[vfio-users] IOMMU restrictions inside a VM

Alex Williamson alex.williamson at redhat.com
Thu Mar 1 04:18:12 UTC 2018


On Wed, 28 Feb 2018 20:25:11 -0500
"Taiidan at gmx.com" <Taiidan at gmx.com> wrote:

> On 02/26/2018 04:14 PM, Alex Williamson wrote:
> 
> > On Mon, 26 Feb 2018 02:12:39 -0500
> > "Taiidan at gmx.com" <Taiidan at gmx.com> wrote:
> >  
> >> How would I with libvirt/qemu and AMD-Vi v1.26 restrict device
> >> communication inside a VM as it would be on the host?  
> > https://libvirt.org/formatdomain.html#elementsIommu
> >
> > (Yes, you can use Intel IOMMU emulation backed by an AMD IOMMU)
> >
> > The assigned devices cannot share an IOMMU group with any other
> > assigned device as we cannot create separate address spaces for devices
> > which are grouped together.  This configuration will also impose
> > performance overhead in the DMA mapping path.  You'll need to determine
> > for your use case if device assignment is still a performance advantage
> > vs other options.  The typical use case for emulated IOMMU is isolated
> > userspace drivers such as DPDK in the guest.  Much like a VM use case,
> > and unlike a kernel driver use case, these drivers generally use mostly
> > static mappings for DMA.  Thanks,
> >
> > Alex
> >  
> Ah thank you.
> I also recall reading an article awhile back about how internal vm 
> restrictions can be done via the host IOMMU, do you know anything about 
> that?

The above is using the host IOMMU.  A guest IOMMU is required to put
devices into separate address spaces, which map to separate IOMMU
domains in the host and therefore provide restricted DMA for each
assigned device.  Not sure what else you might be referring to.
Thanks,

Alex
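
Added example, not part of the original message: a host-side check for the constraint described above, that no two devices assigned to the guest may sit in the same IOMMU group. It reads the standard /sys/kernel/iommu_groups layout; the function names, PCI addresses and group numbers are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

def load_groups(root="/sys/kernel/iommu_groups"):
    """Map each IOMMU group number to the PCI addresses the host kernel placed in it."""
    groups = {}
    for group in os.listdir(root):
        devdir = os.path.join(root, group, "devices")
        if os.path.isdir(devdir):
            groups[group] = sorted(os.listdir(devdir))
    return groups

def check_assignment(assigned, groups):
    """Return (shared, missing): groups holding more than one assigned device,
    and assigned devices that have no IOMMU group at all."""
    group_of = {dev: g for g, devs in groups.items() for dev in devs}
    by_group = defaultdict(list)
    missing = []
    for bdf in assigned:
        if bdf in group_of:
            by_group[group_of[bdf]].append(bdf)
        else:
            missing.append(bdf)
    # Devices in one group cannot be given separate address spaces.
    shared = {g: devs for g, devs in by_group.items() if len(devs) > 1}
    return shared, missing

def demo():
    """Run the check against a constructed sysfs-like tree (not real host data)."""
    sample = {"13": ["0000:01:00.0", "0000:01:00.1"], "14": ["0000:02:00.0"]}
    with tempfile.TemporaryDirectory() as root:
        for group, devs in sample.items():
            for dev in devs:
                os.makedirs(os.path.join(root, group, "devices", dev))
        groups = load_groups(root)
    ok = check_assignment(["0000:01:00.0", "0000:02:00.0"], groups)
    bad = check_assignment(["0000:01:00.0", "0000:01:00.1", "0000:03:00.0"], groups)
    return ok, bad

if __name__ == "__main__":
    for label, (shared, missing) in zip(("ok", "bad"), demo()):
        print(label, "shared:", shared, "missing:", missing)
```

On a real host, call `check_assignment(your_devices, load_groups())`; a non-empty `shared` result means those devices cannot be isolated from each other by a guest IOMMU.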



