Re: Determining iommu groups in Xen?

[Andrew Cooper <andrew.cooper3@citrix.com>]

On 28/08/14 17:48, Peter Kay wrote:
>  
>
> On 28 August 2014 14:54:01 BST, Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>> On 28/08/14 14:26, Peter Kay wrote:
>>> This should be a simple question, but I can't find the answer : how
>> are iommu groups determined/found in Xen?
> ...snip...
> >From memory, ACS is present to fix an interaction issue between PCI
>> Passthrough and peer-to-peer dma translations in the PCIe spec.  ACS
>> instructions a bridge/switch to forward the transaction to the upstream
>> port for translation by the IOMMU instead of resolving it privately as
>> a peer-to-peer transaction.
> Yes, precisely.
>
>> Unfortunately, a lot of 1st era PCIe switches after ACS was specified
>> have errata, caused by an ambiguity in the spec, which means that
>> despite claiming ACS support, they don't function correctly.  
> Yes. KVM has a list of quirks from Intel specifying which chipsets actually work.
>
>> Certainly within XenServer, we state that customers using
>> PCIPassthrough must trust the guest administrators, which
>> 'fixes' the security aspect of things from the point of view
>> of malicious guests.
>>
>> ~Andrew
> Fair enough; possibly not ideal but it's an administrator function with calculated risk. A warning might be nice, though.

I am not aware of a single server platform which doesn't have a single
erraturm which breaks the end-to-end security or functionality of PCI
Passthrough.  I would love to be proved wrong in this regard.

>
> The more important question is : how do I determine the iommu groups? Do I need to write some code? It isn't possible to discover from the motherboard manual (it lies) and furthermore, as expansion cards are added and removed the iommu groups change slightly as do the PCI IDs (which is also annoying as it's then necessary to edit all the domU config files plus the pciback hide parameters. KVM is just as broken here).

I am confused as to what exactly you mean by iommu groups in this
context.  My initial guess of the iommu context identifiers for HAP/EPT
tables was clearly wrong.

>
> I currently have an issue with the system spontaneously rebooting under both 4.4 and -unstable as soon as I pass through the entire USB controller (or the half on one set or other of PCI IDs). I don't know if it's a bug or something daft is happening with iommu groups or similar.

Almost certainly to do with the (lack of correct) RMRR support.  There
is a patch series on-list attempting to remedy this problem.

~Andrew

>
> On the bright side, USB host device passthrough with a virtual USB controller appears to work well under Windows, Linux and FreeBSD. KVM doesn't fare so well under *BSD.
>
> PK