pradeep singh rautela
2008-Feb-19 20:38 UTC
[Xen-users] Can I expose a pci device to HVM domU?
Can i assign a PCI device(e.g a NIC) exclusively to a Linux HVM
domainU after hiding it from domain 0?
I know that only PV guests are the best candidates for this but I
still want to ask, hoping someone might have done some work in latest
xen-unstable.
Is there any known way to do this?
PS:- NIC Is does not have Intel''s VT-d.
Thanks,
--Pradeep
--
Pradeep Singh Rautela
http://eagain.wordpress.com
http://emptydomain.googlepages.com
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Caitlin Bestler
2008-Feb-19 20:44 UTC
RE: [Xen-devel] Can I expose a pci device to HVM domU?
> -----Original Message----- > From: xen-devel-bounces@lists.xensource.com [mailto:xen-devel- > bounces@lists.xensource.com] On Behalf Of pradeep singh rautela > Sent: Tuesday, February 19, 2008 12:39 PM > To: xen-users@lists.xensource.com > Cc: xen-devel > Subject: [Xen-devel] Can I expose a pci device to HVM domU? > > Can i assign a PCI device(e.g a NIC) exclusively to a Linux HVM > domainU after hiding it from domain 0? > > I know that only PV guests are the best candidates for this but I > still want to ask, hoping someone might have done some work in latest > xen-unstable. > > Is there any known way to do this? > > PS:- NIC Is does not have Intel's VT-d. >If the Guest is HVM, how would it know how to give usable DMA addresses to the NIC? (Whether it should be trusted to in the absence of an Address Translation Service is the next question, but first is whether it could even do it at all). A PV Guest, by contrast, would know the distinction between GPAs and SPAs (not that it makes it any more trustworthy). _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Daniel Stodden
2008-Feb-19 21:35 UTC
RE: [Xen-devel] Can I expose a pci device to HVM domU?
On Tue, 2008-02-19 at 15:44 -0500, Caitlin Bestler wrote:> > > -----Original Message----- > > From: xen-devel-bounces@lists.xensource.com [mailto:xen-devel- > > bounces@lists.xensource.com] On Behalf Of pradeep singh rautela > > Sent: Tuesday, February 19, 2008 12:39 PM > > To: xen-users@lists.xensource.com > > Cc: xen-devel > > Subject: [Xen-devel] Can I expose a pci device to HVM domU? > > > > Can i assign a PCI device(e.g a NIC) exclusively to a Linux HVM > > domainU after hiding it from domain 0? > > > > I know that only PV guests are the best candidates for this but I > > still want to ask, hoping someone might have done some work in latest > > xen-unstable. > > > > Is there any known way to do this? > > > > PS:- NIC Is does not have Intel''s VT-d. > > > > If the Guest is HVM, how would it know how to give usable > DMA addresses to the NIC? (Whether it should be trusted to > in the absence of an Address Translation Service is the next > question, but first is whether it could even do it at all). > > A PV Guest, by contrast, would know the distinction between > GPAs and SPAs (not that it makes it any more trustworthy).VT-d / IO-MMUs fixes that. regards, daniel -- Daniel Stodden LRR - Lehrstuhl für Rechnertechnik und Rechnerorganisation Institut für Informatik der TU München D-85748 Garching http://www.lrr.in.tum.de/~stodden mailto:stodden@cs.tum.edu PGP Fingerprint: F5A4 1575 4C56 E26A 0B33 3D80 457E 82AE B0D8 735B _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Daniel Stodden
2008-Feb-19 22:01 UTC
RE: [Xen-devel] Can I expose a pci device to HVM domU?
