On Wed, 31 Mar 2021 21:53:45 +1300 Kai Huang wrote:
> On Wed, 31 Mar 2021 09:44:39 +0200 Boris Petkov wrote:
> > On March 31, 2021 8:51:38 AM GMT+02:00, Kai Huang <kai.huang@xxxxxxxxx> wrote:
> > >How about adding explanation to Documentation/x86/sgx.rst?
> >
> > Sure, and then we should point users at it. The thing is also indexed by search engines so hopefully people will find it.
>
> Thanks. Will do and send out new patch for review.
>

Hi Boris,

Could you help to review whether below change is OK?

diff --git a/Documentation/x86/sgx.rst b/Documentation/x86/sgx.rst
index 5ec7d17e65e0..49a840718a4d 100644
--- a/Documentation/x86/sgx.rst
+++ b/Documentation/x86/sgx.rst
@@ -236,3 +236,19 @@ As a result, when this happpens, user should stop running any new SGX workloads, (or just any new workloads), and migrate all valuable workloads. Although a machine reboot can recover all EPC, the bug should be reported to Linux developers. + +Virtual EPC +=========== + +Separated from SGX driver for creating and running enclaves in host, SGX core +also supports virtual EPC driver to support KVM SGX virtualization. Unlike SGX +driver, EPC page allocated via virtual EPC driver is "raw" EPC page and doesn't +have specific enclave associated. This is because KVM doesn't track how guest +uses EPC pages. + +As a result, SGX core page reclaimer doesn't support reclaiming EPC pages +allocated to KVM guests via virtual EPC driver. If user wants to deploy both +host SGX applications and KVM SGX guests on the same machine, user should +reserve enough EPC (by taking out total virtual EPC size of all SGX VMs from +physical EPC size) for host SGX applications so they can run with acceptable +performance.

In my local, I have squashed above change to this patch, and also added below paragraph to the commit message:

Also add documentation to explain what is virtual EPC, and suggest users should be aware that virtual EPC pages are not reclaimable and take this into account when deploying both host SGX applications and KVM SGX guests on the same machine.
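Review bot: The sizing guidance in the second new paragraph is the part users will act on, and "by taking out total virtual EPC size of all SGX VMs from physical EPC size" is ambiguous; please say "by subtracting the total virtual EPC size of all SGX VMs from the physical EPC size", and spell out the consequence the paragraph implies, namely that because the reclaimer never touches these pages, host enclaves can only ever use the EPC left over after the VMs have taken theirs. The opening sentence also needs articles and a clearer subject, e.g. "In addition to the SGX driver used to create and run enclaves on the host, the SGX core also provides a virtual EPC driver for KVM SGX virtualization. Unlike the SGX driver, the virtual EPC driver hands out "raw" EPC pages that are not associated with any enclave, because KVM does not track how a guest uses them." Separately, the hunk header's context line still carries the pre-existing typo "happpens"; worth a one-line follow-up patch rather than folding it into this one.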