Merge pull request #1002 from intel/push-2026-02-20

Push 2026 02 20

Author: opcm

.github/workflows/ci-cas-security-dockerfile.yml

@@ -0,0 +1,38 @@
+name: Security Scanning (dockerfile)
+
+on:
+  schedule:
+  # Every 2 months on 1st at midnight UTC
+    - cron: '0 0 1 */2 *'
+  # Manual trigger for testing
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ["innersource.prod.amr.dind"]
+    if: ${{ github.repository != 'intel/pcm' }}
+
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: false
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: CAS Security Orchestrator (Source Only)
+        uses: intel-innersource/applications.security.monitoring.cas@v2
+        with:
+          sdl-api-key: ${{ secrets.SDL_API_KEY }}
+          sdl-project-id: ${{ secrets.SDL_PROJECT_ID }}
+          sdl-idsid-value: ${{ secrets.SDL_IDSID_VALUE }}
+          # Scan for SDL419 only (workaround), SDL441 has separate scan
+          sdl-tasks: "SDL419"
+          # Set branch type to 'release' for scheduled runs and manual trigger on main branch.
+          # Required for automatic evidence submit. Excludes push events.
+          branch-type: ${{ github.ref == 'refs/heads/main' && (github.event_name == 'workflow_dispatch' || github.event_name == 'schedule') && 'release' || 'dev' }}

.github/workflows/ci-cas-security.yml

@@ -0,0 +1,43 @@
+name: Security Scanning (Source Code)
+
+on:
+  schedule:
+  # Every 2 months on 1st at midnight UTC
+    - cron: '0 0 1 */2 *'
+  # Manual trigger for testing
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ["innersource.prod.amr.dind"]
+    if: ${{ github.repository != 'intel/pcm' }}
+
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Python dependencies for SCA scanning
+        run: |
+          pip install -r perfmon/requirements.txt || true
+          pip install -r perfmon/scripts/ci/verify_mapfile/requirements.txt || true
+          pip install -r Intel-PMT/tools/docker/requirements.txt || true
+
+      - name: CAS Security Orchestrator (Source Only)
+        uses: intel-innersource/applications.security.monitoring.cas@v2
+        with:
+          sdl-api-key: ${{ secrets.SDL_API_KEY }}
+          sdl-project-id: ${{ secrets.SDL_PROJECT_ID }}
+          sdl-idsid-value: ${{ secrets.SDL_IDSID_VALUE }}
+          sdl-tasks: "SDL441"  # scan for SDL441 only, SDL419 has separate scan (workaround)
+          # Set branch type to 'release' for scheduled runs and manual trigger on main branch.
+          # Required for automatic evidence submit. Excludes push events.
+          branch-type: ${{ github.ref == 'refs/heads/main' && (github.event_name == 'workflow_dispatch' || github.event_name == 'schedule') && 'release' || 'dev' }}

.github/workflows/ci-fuzz-micro.yml

@@ -41,7 +41,9 @@ jobs:
     - name: upload-artifact
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: fuzz-log-${{ github.sha }}
-        path: "build/fuzz-log.txt"
+        name: fuzz-evidence-${{ github.sha }}
+        path: |
+          build/fuzz-log.txt
+          build/report.txt
 
 

.github/workflows/ci-fuzz.yml

@@ -43,7 +43,9 @@ jobs:
     - name: upload-artifact
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
-        name: fuzz-log-${{ github.sha }}
-        path: "build/fuzz-log.txt"
+        name: fuzz-evidence-${{ github.sha }}
+        path: |
+          build/fuzz-log.txt
+          build/report.txt
 
 

