[vfio-users] Difference and how to use it?
Alex Williamson
alex.williamson at redhat.com
Thu Feb 2 17:26:52 UTC 2017
On Thu, 2 Feb 2017 13:18:55 +0700
harry tulus <harrytulus14 at gmail.com> wrote:
> What's the different pci-stub of vfio exactly?
pci-stub is a dummy driver. AIUI it was originally developed because
the original KVM device assignment didn't actually bind to the assigned
device as a host driver, it simply grabbed the device and started using
it. Likewise, since KVM isn't a proper device driver, another host
driver could attempt to bind to the device while KVM had it assigned to
a user. The pci-stub driver was introduced to occupy the driver slot
for the device while KVM made use of it.
There are two reasons this can still be useful with vfio. One is that
pci-stub is often built into the kernel (it really should be even
though some distros get this wrong), this allows it to bind to devices
earlier than drivers that are loadable modules. With this setup we can
instruct pci-stub to bind to devices before the host driver can get to
them so we can keep the device in a pristine state for assignment to a
guest.
The other lesser use case with vfio is with IOMMU grouping. If you
have a group with multiple devices all the devices in the group must be
bound to compatible drivers or else vfio will consider the group
non-viable. This is intended to prevent host drivers within the same
group as a user controlled device as they would not be isolated from
each other. With pci-stub, we know this driver does not initiate any
DMA on behalf of the host, so we consider it compatible. Thus if you
have endpoints in your IOMMU group that you need to do something with
to make the group viable, but you want to make sure the user doesn't
have access to it, you can bind the device to pci-stub. This adds a
little bit of extra protection vs binding the device to vfio-pci as a
compromised user could not simply open other devices within the group
that are bound to vfio-pci through the vfio interface.
As opposed to pci-stub, vfio is a complete interface for userspace
drivers. It provides secure, isolated, IOMMU protected access to the
device. There's an entire document in the kernel
(Documentation/vfio.txt) describing vfio. If you have further
question, please ask. Thanks,
Alex
More information about the vfio-users
mailing list