To: devel@lists.libvirt.org
Subject: [RFC PATCH 6/8] qemu: Add cgroup and namespace setup for ACPI EGM memory device
Date: Tue, 22 Jul 2025 15:26:06 -0500
Message-ID: <20250722202609.1823658-7-ianm@nvidia.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20250722202609.1823658-1-ianm@nvidia.com>
References: <20250722202609.1823658-1-ianm@nvidia.com>
CC: ianm@nvidia.com
From: Ian May via Devel
Reply-To: Ian May
Content-Type: text/plain; charset="utf-8"

Implement proper isolation and access control for ACPI EGM memory devices:

- Add device to cgroup for access control
- Set up namespace mappings for device access
- Ensure proper permissions in containerized environments

Signed-off-by: Ian May
---
 src/qemu/qemu_cgroup.c    | 21 +++++++++++++++++++++
 src/qemu/qemu_namespace.c | 21 +++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 25e42ebfc6..3a33087778 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -753,6 +753,22 @@ qemuSetupSEVCgroup(virDomainObj *vm) VIR_CGROUP_DEVICE_RW, false); } =20 +static int +qemuSetupAcpiEgmCgroup(virDomainObj *vm) +{ + g_autofree char *path =3D NULL; + + path =3D g_strdup_printf("/dev/%s", vm->def->egm->alias); + + if (path && + qemuCgroupAllowDevicePath(vm, path, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; + } + + return 0; +} + static int qemuSetupDevicesCgroup(virDomainObj *vm) { @@ -871,6 +887,11 @@ qemuSetupDevicesCgroup(virDomainObj *vm) } } =20 + if (vm->def->egm) { + if (qemuSetupAcpiEgmCgroup(vm) < 0) + return -1; + } + return 0; } =20 diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index 59421ec9d1..60000c2636 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -676,6 +676,24 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm, } =20 =20 +static int +qemuDomainSetupAcpiEgm(virDomainObj *vm, + GSList **paths) +{ + virDomainAcpiEgmDef *egm =3D vm->def->egm; + g_autofree char *path =3D NULL; + + if (!egm) + return 0; + + path =3D g_strdup_printf("/dev/%s", egm->alias); + + *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); + + return 0; +} + + static int qemuNamespaceMknodPaths(virDomainObj *vm, GSList *paths, @@ -729,6 +747,9 @@ qemuDomainBuildNamespace(virQEMUDriverConfig *cfg, if (qemuDomainSetupLaunchSecurity(vm, &paths) < 0) return -1; =20 + if (qemuDomainSetupAcpiEgm(vm, &paths) < 0) + return -1; + if (qemuNamespaceMknodPaths(vm, paths, NULL) < 0) return -1; =20 --=20 2.43.0
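Review bot: in the qemu_cgroup.c hunk at `@@ -753,6 +753,22 @@`, the `if (path && ...)` guard in qemuSetupAcpiEgmCgroup is dead code: g_strdup_printf() aborts on allocation failure rather than returning NULL, so the extra condition only makes a (never occurring) NULL path look like a silent success. Drop the `path &&` and test only the qemuCgroupAllowDevicePath() result, as qemuSetupSEVCgroup just above it does. Separately, the device node being whitelisted is built from `vm->def->egm->alias`; if the alias can be chosen by the user rather than generated by libvirt, the cgroup rule is effectively user-controlled, so a comment should state why the alias and the host /dev entry are guaranteed to coincide, or the path should come from the device definition instead.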
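Review bot: in the qemu_cgroup.c hunk at `@@ -871,6 +887,11 @@`, the NULL check on `vm->def->egm` is done by the caller, whereas the namespace counterpart qemuDomainSetupAcpiEgm checks `!egm` inside the helper; make the two consistent by moving the check into qemuSetupAcpiEgmCgroup so it is safe to call unconditionally, which also collapses the nested block to a single `if (qemuSetupAcpiEgmCgroup(vm) < 0) return -1;` matching the surrounding call sites.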
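Review bot: in the qemu_namespace.c hunk at `@@ -676,6 +676,24 @@`, qemuDomainSetupAcpiEgm duplicates the `"/dev/%s"` construction from `egm->alias` that qemuSetupAcpiEgmCgroup already hard-codes; if the two ever diverge, the node created in the mount namespace will not be the one permitted by the cgroup and the guest fails at runtime with an unhelpful permission error. Factor the path into one shared helper (for instance a qemuDomainGetAcpiEgmDevicePath() in qemu_domain.c; the name is a suggestion, not an existing function) and call it from both places. The function also has no failure path and always returns 0, so a short doc comment above it stating that it cannot fail, and what host device node the path is expected to name, would help the next reader.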