On Tue, 2008-02-19 at 16:51 -0500, Caitlin Bestler wrote:> > > > > > > > PS:- NIC Is does not have Intel''s VT-d. > > > > > > > > > > If the Guest is HVM, how would it know how to give usable > > > DMA addresses to the NIC? (Whether it should be trusted to > > > in the absence of an Address Translation Service is the next > > > question, but first is whether it could even do it at all). > > > > > > A PV Guest, by contrast, would know the distinction between > > > GPAs and SPAs (not that it makes it any more trustworthy). > > > > VT-d / IO-MMUs fixes that. > > > If you interpret the problem as being that the NIC is not > itself aware of VT-d (or other IOMMU), but that there is an > IOMMU active, then that would be true. > > My interpretation of "does not have VT-d" is that there is > no IOMMU active in the target platform at all.It was meant as a rather general reply (I thought yours was as well). I simply overlooked the no-VTd statement above. Sorry, you''re certainly right. greetings, daniel -- Daniel Stodden LRR - Lehrstuhl für Rechnertechnik und Rechnerorganisation Institut für Informatik der TU München D-85748 Garching http://www.lrr.in.tum.de/~stodden mailto:stodden@cs.tum.edu PGP Fingerprint: F5A4 1575 4C56 E26A 0B33 3D80 457E 82AE B0D8 735B _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Stephan Seitz
2008-Feb-20 01:19 UTC
Re: [Xen-users] Can I expose a pci device to HVM domU?
Hi, i''ve tried a LOT of different xen changesets and patches on recent high-end intel (supermicro) and amd (tyan) boards with advertised VT-d / AMD IOMMU support. The result was really frustrating, without VT-d / IOMMU an export into a HVM domU is impossible. The tests showed that advertised VT-d is only "VT-x" and IOMMU is not fully supported (Answers from tech. support hotlines at supermicro and tyan) So, I would also like to know if anyone was able to do this? pradeep singh rautela schrieb:> Can i assign a PCI device(e.g a NIC) exclusively to a Linux HVM > domainU after hiding it from domain 0? > > I know that only PV guests are the best candidates for this but I > still want to ask, hoping someone might have done some work in latest > xen-unstable. > > Is there any known way to do this? > > PS:- NIC Is does not have Intel''s VT-d. > > Thanks, > --Pradeep >-- Stephan Seitz Senior System Administrator *netz-haut* e.K. multimediale kommunikation zweierweg 22 97074 würzburg fon: +49 931 2876247 fax: +49 931 2876248 web: www.netz-haut.de <http://www.netz-haut.de/> registriergericht: amtsgericht würzburg, hra 5054 _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Mark Williamson
2008-Feb-21 02:03 UTC
Re: [Xen-devel] Can I expose a pci device to HVM domU?
> > Can i assign a PCI device(e.g a NIC) exclusively to a Linux HVM > > domainU after hiding it from domain 0? > > > > I know that only PV guests are the best candidates for this but I > > still want to ask, hoping someone might have done some work in latest > > xen-unstable. > > > > Is there any known way to do this? > > > > PS:- NIC Is does not have Intel''s VT-d. > > If the Guest is HVM, how would it know how to give usable > DMA addresses to the NIC? (Whether it should be trusted to > in the absence of an Address Translation Service is the next > question, but first is whether it could even do it at all). > > A PV Guest, by contrast, would know the distinction between > GPAs and SPAs (not that it makes it any more trustworthy).Guys from Neocleus (I think) have been working on making PCI passthrough to HVM guests happen, without using an IOMMU. There is code out there that these guys have released. It''s a clever bit of lateral thinking that makes this possible :-) However, doing this without an IOMMU still doesn''t address the security concerns and I''m not sure if it scales to many (or even if they support more than one) HVM guests controlling PCI devices. Cheers, Mark -- Push Me Pull You - Distributed SCM tool (http://www.cl.cam.ac.uk/~maw48/pmpu/) _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
pradeep singh rautela
2008-Feb-21 05:35 UTC
Re: [Xen-devel] Can I expose a pci device to HVM domU?
Hi Mark, On 21/02/2008, Mark Williamson <mark.williamson@cl.cam.ac.uk> wrote: [...]> Guys from Neocleus (I think) have been working on making PCI passthrough to > HVM guests happen, without using an IOMMU. There is code out there that > these guys have released. It''s a clever bit of lateral thinking that makes > this possible :-)Any hints, where can i find the code?Is it in the current xen-unstable? or may be in xen-3.2 staging? Thanks, --Pradeep> > However, doing this without an IOMMU still doesn''t address the security > concerns and I''m not sure if it scales to many (or even if they support more > than one) HVM guests controlling PCI devices. > > Cheers, > Mark > > > -- > Push Me Pull You - Distributed SCM tool (http://www.cl.cam.ac.uk/~maw48/pmpu/) >-- Pradeep Singh Rautela http://eagain.wordpress.com http://emptydomain.googlepages.com _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Mark Williamson
2008-Feb-21 05:51 UTC
Re: [Xen-devel] Can I expose a pci device to HVM domU?
