IOMMU group and ACS cap

VFIO做VM的设备直通过程中,需要把直通设备所在iommu group里面所有的设备都unbind掉,这是为啥呢,iommu group又是啥,木有遇到该问题的小伙伴你们肯定年轻而富有:)你们的设备都是有ACS的呢,这又是啥,咱先来看看官方文档吧:

In a virtualized environment it is generally not desirable to have peer-to-peer transactions that do not go through the root complex. With both Direct Assignment (see Section 2.3.2) and SR-IOV, which is also a form of Direct Assignment, the PCIe transactions should go through the Root Complex in order for the Address Translation Service (or VT-d) to be utilized.
Access Control Services (ACS) provides a mechanism by which a Peer-to-Peer PCIe transaction can be forced to go up through the PCIe Root Complex. ACS can be thought of as a kind of gate-keeper – preventing unauthorized transactions from occurring.
Without ACS, it is possible for a PCIe Endpoint to either accidentally or intentionally (maliciously) write to an invalid/illegal area on a peer endpoint, potentially causing problems.
一个不具有ACS cap的设备无法强制p2p的transaction走到root complex进而被iommu处理,这种情况下它必须被放在一个共享的iommu group中,以保证这些没有ACS而互相之间又存在p2p可能的设备能够共享同一个地址空间,否则他们之间的p2p可能会造成灾难性的结果(无法获知正确的目标地址,使用的目标地址可能是个恶意或因错误产生的非法地址)。同时它也不能假设它的上游设备具有ACS cap,因为一旦上游没有这个能力,那么p2p的数据将真的被直接写入目标地址。放在一个共享iommu group内的设备互相之间的p2p因为在同一个iova空间是可以正常工作的,但因为没有地址空间隔离而存在安全漏洞和数据泄露风险,而对其他具备ACS的设备来说就相对安全了。
For each group, a virtual device is created under /dev/vfio; prior to working with any individual device, a driver must open the group, claiming ownership of it. The access permissions on the group file control access to the underlying devices. Once the group has been opened, the driver should do an ioctl(VFIO_GROUP_GET_INFO) call to determine whether the group is “viable” (meaning all of the relevant devices are assigned to it) and available for use. If the group is not viable, the driver will not be able to proceed.
也就是说,一个iommu group中的所有设备必须都unbind掉原驱动,被vfio接管,而且是在一个虚拟的vfio设备管辖下

Leave a Reply

Your email address will not be published. Required fields are marked *