.github/workflows/ci-windows.yml

@@ -8,6 +8,7 @@ on:
 
 env:
   BUILD_TYPE: Release
+  OPENSSL_ROOT_DIR: "C:\\Program Files\\OpenSSL-Win64"
 
 permissions:
   contents: read
@@ -30,7 +31,11 @@ jobs:
     - name: Configure CMake
       run: |
         if (Test-Path ${{github.workspace}}\build){ Remove-Item ${{github.workspace}}\build -Recurse }
-        cmake -B ${{github.workspace}}\build
+        $cryptoLib = "$env:OPENSSL_ROOT_DIR\lib\VC\x64\MT\libcrypto_static.lib"
+        $sslLib = "$env:OPENSSL_ROOT_DIR\lib\VC\x64\MT\libssl_static.lib"
+        cmake -B ${{github.workspace}}\build `
+          -DLIB_EAY_RELEASE:FILEPATH="$cryptoLib" `
+          -DSSL_EAY_RELEASE:FILEPATH="$sslLib"
     - name: Build
       run: |
         cmake --build ${{github.workspace}}\build --config ${{env.BUILD_TYPE}} --parallel

.gitignore

@@ -35,3 +35,4 @@ build
 src/simdjson
 .vscode/
 _codeql_build_dir/
+tests/numa_test

Dockerfile

@@ -4,13 +4,26 @@ FROM fedora:43@sha256:6cd815d862109208adf6040ea13391fe6aeb87a9dc80735c2ab07083fd
 # Copyright (c) 2020-2024 Intel Corporation
 
 RUN dnf -y install gcc-c++ git findutils make cmake openssl openssl-devel libasan libasan-static hwdata
+
 COPY . /tmp/pcm
-RUN cd /tmp/pcm && mkdir build && cd build && cmake -DPCM_NO_STATIC_LIBASAN=OFF .. && make -j
+WORKDIR /tmp/pcm/build
+RUN cmake -DPCM_NO_STATIC_LIBASAN=OFF .. && make -j
 
 FROM fedora:43@sha256:6cd815d862109208adf6040ea13391fe6aeb87a9dc80735c2ab07083fdf5e03a
+
 COPY --from=builder /tmp/pcm/build/bin/* /usr/local/bin/
 COPY --from=builder /tmp/pcm/build/bin/opCode*.txt /usr/local/share/pcm/
 COPY --from=builder /usr/share/hwdata/pci.ids /usr/share/hwdata/pci.ids
 ENV PCM_NO_PERF=1
 
-ENTRYPOINT [ "/usr/local/bin/pcm-sensor-server", "-p", "9738", "-r" ]
+RUN useradd -m pcm-user
+
+# Allow pcm-user to run the server via sudo without a password
+RUN echo "pcm-user ALL=(root) NOPASSWD: /usr/local/bin/pcm-sensor-server" >> /etc/sudoers
+
+USER pcm-user
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD sudo /usr/local/bin/pcm-sensor-server --help > /dev/null 2>&1 || exit 1
+
+ENTRYPOINT [ "sudo", "/usr/local/bin/pcm-sensor-server", "-p", "9738", "-r" ]

Intel-PMT

@@ -14,4 +14,6 @@
 
 `PCM_ENFORCE_MBM=1` :  force-enable Memory Bandwidth Monitoring (MBM) metrics (LocalMemoryBW = LMB) and (RemoteMemoryBW = RMB) on processors with RDT/MBM errata
 
+`PCM_QUIET=1` :  enable quiet mode for PCM initialization. In quiet mode, only error messages are output during PCM initialization, suppressing informational output such as processor information and topology details
+
 `PCM_DEBUG_LEVEL=x` :  x is an integer defining debug output level. level = 0 (default): minimal or no debug info, > 0 increases verbosity

doc/ENVVAR_README.md

@@ -0,0 +1,119 @@
+# NUMA Node Location API for PCI Devices
+
+## Overview
+
+The `getNUMANode()` API allows you to retrieve the NUMA (Non-Uniform Memory Access) node location of a PCI device identified by its segment:bus:device:function coordinates.
+
+## Background
+
+- **PciHandle** and **PciHandleMM** classes are abstractions of PCI configuration space registers
+- Each PCI device has a unique location: `segment:bus:device:function`
+- **segment** is also known as **group number** or **domain** (synonyms: groupnr, groupnr_)
+
+## API Usage
+
+### Method Signature
+
+```cpp
+int32 PciHandle::getNUMANode() const;
+int32 PciHandleMM::getNUMANode() const;
+```
+
+### Return Value
+
+- **>= 0**: The NUMA node ID where the PCI device is located
+- **-1**: NUMA information not available or not applicable
+
+### Example
+
+```cpp
+#include "pci.h"
+
+using namespace pcm;
+
+// Open a PCI device at segment 0, bus 0, device 0, function 0
+PciHandleType handle(0, 0, 0, 0);
+
+// Get the NUMA node
+int32 numa_node = handle.getNUMANode();
+
+if (numa_node >= 0) {
+    std::cout << "Device is on NUMA node: " << numa_node << "\n";
+} else {
+    std::cout << "NUMA information not available\n";
+}
+```
+
+## Platform-Specific Implementation
+
+### Linux
+
+- **Method**: Reads from `/sys/bus/pci/devices/<domain>:<bus>:<device>.<function>/numa_node`
+- **Fallback**: Also tries `/pcm/sys/bus/pci/devices/...` path
+- **Return**: 
+  - NUMA node ID (typically 0, 1, 2, ...) if available
+  - -1 if the file doesn't exist or can't be read
+
+### Windows
+
+- **Method**: Reads SRAT (System Resource Affinity Table) from ACPI firmware using `GetSystemFirmwareTable` API
+- **Implementation**: 
+  - Parses SRAT table to extract PCI Device Affinity structures (type 2)
+  - Builds a mapping from PCI device location (segment:bus:device:function) to NUMA node (proximity domain)
+  - Caches the mapping on first call for performance
+- **Return**: 
+  - NUMA node ID (proximity domain) if device is found in SRAT table
+  - -1 if SRAT table is not available or device is not listed
+- **Requirements**: Windows Vista or later (for `GetSystemFirmwareTable` API)
+
+### FreeBSD / DragonFly
+
+- **Method**: Queries system via `sysctlbyname()` for NUMA domain information
+- **Implementation**:
+  - First checks if NUMA is enabled via `vm.ndomains` sysctl
+  - Attempts to query PCI device-specific NUMA domain using multiple sysctl path formats
+  - Tries: `hw.pci.X.Y.Z.W.numa_domain` and `hw.pci.X:Y:Z.W.numa_domain`
+- **Return**:
+  - NUMA node ID if available and system has NUMA enabled
+  - -1 if NUMA is disabled, not supported, or device affinity information unavailable
+- **Note**: FreeBSD doesn't have a standardized sysctl path for PCI device NUMA affinity across all versions
+
+### macOS
+
+- **Method**: Returns -1 (macOS typically doesn't expose NUMA for PCI devices)
+- **Return**: -1 (not applicable)
+
+## Use Cases
+
+1. **Performance Optimization**: Place processing threads on the same NUMA node as the device
+2. **Memory Allocation**: Allocate buffers on the same NUMA node for optimal DMA performance
+3. **System Topology Discovery**: Map out the relationship between PCI devices and NUMA nodes
+4. **Monitoring and Analytics**: Identify cross-NUMA traffic patterns
+
+## Building the Example
+
+```bash
+cd examples
+g++ -std=c++11 -I../src numa_node_example.cpp -o numa_node_example -L../build/lib -lpcm -lpthread
+LD_LIBRARY_PATH=../build/lib ./numa_node_example
+```
+
+## Notes
+
+- Requires appropriate permissions to access PCI configuration space
+- On Linux, run with `sudo` or ensure `/sys/bus/pci` is accessible
+- The NUMA node value is read at runtime and not cached
+- A return value of -1 doesn't indicate an error; it means NUMA information is not available
+
+## Related APIs
+
+- `PciHandle::read32()` - Read 32-bit value from PCI configuration space
+- `PciHandle::write32()` - Write 32-bit value to PCI configuration space
+- `PciHandle::read64()` - Read 64-bit value from PCI configuration space
+- `PciHandle::exists()` - Check if a PCI device exists
+
+## See Also
+
+- Linux kernel documentation: `Documentation/ABI/testing/sysfs-bus-pci`
+- ACPI SRAT (System Resource Affinity Table) specification
+- PCI Express Base Specification