
AMD SEV Optimizations Ready For Linux 6.17 Plus A 10x Improvement For Intel TDX



There are a few AMD [1]Secure Encrypted Virtualization improvements on the way for the Linux 6.17 kernel worth noting.

Sean Christopherson of Google sent out all the KVM x86 changes this weekend for Linux 6.17. Those changes were submitted to the Kernel-based Virtual Machine maintainer Paolo Bonzini of Red Hat. Notable with the KVM x86 changes this cycle are some AMD SEV optimizations as well as continued work on Intel TDX.

Most notable on the AMD side is [2]smarter cache flushing for AMD SEV VM guests. Cache flushes are now carried out only on CPUs that have entered the relevant VM since the last cache flush, rather than flushing the caches of all CPU cores.

There are also other improvements like avoiding an unnecessary Write Back and Invalidate Cache (WBINVD) on all CPU cores when destroying a virtual machine.

" - Drop a superfluous WBINVD (on all CPUs!) when destroying a VM.

- Use WBNOINVD instead of WBINVD when possible, for SEV cache maintenance, e.g. to minimize collateral damage when reclaiming memory from an SEV guest.

- When reclaiming memory from an SEV guest, only do cache flushes on CPUs that have ever run a vCPU for the guest, i.e. don't flush the caches for CPUs that can't possibly have cache lines with dirty, encrypted data."

More details on those AMD SEV improvements for Linux 6.17 via [3]this pull.
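As an added illustration of the tracking scheme behind the cache-flush change above (this is a user-space model written for this page, not code from the KVM pull): each VM keeps a mask of CPUs that have run one of its vCPUs since the last flush, a reclaim flushes only those CPUs and then clears the mask. The names (vm_t, vm_vcpu_run_on, reclaim_flush_targeted), the 64-CPU limit and the pinning scenario are all assumptions of the example; the kernel uses a cpumask and real WBINVD/WBNOINVD IPIs where this model just counts.

```c
/* Model of "flush only CPUs that ran the guest since the last flush".
 * Added example, not kernel code; the real implementation lives in KVM. */
#include <stdint.h>
#include <stdio.h>

#define MAX_CPUS 64   /* assumption: one 64-bit word models the host cpumask */

typedef struct {
    uint64_t ran_since_flush;   /* bit i set: CPU i ran a vCPU of this VM since last flush */
} vm_t;

static void vm_init(vm_t *vm)
{
    vm->ran_since_flush = 0;
}

/* Called on the CPU that is about to enter the guest: from now on it may
 * hold dirty cache lines containing guest-encrypted data. */
static void vm_vcpu_run_on(vm_t *vm, unsigned cpu)
{
    if (cpu < MAX_CPUS)
        vm->ran_since_flush |= (uint64_t)1 << cpu;
}

static unsigned popcount64(uint64_t x)
{
    unsigned n = 0;
    for (; x; x >>= 1)
        n += (unsigned)(x & 1);
    return n;
}

/* Old scheme: a reclaim flushes the cache on every CPU in the host. */
static unsigned reclaim_flush_all(vm_t *vm, unsigned nr_host_cpus)
{
    vm->ran_since_flush = 0;
    return nr_host_cpus;            /* number of CPUs that did a flush */
}

/* New scheme: flush only the CPUs recorded in the mask, then clear it,
 * since a flushed CPU no longer holds dirty guest lines. */
static unsigned reclaim_flush_targeted(vm_t *vm)
{
    unsigned flushed = popcount64(vm->ran_since_flush);
    vm->ran_since_flush = 0;
    return flushed;
}

/* Constructed scenario: the guest's vCPUs are pinned to CPUs 2, 3, 10, 11
 * of a 64-CPU host and memory is reclaimed three times. */
#define SCENARIO_ROUNDS 3
#define SCENARIO_HOST_CPUS 64

static void run_guest_round(vm_t *vm)
{
    vm_vcpu_run_on(vm, 2);
    vm_vcpu_run_on(vm, 3);
    vm_vcpu_run_on(vm, 2);      /* same CPU twice: still one flush target */
    vm_vcpu_run_on(vm, 10);
    vm_vcpu_run_on(vm, 11);
}

static unsigned scenario_flushes_all(void)
{
    vm_t vm;
    unsigned total = 0;
    vm_init(&vm);
    for (int r = 0; r < SCENARIO_ROUNDS; r++) {
        run_guest_round(&vm);
        total += reclaim_flush_all(&vm, SCENARIO_HOST_CPUS);
    }
    return total;                    /* 3 rounds * 64 CPUs = 192 */
}

static unsigned scenario_flushes_targeted(void)
{
    vm_t vm;
    unsigned total = 0;
    vm_init(&vm);
    for (int r = 0; r < SCENARIO_ROUNDS; r++) {
        run_guest_round(&vm);
        total += reclaim_flush_targeted(&vm);
    }
    /* A reclaim with no guest entry in between has nothing to flush. */
    total += reclaim_flush_targeted(&vm);
    return total;                    /* 3 rounds * 4 CPUs + 0 = 12 */
}

int main(void)
{
    printf("flush-all scheme:  %u CPU flushes\n", scenario_flushes_all());
    printf("targeted scheme:   %u CPU flushes\n", scenario_flushes_targeted());
    return 0;
}
```

The invariant that makes the targeted scheme safe is that the mask is cleared only after the flush on those CPUs completes; clearing a bit early, or forgetting to set it on guest entry, would leave dirty encrypted lines in a cache that is never written back before the page is reused.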

[4]Another pull also gets rid of KVM's rejection of AMD SEV-SNP's SMT and single-socket policy restrictions to instead rely on firmware for obtaining the policy.

Over on the Intel TDX side is [5]this pull that adds the KVM_TDX_TERMINATE_VM sub-ioctl for letting user-space mark a VM as dead. Using KVM_TDX_TERMINATE_VM can reduce memory page reclaim time by a factor of 10x or more.

"Add a TDX sub-ioctl, KVM_TDX_TERMINATE_VM, to let userspace mark a VM as dead, and most importantly release its HKID, prior to dropping the last reference to the VM. Releasing the HKID moves the VM to TDX's TEARDOWN state, which allows pages to be reclaimed directly and ultimately reduces total reclaim time by a factor of 10x or more."

Lots of great changes in the open-source virtualization space on the way for Linux 6.17.



[1] https://www.phoronix.com/search/Secure+Encrypted+Virtualization

[2] https://www.phoronix.com/news/Linux-6.17-AMD-SEV-Opt-Flush

[3] https://lore.kernel.org/lkml/20250725220713.264711-11-seanjc@google.com/

[4] https://lore.kernel.org/lkml/20250725220713.264711-12-seanjc@google.com/

[5] https://lore.kernel.org/lkml/20250725220713.264711-13-seanjc@google.com/