![]() ![]() These AMD SEV throttling patches are also marked as candidates for back-porting to the stable kernel series to further help fend off potentially malicious VM users trying to overload the AMD Secure Processor. You can put your web app behind APIM and use the IP address throttling policy. These AMD SEV patches were sent in today as part of the x86/urgent pull request prior to tonight's Linux 6.3-rc3 release. Given the security nature of this change, it was sent in now that the code is deemed ready and outside of the usual kernel merge window period. This is a good default but if it turns out to not pan out in practice, it can be tweaked later." So the guest is given a throttling period of 1 minute in which it retries the request every 2 seconds. ![]() That error code is returned in the upper 32-bit half of exitinfo2 and this is part of the GHCB spec v2. To the implementation: the hypervisor signals with SNP_GUEST_REQ_ERR_BUSY that the guest requests should be throttled. Such guest should get throttled and if its VMPCK gets disabled, then that's its own wrongdoing and perhaps that guest even deserves it. Obviously, something weird has been happening during last hour. During last hour number of throttled requests are similar to the same metric for previous 5 hours. If you look at this graph for last 6 hours, youll see Throttled requests is 1.18K. This is more to address the case of a malicious guest. What I dont like on the graph is that there is 2 User errors and 525 User requests. During its lifetime, it would end up issuing a handful of requests which the hardware can easily handle. Realistically speaking, a well-behaved guest should not even care about throttling. Otherwise, the VM platform communication key will be disabled, preventing the guest from attesting itself. check if the e-mail contains attachments. Therefore, the host is permitted and encouraged to throttle such guest requests.Īdd the capability to handle the case when the hypervisor throttles excessive numbers of requests issued by the guest. So when I receive the notification that the operation throttled, it means that the limit has been reached and no further e-mails are checked on that day The flow contains multiple checks: 1. "A potentially malicious SEV guest can constantly hammer the hypervisor using this driver to send down requests and thus prevent or at least considerably hinder other guests from issuing requests to the secure processor which is a shared platform resource. Dionna Glaze explained in one of the patches for this AMD SEV throttling: Robinhood offers a variety of services to make the lives of investors easier. Office 365 SharePoint Online enforces throttling limits to prevent users from over-consuming resources. Google engineer Dionna Glaze has been working on this "throttling awareness" support for AMD SEV guests and this Linux kernel code was agreed to by AMD's Linux engineers. The change is to protect the AMD Secure Processor from being potentially overloaded with requests by nefarious guest VMs. A change sent in this Sunday ahead of the Linux 6.3-rc3 release is a late addition adding a throttling mechanism to protect the hypervisor from potentially malicious AMD Secure Encrypted Virtualization (SEV) guests.
0 Comments
Leave a Reply. |