new file mode 100644
@@ -0,0 +1,94 @@
+==============
+SEV Controller
+==============
+
+Overview
+========
+
+The SEV controller regulates the distribution of SEV ASIDs. SEV ASIDs are used
+in creating encrypted VMs on AMD processors. SEV ASIDs are stateful and one
+ASID is only used in one KVM object at a time. It cannot be used with other KVM
+before unbinding it from the previous KVM.
+
+All SEV ASIDs are tracked by this controller and it allows for accounting and
+distribution of this resource.
+
+How to Enable Controller
+========================
+
+- Enable memory encryption on AMD platform::
+
+ CONFIG_KVM_AMD_SEV=y
+
+- Enable SEV controller::
+
+ CONFIG_CGROUP_SEV=y
+
+- Above options will build SEV controller support in the kernel.
+ To mount sev controller::
+
+ mount -t cgroup -o sev none /sys/fs/cgroup/sev
+
+Interface Files
+==============
+
+ sev.current
+ A read-only single value file which exists on non-root cgroups.
+
+ The total number of SEV ASIDs currently in use by the cgroup and its
+ descendants.
+
+ sev.max
+ A read-write single value file which exists on non-root cgroups. The
+ default is "max".
+
+ SEV ASIDs usage hard limit. If the cgroup's current SEV ASIDs usage
+ reach this limit then the new SEV VMs creation will return error
+ -EBUSY. This limit cannot be set lower than sev.current.
+
+ sev.events
+ A read-only flat-keyed single value file which exists on non-root
+ cgroups. A value change in this file generates a file modified event.
+
+ max
+ The number of times the cgroup's SEV ASIDs usage was about to
+ go over the max limit. This is a tally of SEV VM creation
+ failures in the cgroup.
+
+Hierarchy
+=========
+
+SEV controller supports hierarchical accounting. It supports following
+features:
+
+1. SEV ASID usage in the cgroup includes itself and its descendent cgroups.
+2. SEV ASID usage can never exceed the max limit set in the cgroup and its
+ ancestor's chain up to the root.
+3. SEV events keep a tally of SEV VM creation failures in the cgroup and not in
+ its child subtree.
+
+Suppose the following example hierarchy::
+
+ root
+ / \
+ A B
+ |
+ C
+
+1. A will show the count of SEV ASID used in A and C.
+2. C's SEV ASID usage may not exceed any of the max limits set in C, A, or
+ root.
+3. A's event file lists only SEV VM creation failed in A, and not the ones in
+ C.
+
+Migration and SEV ASID ownership
+================================
+
+An SEV ASID is charged to the cgroup which instantiated it, and stays charged
+to that cgroup until that SEV ASID is freed. Migrating a process to a different
+cgroup do not move the SEV ASID charge to the destination cgroup where the
+process has moved.
+
+Deletion of a cgroup with existing ASIDs charges will migrate those ASIDs to
+the parent cgroup.
+
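Review bot: the "Interface Files" title underline in this hunk is one character short (a 15-character title over 14 "=" characters), which Sphinx reports as "Title underline too short"; extend it to 15. Several sentences also need grammar fixes before merging: "usage reach this limit" should read "usage reaches this limit", "Migrating a process to a different cgroup do not move" should read "does not move", "ancestor's chain" should be "ancestors' chain", and "lists only SEV VM creation failed in A" should be "lists only SEV VM creation failures in A". The sev.max description says the limit "cannot be set lower than sev.current" but not what a write that violates this returns; state the error the write fails with so administrators can tell it apart from the -EBUSY returned at VM creation.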
@@ -63,8 +63,11 @@ v1 is available under :ref:`Documentation/admin-guide/cgroup-v1/index.rst <cgrou
5-7-1. RDMA Interface Files
5-8. HugeTLB
5.8-1. HugeTLB Interface Files
- 5-8. Misc
- 5-8-1. perf_event
+ 5-9 SEV
+ 5-9-1 SEV Interface Files
+ 5-9-2 SEV ASIDs Ownership
+ 5-10. Misc
+ 5-10-1. perf_event
5-N. Non-normative information
5-N-1. CPU controller root cgroup process behaviour
5-N-2. IO controller root cgroup process behaviour
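Review bot: the three new entries drop the trailing period that every other entry in this table of contents uses ("5-7-1. RDMA Interface Files", "5-10. Misc"); write them as "5-9. SEV", "5-9-1. SEV Interface Files" and "5-9-2. SEV ASIDs Ownership". While these lines are being renumbered it would also be worth correcting the pre-existing "5.8-1. HugeTLB Interface Files" to "5-8-1." so the list is consistent.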
@@ -2109,6 +2112,54 @@ HugeTLB Interface Files
are local to the cgroup i.e. not hierarchical. The file modified event
generated on this file reflects only the local events.
+SEV
+---
+
+The SEV controller regulates the distribution of SEV ASIDs. SEV ASIDs are used
+in creating encrypted VMs on AMD processors. SEV ASIDs are stateful and one
+ASID is only used in one KVM object at a time. It cannot be used with other KVM
+before unbinding it from the previous KVM.
+
+All SEV ASIDs are tracked by this controller and it allows for accounting and
+distribution of this resource.
+
+SEV Interface Files
+~~~~~~~~~~~~~~~~~~~
+
+ sev.current
+ A read-only single value file which exists on non-root cgroups.
+
+ The total number of SEV ASIDs currently in use by the cgroup and its
+ descendants.
+
+ sev.max
+ A read-write single value file which exists on non-root cgroups. The
+ default is "max".
+
+ SEV ASIDs usage hard limit. If the cgroup's current SEV ASIDs usage
+ reach this limit then the new SEV VMs creation will return error
+ -EBUSY. This limit cannot be set lower than sev.current.
+
+ sev.events
+ A read-only flat-keyed single value file which exists on non-root
+ cgroups. A value change in this file generates a file modified event.
+
+ max
+ The number of times the cgroup's SEV ASIDs usage was about to
+ go over the max limit. This is a tally of SEV VM creation
+ failures in the cgroup.
+
+SEV ASIDs Ownership
+~~~~~~~~~~~~~~~~~~~
+
+An SEV ASID is charged to the cgroup which instantiated it, and stays charged
+to the cgroup until the ASID is freed. Migrating a process to a different
+cgroup do not move the SEV ASID charge to the destination cgroup where the
+process has moved.
+
+Deletion of a cgroup with existing ASIDs charges will migrate those ASIDs to
+the parent cgroup.
+
Misc
----
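Review bot: the sev.max semantics in this hunk ("This limit cannot be set lower than sev.current") diverge from the rest of cgroup v2, where a limit such as pids.max may be written below current usage and only new allocations fail; either align with that convention or document the reasoning and the error the rejected write returns, since the section only names -EBUSY for VM creation. This text also repeats the new v1 file nearly verbatim, including its grammar slips ("usage reach this limit", "cgroup do not move"), so fix them in both places; the two copies already differ slightly ("stays charged to that cgroup" versus "to the cgroup"), and keeping one wording avoids the documents drifting apart.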
@@ -2120,7 +2171,6 @@ automatically enabled on the v2 hierarchy so that perf events can
always be filtered by cgroup v2 path. The controller can still be
moved to a legacy hierarchy after v2 hierarchy is populated.
-
Non-normative information
-------------------------
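Review bot: this hunk only deletes a blank line in the Misc/perf_event section and has nothing to do with the SEV controller, so it belongs in a separate whitespace cleanup or should be dropped from this patch; if it stays, confirm that a blank line still separates "moved to a legacy hierarchy after v2 hierarchy is populated." from the "Non-normative information" title, since reStructuredText requires a blank line before a section title and would otherwise not render it as one.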