The AMD-SP is a precious resource that doesn't have a scheduler other than a mutex lock queue. To avoid customers from causing a DoS, a module_param-set rate limit is added with a default of 2 requests per 2 seconds. These defaults were chosen empirically with a the assumption that current server-grade SEV-SNP machines will rarely exceed 128 VMs under usual circumstance. The 2 burst per 2 seconds means on average 1 request every second. We allow 2 requests back to back to allow for the guest to query the certificate length in an extended guest request without a pause. The 1 second average is our target for quality of service since empirical tests show that 64 VMs can concurrently request an attestation report with a maximum latency of 1 second. We don't anticipate more concurrency than that for a seldom used request for a majority well- behaved set of VMs. The majority point is decided as >64 VMs given the assumed 128 VM count for "extreme load". The throttling code is 2 << 32 given that invalid length is 1 and 2 is the next available code. This was suggested by Tom Lendacky, and will be included in a new revision of the GHCB specification. Cc: Thomas Lendacky <Thomas.Lendacky@xxxxxxx> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> Cc: Joerg Roedel <jroedel@xxxxxxx> Cc: Peter Gonda <pgonda@xxxxxxxxxx> Cc: Borislav Petkov <bp@xxxxxxxxx> Signed-off-by: Dionna Glaze <dionnaglaze@xxxxxxxxxx> --- arch/x86/include/asm/sev-common.h | 1 + arch/x86/kvm/svm/sev.c | 29 +++++++++++++++++++++++++++++ arch/x86/kvm/svm/svm.h | 3 +++ include/uapi/linux/in.h | 1 + 4 files changed, 34 insertions(+) diff --git a/arch/x86/include/asm/sev-common.h b/arch/x86/include/asm/sev-common.h index 1b111cde8c82..e3a6b039480d 100644 --- a/arch/x86/include/asm/sev-common.h +++ b/arch/x86/include/asm/sev-common.h @@ -158,6 +158,7 @@ struct snp_psc_desc { /* Guest message request error code */ #define SNP_GUEST_REQ_INVALID_LEN BIT_ULL(32) +#define SNP_GUEST_REQ_THROTTLED (((u64)2) << 32) #define GHCB_MSR_TERM_REQ 0x100 #define GHCB_MSR_TERM_REASON_SET_POS 12 diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index d0e58cffd1ed..cd9372ce6fc2 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -58,6 +58,14 @@ module_param_named(sev_es, sev_es_enabled, bool, 0444); /* enable/disable SEV-SNP support */ static bool sev_snp_enabled = true; module_param_named(sev_snp, sev_snp_enabled, bool, 0444); + +/* Throttle guest requests to a burst # per this many seconds */ +unsigned int guest_request_throttle_s = 2; +module_param(guest_request_throttle_s, int, 0444); + +/* Throttle guest requests to this many per the above many seconds */ +unsigned int guest_request_throttle_burst = 2; +module_param(guest_request_throttle_burst, int, 0444); #else #define sev_enabled false #define sev_es_enabled false @@ -333,6 +341,9 @@ static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp) goto e_free; mutex_init(&sev->guest_req_lock); + ratelimit_state_init(&sev->snp_guest_msg_rs, + guest_request_throttle_s * HZ, + guest_request_throttle_burst); ret = sev_snp_init(&argp->error, false); } else { ret = sev_platform_init(&argp->error); @@ -3595,6 +3606,14 @@ static void snp_cleanup_guest_buf(struct sev_data_snp_guest_request *data, unsig *rc = SEV_RET_INVALID_ADDRESS; } +static bool snp_throttle_guest_request(struct kvm_sev_info *sev) { + if (__ratelimit(&sev->snp_guest_msg_rs)) + return false; + + pr_info_ratelimited("svm: too many guest message requests\n"); + return true; +} + static void snp_handle_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gpa_t resp_gpa) { struct sev_data_snp_guest_request data = {0}; @@ -3611,6 +3630,11 @@ static void snp_handle_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gpa_t sev = &to_kvm_svm(kvm)->sev_info; + if (snp_throttle_guest_request(sev)) { + rc = SNP_GUEST_REQ_THROTTLED; + goto e_fail; + } + mutex_lock(&sev->guest_req_lock); rc = snp_setup_guest_buf(svm, &data, req_gpa, resp_gpa); @@ -3648,6 +3672,11 @@ static void snp_handle_ext_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gp sev = &to_kvm_svm(kvm)->sev_info; + if (snp_throttle_guest_request(sev)) { + rc = SNP_GUEST_REQ_THROTTLED; + goto e_fail; + } + data_gpa = vcpu->arch.regs[VCPU_REGS_RAX]; data_npages = vcpu->arch.regs[VCPU_REGS_RBX]; diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 8d1ba66860a4..7048f817efb0 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -18,6 +18,7 @@ #include <linux/kvm_types.h> #include <linux/kvm_host.h> #include <linux/bits.h> +#include <linux/ratelimit.h> #include <asm/svm.h> #include <asm/sev-common.h> @@ -105,6 +106,8 @@ struct kvm_sev_info { unsigned int snp_certs_len; /* Size of instance override for certs */ struct mutex guest_req_lock; + struct ratelimit_state snp_guest_msg_rs; /* Limit guest requests */ + u64 sev_features; /* Features set at VMSA creation */ }; diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h index f243ce665f74..07a4cb149305 100644 --- a/include/uapi/linux/in.h +++ b/include/uapi/linux/in.h @@ -20,6 +20,7 @@ #define _UAPI_LINUX_IN_H #include <linux/types.h> +#include <linux/stddef.h> #include <linux/libc-compat.h> #include <linux/socket.h> -- 2.39.0.246.g2a6d74b583-goog