For now, SEV pins the guest's memory to avoid swapping or
moving ciphertext, but this leads to the inhibition of
Memory Ballooning.
In Memory Ballooning, only the guest's free pages will be relocated
in balloon inflation and deflation, so the difference of plaintext
doesn't matter to the guest.

This seems only true if the page is zeroed. Is this true here?

Sorry, I cannot figure out why the pages should be zeroed. I think
both the host kernel and the guest kernel assume that the pages are not
zeroed and will use kzalloc or manually zero them in real applications,
which is the same as in non-SEV environments.

balloon_page_alloc() will not zero the memory (no __GFP_ZERO set). Only
in some configurations (zero-on-alloc, zero-on-free), the kernel would
do that implicitly.
So we'd eventually be leaking secrets to the untrusted hypervisor?

I have tested in SEV-ES: reclaiming memory by balloon inflation and reusing
it after balloon deflation both work well with the patch. The hypervisor
can normally give the reclaimed memory from one CVM to another, or give
it back to the original CVM.

I'll comment on your misconception of memory overcommit separately.
--
Cheers,
David / dhildenb