > > > + AMD processor, this controller will check the current limit in the > > > + cgroup to which the task belongs and will deny the SEV ASID if the > > > + cgroup has already reached its limit. > > > + > > > + Say N if unsure. > > > > Something here (either in the bool prompt string or the help text) should > > let a reader know w.t.h. SEV means. > > > > Without having to look in other places... > > ASIDs too. I'd also love to see more info in the docs and/or cover letter > to explain why ASID management on SEV requires a cgroup. I know what an > ASID is, and have a decent idea of how KVM manages ASIDs for legacy VMs, but > I know nothing about why ASIDs are limited for SEV and not legacy VMs. Thanks for the feedback, I will add more details in the Kconfig and the documentation about SEV and ASID.
