From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 8/9] qemu: Enable SCHED_CORE for domains and helper processes
Date: Mon, 27 Jun 2022 12:44:40 +0200
Message-Id: <8ab264b5d03d4e731fdbdd780b9d8e87d70372ad.1656324035.git.mprivozn@redhat.com>

Despite all mitigations, side channel attacks when two processes
run at two Hyper Threads of the same core are still possible.
Fortunately, the Linux kernel came up with a solution: userspace
can create so-called trusted groups, which are sets of processes
and only processes of the same group can run on sibling Hyper
Threads. Of course, two processes of different groups can run on
different cores, because there's no known side channel attack.
It's only Hyper Threads that are affected.

Having said that, it's a clear security win for users when
enabled for QEMU.

Signed-off-by: Michal Privoznik
--- src/qemu/qemu_process.c | 5 +++++ src/qemu/qemu_security.c | 4 ++++ src/qemu/qemu_virtiofs.c | 3 +++ 3 files changed, 12 insertions(+) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 771a623ef7..86c058316f 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c 
@@ -2919,6 +2919,9 @@ qemuProcessStartManagedPRDaemon(virDomainObj *vm) * qemu (so that it shares the same view of the system). */ virCommandSetPreExecHook(cmd, qemuProcessStartPRDaemonHook, vm); =20 + if (cfg->schedCore =3D=3D QEMU_SCHED_CORE_FULL && vm->pid !=3D 0) + virCommandSetRunAmong(cmd, vm->pid); + if (virCommandRun(cmd, NULL) < 0) goto cleanup; =20 @@ -7634,6 +7637,8 @@ qemuProcessLaunch(virConnectPtr conn, virCommandSetMaxProcesses(cmd, cfg->maxProcesses); if (cfg->maxFiles > 0) virCommandSetMaxFiles(cmd, cfg->maxFiles); + if (cfg->schedCore !=3D QEMU_SCHED_CORE_NONE) + virCommandSetRunAlone(cmd); =20 /* In this case, however, zero means that core dumps should be * disabled, and so we always need to set the limit explicitly */ diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 3be1766764..badb8fc8ba 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -683,6 +683,8 @@ qemuSecurityCommandRun(virQEMUDriver *driver, int *exitstatus, int *cmdret) { + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + if (virSecurityManagerSetChildProcessLabel(driver->securityManager, vm->def, cmd) < 0) return -1; @@ -691,6 +693,8 @@ qemuSecurityCommandRun(virQEMUDriver *driver, virCommandSetUID(cmd, uid); if (gid !=3D (gid_t) -1) virCommandSetGID(cmd, gid); + if (cfg->schedCore =3D=3D QEMU_SCHED_CORE_FULL && vm->pid !=3D 0) + virCommandSetRunAmong(cmd, vm->pid); =20 if (virSecurityManagerPreFork(driver->securityManager) < 0) return -1; diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 2fd4b9f987..faf8fedc0c 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -252,6 +252,9 @@ qemuVirtioFSStart(virQEMUDriver *driver, virCommandNonblockingFDs(cmd); virCommandDaemonize(cmd); =20 + if (cfg->schedCore =3D=3D QEMU_SCHED_CORE_FULL && vm->pid !=3D 0) + virCommandSetRunAmong(cmd, vm->pid); + if (qemuExtDeviceLogCommand(driver, vm, cmd, "virtiofsd") < 0) goto error; =20 --=20 2.35.1
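
Review bot: In the qemuProcessStartManagedPRDaemon hunk, the test `cfg->schedCore == QEMU_SCHED_CORE_FULL && vm->pid != 0` followed by `virCommandSetRunAmong(cmd, vm->pid)` is the first of three identical copies; the same two lines appear again in qemuSecurityCommandRun and qemuVirtioFSStart. Moving them into one small helper that takes the config, the domain object and the command would keep the three call sites from drifting apart if the condition ever changes, and would give a single place to document when a helper process joins the domain's group.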
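
Review bot: The `cfg->schedCore != QEMU_SCHED_CORE_NONE` check added in the qemuProcessLaunch hunk carries no comment, and its condition differs from the helper hunks, which all test `== QEMU_SCHED_CORE_FULL`. A short comment above `virCommandSetRunAlone(cmd)` saying that QEMU gets its own group for every setting other than NONE, while helper processes are placed into that group only under FULL, would show that the asymmetry is intentional. The commit message does not describe the setting's values either, so a sentence there would help too.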
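
Review bot: In the two qemu_security.c hunks (qemuSecurityCommandRun), when schedCore is FULL but `vm->pid` is 0 the `virCommandSetRunAmong()` call is skipped with no log message and no error, so the command runs outside the domain's group even though the configured mode is FULL. Either add a comment explaining why a zero pid is expected and acceptable at this point, or emit a debug message in that branch so the gap is visible when auditing which helper processes actually share the domain's group.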