The AMD-SP is a precious resource that doesn't have a scheduler other
than a mutex lock queue. To avoid customers from causing a DoS, a
module_param-set rate limit is added with a default of 2 requests
per 2 seconds.
These defaults were chosen empirically with a the assumption that
current server-grade SEV-SNP machines will rarely exceed 128 VMs under
usual circumstance.
The 2 burst per 2 seconds means on average 1 request every second. We
allow 2 requests back to back to allow for the guest to query the
certificate length in an extended guest request without a pause. The
1 second average is our target for quality of service since empirical
tests show that 64 VMs can concurrently request an attestation report
with a maximum latency of 1 second. We don't anticipate more
concurrency than that for a seldom used request for a majority well-
behaved set of VMs. The majority point is decided as >64 VMs given
the assumed 128 VM count for "extreme load".
The throttling code is 2 << 32 given that invalid length is 1 and 2 is
the next available code. This was suggested by Tom Lendacky, and will
be included in a new revision of the GHCB specification.
Cc: Thomas Lendacky <Thomas.Lendacky@xxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: Joerg Roedel <jroedel@xxxxxxx>
Cc: Peter Gonda <pgonda@xxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Signed-off-by: Dionna Glaze <dionnaglaze@xxxxxxxxxx>
---
arch/x86/include/asm/sev-common.h | 1 +
arch/x86/kvm/svm/sev.c | 29 +++++++++++++++++++++++++++++
arch/x86/kvm/svm/svm.h | 3 +++
include/uapi/linux/in.h | 1 +
4 files changed, 34 insertions(+)
diff --git a/arch/x86/include/asm/sev-common.h b/arch/x86/include/asm/sev-common.h
index 1b111cde8c82..e3a6b039480d 100644
--- a/arch/x86/include/asm/sev-common.h
+++ b/arch/x86/include/asm/sev-common.h
@@ -158,6 +158,7 @@ struct snp_psc_desc {
/* Guest message request error code */
#define SNP_GUEST_REQ_INVALID_LEN BIT_ULL(32)
+#define SNP_GUEST_REQ_THROTTLED (((u64)2) << 32)
#define GHCB_MSR_TERM_REQ 0x100
#define GHCB_MSR_TERM_REASON_SET_POS 12
diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index d0e58cffd1ed..cd9372ce6fc2 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -58,6 +58,14 @@ module_param_named(sev_es, sev_es_enabled, bool, 0444);
/* enable/disable SEV-SNP support */
static bool sev_snp_enabled = true;
module_param_named(sev_snp, sev_snp_enabled, bool, 0444);
+
+/* Throttle guest requests to a burst # per this many seconds */
+unsigned int guest_request_throttle_s = 2;
+module_param(guest_request_throttle_s, int, 0444);
+
+/* Throttle guest requests to this many per the above many seconds */
+unsigned int guest_request_throttle_burst = 2;
+module_param(guest_request_throttle_burst, int, 0444);
#else
#define sev_enabled false
#define sev_es_enabled false
@@ -333,6 +341,9 @@ static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp)
goto e_free;
mutex_init(&sev->guest_req_lock);
+ ratelimit_state_init(&sev->snp_guest_msg_rs,
+ guest_request_throttle_s * HZ,
+ guest_request_throttle_burst);
ret = sev_snp_init(&argp->error, false);
} else {
ret = sev_platform_init(&argp->error);
@@ -3595,6 +3606,14 @@ static void snp_cleanup_guest_buf(struct sev_data_snp_guest_request *data, unsig
*rc = SEV_RET_INVALID_ADDRESS;
}
+static bool snp_throttle_guest_request(struct kvm_sev_info *sev) {
+ if (__ratelimit(&sev->snp_guest_msg_rs))
+ return false;
+
+ pr_info_ratelimited("svm: too many guest message requests\n");
+ return true;
+}
+
static void snp_handle_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gpa_t resp_gpa)
{
struct sev_data_snp_guest_request data = {0};
@@ -3611,6 +3630,11 @@ static void snp_handle_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gpa_t
sev = &to_kvm_svm(kvm)->sev_info;
+ if (snp_throttle_guest_request(sev)) {
+ rc = SNP_GUEST_REQ_THROTTLED;
+ goto e_fail;
+ }
+
mutex_lock(&sev->guest_req_lock);
rc = snp_setup_guest_buf(svm, &data, req_gpa, resp_gpa);
@@ -3648,6 +3672,11 @@ static void snp_handle_ext_guest_request(struct vcpu_svm *svm, gpa_t req_gpa, gp
sev = &to_kvm_svm(kvm)->sev_info;
+ if (snp_throttle_guest_request(sev)) {
+ rc = SNP_GUEST_REQ_THROTTLED;
+ goto e_fail;
+ }
+
data_gpa = vcpu->arch.regs[VCPU_REGS_RAX];
data_npages = vcpu->arch.regs[VCPU_REGS_RBX];
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index 8d1ba66860a4..7048f817efb0 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -18,6 +18,7 @@
#include <linux/kvm_types.h>
#include <linux/kvm_host.h>
#include <linux/bits.h>
+#include <linux/ratelimit.h>
#include <asm/svm.h>
#include <asm/sev-common.h>
@@ -105,6 +106,8 @@ struct kvm_sev_info {
unsigned int snp_certs_len; /* Size of instance override for certs */
struct mutex guest_req_lock;
+ struct ratelimit_state snp_guest_msg_rs; /* Limit guest requests */
+
u64 sev_features; /* Features set at VMSA creation */
};
diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
index f243ce665f74..07a4cb149305 100644
--- a/include/uapi/linux/in.h
+++ b/include/uapi/linux/in.h
@@ -20,6 +20,7 @@
#define _UAPI_LINUX_IN_H
#include <linux/types.h>
+#include <linux/stddef.h>
#include <linux/libc-compat.h>
#include <linux/socket.h>
--
2.39.0.246.g2a6d74b583-goog
