From: David Hildenbrand <david@redhat.com>
To: Zheyun Shen <szy0127@sjtu.edu.cn>,
linux-kernel@vger.kernel.org, virtualization@lists.linux.dev
Cc: mst <mst@redhat.com>, jasowang@redhat.com, xuanzhuo@linux.alibaba.com
Subject: Re: [PATCH] driver/virtio: Add Memory Balloon Support for SEV/SEV-ES
Date: Thu, 11 Jan 2024 09:35:32 +0100 [thread overview]
Message-ID: <10db6936-c951-447f-bf50-aff016008a53@redhat.com> (raw)
In-Reply-To: <2035137075.1083380.1704867762955.JavaMail.zimbra@sjtu.edu.cn>
On 10.01.24 07:22, Zheyun Shen wrote:
> For now, SEV pins guest's memory to avoid swapping or
> moving ciphertext, but leading to the inhibition of
> Memory Ballooning.
>
> In Memory Ballooning, only guest's free pages will be relocated
> in balloon inflation and deflation, so the difference of plaintext
> doesn't matter to guest.
A Linux hypervisor will always give you a fresh, zeroed page. I don't
recall what the spec says, could be that that is a guarantee.
>
> Memory Ballooning is a nice memory overcommitment technology can
> be used in CVM based on SEV and SEV-ES, so userspace tools can
> provide an option to allow SEV not to pin memory and enable
> Memory Ballooning. Guest kernel may not inhibit Balloon and
> should set shared memory for Balloon decrypted.
Two points:
1) Memory overcommit means that you promise to have more memory than you
actually have.
To be able to use that in a *safe* way in the hypervisor, to fulfill
that promise, you need some backup strategy, which is usually swap space
in the hypervisor. Further one might apply other techniques (ram
compression, memory deduplication) in the hypervisor to make that
swapping unlikely to ever happen when overcommitting (because nobody
wants to swap).
Assume you run a lot of VMs that mostly have private/encrypted memory
(which is the default). Imagine you previously inflated the balloon on
VM0, and that VM needs more memory (you promised it could have more!).
You reach out to other VMs to inflate the balloon so you get memory
back, but they cannot give up memory safely.
In that scenario (a) you cannot swap something out because all pages are
pinned (b) memory compression cannot be applied because pages are pinned
and (c) memory deduplication cannot be applied because pages are pinned.
Pinned memory is a resource that cannot be overcomitted.
So I am not convinced the use case you are targeting can be considered
any way of sane memory overcommit. You should better call it resizing VM
memory instead. Then, it's clearer that the hypervisor cannot promise to
ever give you that memory when you are in need.
2) What about other features?
What if the hypervisor enabled free-page-reporting? Would that work
(unlikely, I assunme). Don't we have to block that?
--
Cheers,
David / dhildenb
next prev parent reply other threads:[~2024-01-11 8:35 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-10 6:22 [PATCH] driver/virtio: Add Memory Balloon Support for SEV/SEV-ES Zheyun Shen
2024-01-10 8:01 ` Michael S. Tsirkin
2024-01-11 3:20 ` Jason Wang
2024-01-11 8:35 ` David Hildenbrand [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-01-11 6:35 Zheyun Shen
2024-01-11 8:22 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10db6936-c951-447f-bf50-aff016008a53@redhat.com \
--to=david@redhat.com \
--cc=jasowang@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=szy0127@sjtu.edu.cn \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox