[vfio-users] [FEEDBACK NEEDED] Rewriting the Arch wiki article

Alex Williamson alex.l.williamson at gmail.com
Tue Apr 12 22:32:14 UTC 2016

> On 2016-04-12 17:24, Alex Williamson wrote:
> On Tue, Apr 12, 2016 at 2:30 PM, Bronek Kozicki <brok at spamcop.net> wrote:
>> 2. does PCI bridge have to be in a separate IOMMU group than
>> passed-through device?
> No.  Blank is mostly correct on this, newer kernels remove the pcieport
> driver test and presume any driver attached to a bridge device is ok.
> Really? From what I understood reading your IOMMU article, plus from the
> issues I had getting my own GPU to work on the CPU-based PCIe slot on my
> E3-1200, I thought having a PCIe root port grouped with a PCI device made
> the GPU unsuited for passthrough. What recommendations should I give here
> <https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF#Plugging_your_guest_GPU_in_an_unisolated_CPU-based_PCIe_slot>,
> then?

The statement "(there's generally only one)" is completely incorrect
regarding processor based root port slots.  That $30k PC that LinuxTechTips
did has 7 processor based root ports between the 2 sockets.

IOMMU group isolation requires that a group is never shared between host
and guest or between different guests.  However we assume that bridge
devices only do DMA on behalf of the devices downstream of them, so we
allow the bridge to be managed by a host driver.  So in your example, it's
possible that the bridge could do redirections, but the only affected party
would be the VM itself.  The same is true for a multi-function device like
the GPU itself, internal routing may allow the devices to perform
peer-to-peer internally.  So it's not ideal when the bridge is part of the
group, but it generally works and is allowed because it can't interfere
with anyone else.  I have the identical setup on my E3-1245v2 and haven't
had any problems.

Where the isolation problem with root ports explodes is when another
non-ACS root port is added at 01.x or there are many devices downstream of
the root port (SR-IOV).  Then we end up with an even bigger IOMMU group and
the user generally doesn't want to assign all those endpoints to a single

Your recommendation isn't entirely wrong, we should be doing device
assignment on hardware with full isolation, but it excludes a very typical
use case that often works well enough.
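
An added example, not part of the original message: a check that splits a device's IOMMU group into bridges (which may stay on a host driver) and endpoints (which must all go to the same guest). It assumes the standard sysfs layout under /sys/kernel/iommu_groups and recognises bridges by PCI class 0x0604; the device addresses and sample trees are constructed for illustration.

```python
import os, tempfile

PCI_TO_PCI_BRIDGE = 0x0604  # class/subclass used here to recognise bridges (assumption)

def group_members(sysfs_root, bdf):
    """Return (group, bridges, endpoints) for the IOMMU group containing bdf."""
    link = os.path.join(sysfs_root, "bus/pci/devices", bdf, "iommu_group")
    group_dir = os.path.realpath(link)
    bridges, endpoints = [], []
    for dev in sorted(os.listdir(os.path.join(group_dir, "devices"))):
        with open(os.path.join(group_dir, "devices", dev, "class")) as f:
            pci_class = int(f.read().strip(), 16)  # e.g. 0x060400
        is_bridge = (pci_class >> 8) == PCI_TO_PCI_BRIDGE
        (bridges if is_bridge else endpoints).append(dev)
    return os.path.basename(group_dir), bridges, endpoints

def stray_endpoints(sysfs_root, wanted):
    """Endpoints sharing a group with `wanted` that are not going to the guest."""
    stray = set()
    for bdf in wanted:
        _, _, endpoints = group_members(sysfs_root, bdf)
        stray |= set(endpoints) - set(wanted)
    return sorted(stray)

def build_sample(layout):
    """Constructed sysfs-like tree; layout = {group: {bdf: class_hex}}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bus/pci/devices"))
    for group, devs in layout.items():
        gdir = os.path.join(root, "kernel/iommu_groups", group)
        os.makedirs(os.path.join(gdir, "devices"))
        for bdf, cls in devs.items():
            ddir = os.path.join(root, "devices", bdf)
            os.makedirs(ddir)
            with open(os.path.join(ddir, "class"), "w") as f:
                f.write(cls + "\n")
            os.symlink(gdir, os.path.join(ddir, "iommu_group"))
            os.symlink(ddir, os.path.join(gdir, "devices", bdf))
            os.symlink(ddir, os.path.join(root, "bus/pci/devices", bdf))
    return root

# Constructed layouts: root port + GPU only, then a second root port with a NIC.
SMALL = {"1": {"0000:00:01.0": "0x060400", "0000:01:00.0": "0x030000",
               "0000:01:00.1": "0x040300"}}
LARGE = {"1": {**SMALL["1"], "0000:00:01.1": "0x060400", "0000:02:00.0": "0x020000"}}
GPU = ["0000:01:00.0", "0000:01:00.1"]

if __name__ == "__main__":
    for name, layout in (("small", SMALL), ("large", LARGE)):
        print(name, stray_endpoints(build_sample(layout), GPU))
```

On a real host, pass "/sys" as sysfs_root; an empty result means every endpoint in the group is already on the list for the guest.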