The Linux kernel offers a way to mitigate side channel attacks on Hyper
Threads (e.g. MDS and L1TF). Long story short, userspace can define
groups of processes (aka trusted groups) and only processes within one
group can run on sibling Hyper Threads. The group membership is
automatically preserved on fork() and exec().

Now, there is one scenario which I don't cover in my series and I'd like
to hear proposals: if there are two guests with an odd number of vCPUs they
can no longer run on sibling Hyper Threads because my patches create a
separate group for each QEMU. This is a performance penalty. Ideally, we
would have a knob inside the domain XML that would place two or more domains
into the same trusted group. But since there's no pre-existing example (of
sharing a piece of information between two domains) I've failed to come
up with something usable.

Also, it's worth noting that on the kernel level, group membership is
expressed by a so-called 'cookie' which is effectively a unique UL
number, but there's no API that would "set this number on a given
process", so we may have to go with some abstraction layer.

Michal Prívozník (10):
qemu_tpm: Make APIs work over a single virDomainTPMDef
qemu_dbus: Separate PID read code into qemuDBusGetPID
qemu_vhost_user_gpu: Export qemuVhostUserGPUGetPid()
qemu_tpm: Expose qemuTPMEmulatorGetPid()
qemu_virtiofs: Separate PID read code into qemuVirtioFSGetPid
virprocess: Core Scheduling support
virCommand: Introduce APIs for core scheduling
qemu_conf: Introduce a knob to turn off SCHED_CORE
qemu: Enable SCHED_CORE for domains and helper processes
qemu: Place helper processes into the same trusted group
src/libvirt_private.syms | 6 +
src/qemu/libvirtd_qemu.aug | 1 +
src/qemu/qemu.conf.in | 5 +
src/qemu/qemu_conf.c | 24 ++++
src/qemu/qemu_conf.h | 2 +
src/qemu/qemu_dbus.c | 42 ++++---
src/qemu/qemu_dbus.h | 4 +
src/qemu/qemu_extdevice.c | 171 ++++++++++++++++++++++++++---
src/qemu/qemu_extdevice.h | 3 +
src/qemu/qemu_process.c | 9 ++
src/qemu/qemu_security.c | 4 +
src/qemu/qemu_tpm.c | 91 +++++----------
src/qemu/qemu_tpm.h | 18 ++-
src/qemu/qemu_vhost_user_gpu.c | 2 +-
src/qemu/qemu_vhost_user_gpu.h | 8 ++
src/qemu/qemu_virtiofs.c | 41 ++++---
src/qemu/qemu_virtiofs.h | 5 +
src/qemu/test_libvirtd_qemu.aug.in | 1 +
src/util/vircommand.c | 74 +++++++++++++
src/util/vircommand.h | 5 +
src/util/virprocess.c | 124 +++++++++++++++++++++
src/util/virprocess.h | 8 ++
22 files changed, 538 insertions(+), 110 deletions(-)
--
2.35.1
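For illustration, here is an added example (my own code, not part of this series or of libvirt) of the prctl(2) core-scheduling interface the cover letter refers to: a process creates a fresh cookie for itself, a child inherits it across fork(), and a helper process can be pulled into the same trusted group. It assumes a Linux 5.14 or newer kernel; the ok/unsupported/error result convention and the CORE_SCOPE_* names are the example's own.

```c
/* Added example, not libvirt code: the core-scheduling prctl() interface the cover
 * letter refers to. Constants follow the Linux 5.14+ uapi (fallbacks for old headers). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef PR_SCHED_CORE
# define PR_SCHED_CORE 62
# define PR_SCHED_CORE_GET 0        /* read a task's cookie */
# define PR_SCHED_CORE_CREATE 1     /* allocate a fresh cookie (new trusted group) */
# define PR_SCHED_CORE_SHARE_TO 2   /* copy the caller's cookie onto another process */
#endif
#define CORE_SCOPE_THREAD 0        /* pid names one task   (PR_SCHED_CORE_SCOPE_THREAD) */
#define CORE_SCOPE_THREAD_GROUP 1  /* pid names a process  (PR_SCHED_CORE_SCOPE_THREAD_GROUP) */
/* Wrap prctl(): 0 = ok, 1 = kernel/CPU lacks core scheduling (EINVAL without
 * CONFIG_SCHED_CORE, ENODEV without SMT siblings), -1 = real error with errno set. */
static int core_sched(int cmd, pid_t pid, int scope, uint64_t *cookie)
{
    if (prctl(PR_SCHED_CORE, cmd, pid, scope, cookie) == 0) return 0;
    return (errno == EINVAL || errno == ENODEV) ? 1 : -1;
}
/* Put the calling process into a fresh trusted group of its own. */
int core_sched_create_group(void)
{ return core_sched(PR_SCHED_CORE_CREATE, 0, CORE_SCOPE_THREAD_GROUP, NULL); }
/* Read pid's cookie (0 = no group). Only a hash of the cookie is exposed, so it
 * can be compared but not chosen: this is why no "set this cookie" call exists. */
int core_sched_get_cookie(pid_t pid, uint64_t *cookie)
{ *cookie = 0; return core_sched(PR_SCHED_CORE_GET, pid, CORE_SCOPE_THREAD, cookie); }
/* Pull a helper process (swtpm, virtiofsd, ...) into the caller's group. */
int core_sched_share_to(pid_t helper)
{ return core_sched(PR_SCHED_CORE_SHARE_TO, helper, CORE_SCOPE_THREAD_GROUP, NULL); }
/* fork() preserves membership: returns 1 if a child carries the parent's cookie,
 * 0 if core scheduling is unavailable on this host, -1 on error. */
int core_sched_fork_inherits(void)
{
    uint64_t parent = 0, child = 0;
    int fds[2], r = core_sched_create_group();
    pid_t pid;
    if (r != 0) return r == 1 ? 0 : -1;
    if (core_sched_get_cookie(0, &parent) != 0 || parent == 0 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) { char c; (void)read(fds[0], &c, 1); _exit(0); } /* child: wait for release */
    r = core_sched_get_cookie(pid, &child);  /* parent inspects the child's cookie */
    (void)write(fds[1], "x", 1); close(fds[0]); close(fds[1]);
    waitpid(pid, NULL, 0);
    return r == 0 && child == parent;
}
```

On a host without SMT or without CONFIG_SCHED_CORE every call reports "unsupported" rather than failing, which is the case a management daemon has to tolerate.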