> > Guys from Neocleus (I think) have been working on making PCI passthrough > > to HVM guests happen, without using an IOMMU. There is code out there > > that these guys have released. It''s a clever bit of lateral thinking > > that makes this possible :-) > > Any hints, where can i find the code?Is it in the current > xen-unstable? or may be in xen-3.2 staging?Their development tree was at: http://xenbits.xensource.com/ext/direct-io.hg but it looks like its not been updated for a while. They posted some patches to xen-devel a while back, which might be worth you searching the archives for. I don''t remember hearing anything about it for a while but I may just be out of touch! I''m not sure what the current status of the work is. Cheers, Mark -- Push Me Pull You - Distributed SCM tool (http://www.cl.cam.ac.uk/~maw48/pmpu/) _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
pradeep singh rautela
2008-Feb-21 05:58 UTC
Re: [Xen-devel] Can I expose a pci device to HVM domU?
thanks a lot Mark.
I''ll have a look.
Cu,
--Pradeep
On 21/02/2008, Mark Williamson <mark.williamson@cl.cam.ac.uk>
wrote:> > > Guys from Neocleus (I think) have been working on making PCI
passthrough
> > > to HVM guests happen, without using an IOMMU. There is code out
there
> > > that these guys have released. It''s a clever bit of
lateral thinking
> > > that makes this possible :-)
> >
> > Any hints, where can i find the code?Is it in the current
> > xen-unstable? or may be in xen-3.2 staging?
>
>
> Their development tree was at:
http://xenbits.xensource.com/ext/direct-io.hg
> but it looks like its not been updated for a while.
>
> They posted some patches to xen-devel a while back, which might be worth
you
> searching the archives for. I don''t remember hearing anything
about it for a
> while but I may just be out of touch!
>
> I''m not sure what the current status of the work is.
>
>
> Cheers,
> Mark
>
> --
> Push Me Pull You - Distributed SCM tool
(http://www.cl.cam.ac.uk/~maw48/pmpu/)
>
--
Pradeep Singh Rautela
http://eagain.wordpress.com
http://emptydomain.googlepages.com
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Caitlin Bestler
2008-Feb-21 17:45 UTC
RE: [Xen-devel] Can I expose a pci device to HVM domU?
> -----Original Message----- > From: M.A. Williamson [mailto:maw48@hermes.cam.ac.uk] On Behalf Of Mark > Williamson > Sent: Wednesday, February 20, 2008 6:03 PM > To: xen-devel@lists.xensource.com > Cc: Caitlin Bestler; pradeep singh rautela > Subject: Re: [Xen-devel] Can I expose a pci device to HVM domU? > > > > Can i assign a PCI device(e.g a NIC) exclusively to a Linux HVM > > > domainU after hiding it from domain 0? > > > > > > I know that only PV guests are the best candidates for this but I > > > still want to ask, hoping someone might have done some work in > latest > > > xen-unstable. > > > > > > Is there any known way to do this? > > > > > > PS:- NIC Is does not have Intel's VT-d. > > > > If the Guest is HVM, how would it know how to give usable > > DMA addresses to the NIC? (Whether it should be trusted to > > in the absence of an Address Translation Service is the next > > question, but first is whether it could even do it at all). > > > > A PV Guest, by contrast, would know the distinction between > > GPAs and SPAs (not that it makes it any more trustworthy). > > Guys from Neocleus (I think) have been working on making PCI > passthrough to HVM guests happen, without using an IOMMU. > There is code out there that these guys have released. > It's a clever bit of lateral thinking that makes this > possible :-) >Ultimately *some* form of Address Translation Service is required. Stacking the deck so that a null translation works is still a form of Address Translation Service. Translating work requests in a backend driver is also an Address Translation Service. I see no problem of embracing multiple Address Translation solutions, as long as the caveats with each are clear and unambiguous. But I think it would be a mistake for a Hypervisor to take extra steps to facilitate solutions that do not provide the full equivalent of a PCI-SIG defined IOMMU. In this case, I would not recommend taking extra steps to enable direct access to a NIC from an HVM Guest. Trusting a guest to refrain from accessing memory it does not own is a major act of faith that is rarely justified, but an HVM Guest would not even understand what it has been entrusted with. That sounds very risky to me. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel