[PATCH RFC 00/10] qemu: Enable SCHED_CORE for domains and helper processes

Michal Privoznik mprivozn at redhat.com
Mon May 9 15:02:07 UTC 2022 

The Linux kernel offers a way to mitigate side channel attacks on Hyper
Threads (e.g. MDS and L1TF). Long story short, userspace can define
groups of processes (aka trusted groups) and only processes within one
group can run on sibling Hyper Threads. The group membership is
automatically preserved on fork() and exec().

Now, there is one scenario which I don't cover in my series and I'd like
to hear proposal: if there are two guests with odd number of vCPUs they
can no longer run on sibling Hyper Threads because my patches create
separate group for each QEMU. This is a performance penalty. Ideally, we
would have a knob inside domain XML that would place two or more domains
into the same trusted group. But since there's pre-existing example (of
sharing a piece of information between two domains) I've failed to come
up with something usable.

Also, it's worth noting, that on kernel level, group membership is
expressed by so called 'cookie' which is effectively an unique UL
number, but there's no API that would "set this number on given
process", so we may have to go with some abstraction layer.

Michal Prívozník (10):
  qemu_tpm: Make APIs work over a single virDomainTPMDef
  qemu_dbus: Separate PID read code into qemuDBusGetPID
  qemu_vhost_user_gpu: Export qemuVhostUserGPUGetPid()
  qemu_tpm: Expose qemuTPMEmulatorGetPid()
  qemu_virtiofs: Separate PID read code into qemuVirtioFSGetPid
  virprocess: Core Scheduling support
  virCommand: Introduce APIs for core scheduling
  qemu_conf: Introduce a knob to turn off SCHED_CORE
  qemu: Enable SCHED_CORE for domains and helper processes
  qemu: Place helper processes into the same trusted group

 src/libvirt_private.syms           |   6 +
 src/qemu/libvirtd_qemu.aug         |   1 +
 src/qemu/qemu.conf.in              |   5 +
 src/qemu/qemu_conf.c               |  24 ++++
 src/qemu/qemu_conf.h               |   2 +
 src/qemu/qemu_dbus.c               |  42 ++++---
 src/qemu/qemu_dbus.h               |   4 +
 src/qemu/qemu_extdevice.c          | 171 ++++++++++++++++++++++++++---
 src/qemu/qemu_extdevice.h          |   3 +
 src/qemu/qemu_process.c            |   9 ++
 src/qemu/qemu_security.c           |   4 +
 src/qemu/qemu_tpm.c                |  91 +++++----------
 src/qemu/qemu_tpm.h                |  18 ++-
 src/qemu/qemu_vhost_user_gpu.c     |   2 +-
 src/qemu/qemu_vhost_user_gpu.h     |   8 ++
 src/qemu/qemu_virtiofs.c           |  41 ++++---
 src/qemu/qemu_virtiofs.h           |   5 +
 src/qemu/test_libvirtd_qemu.aug.in |   1 +
 src/util/vircommand.c              |  74 +++++++++++++
 src/util/vircommand.h              |   5 +
 src/util/virprocess.c              | 124 +++++++++++++++++++++
 src/util/virprocess.h              |   8 ++
 22 files changed, 538 insertions(+), 110 deletions(-)

-- 
2.35.1

More information about the libvir-list mailing list