The Linux Kernel Mailing List
From: Jason Gunthorpe <jgg@ziepe.ca>
To: "Tian, Kevin" <kevin.tian@intel.com>
Cc: Teddy Astie <teddy.astie@vates.tech>,
	"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: How to express "externally managed" IOMMU domains for VFIO/IOMMUFD ?
Date: Sat, 9 May 2026 14:00:51 -0300	[thread overview]
Message-ID: <20260509170051.GD9285@ziepe.ca> (raw)
In-Reply-To: <BN9PR11MB52768B5170F6CE558B0AC8AA8C3C2@BN9PR11MB5276.namprd11.prod.outlook.com>

On Thu, May 07, 2026 at 08:02:40AM +0000, Tian, Kevin wrote:
> > From: Jason Gunthorpe <jgg@ziepe.ca>
> > Sent: Sunday, April 26, 2026 9:30 PM
> > 
> > On Thu, Apr 23, 2026 at 08:01:50AM +0000, Tian, Kevin wrote:
> > > > On Xen, we have dedicated hypercalls for moving a device into another
> > > > guest (so it no longer belongs in Dom0, as far as DMA is concerned).
> > > >
> > > > But it looks like there is no way to describe that idea of "attach that
> > > > device to this VM" nor "the device is in a VM"; which makes that
> > > > impracticable.
> > > >
> > > > There may be things that could be done with the vIOMMU objects, but
> > > > there would be no "parent domain" in such case, as said earlier it
> > > > doesn't exist in the IOMMU subsystem.
> > > >
> > > > What is expected to be done instead ?
> > > >
> > > > Teddy
> > > >
> > > > [1] https://www.youtube.com/watch?v=pLMGRgEJ-Eg
> > > >
> > >
> > > It'd be much easier to collect comments if you can put plain words
> > > to explain the problem rather than expecting other folks to watch
> > > the video first...
> > 
> > It sounds like CC and pkvm to me so I think it should re-use those
> > mechanisms..
> > 
> 
> for CC and pkvm the guest memory is still allocated from host.

From an iommu perspective that doesn't entirely matter; what it sees
is that the translation is controlled by some secure world and it
only needs a way to associate the kvm handle for the secure world with
any required call for configuring the viommu.

It is not very different from KVM installing encrypted pages that have
been completely unmapped from all page tables in the hypervisor into
the VM's secure EPT through TDX calls and then iommufd creating a
viommu that re-uses the secure EPT.

The only thing dealing with the memory map is KVM. I'd expect Xen to
work the same: however the invisible memory was affiliated with the VM
through KVM, the iommu side should pick up the KVM and then request a
VIOMMU to be set up for the VFIO device on the target KVM, and that
should trigger the hypercalls to move the device into the selected
guest.

Jason
