[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] PCI Passthrough

  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Paul Schulze <avlex@xxxxxxx>
  • Date: Sun, 25 May 2008 00:03:06 +0200
  • Delivery-date: Sat, 24 May 2008 15:03:44 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:in-reply-to:references:content-type:message-id:content-transfer-encoding:from:subject:date:to:x-pgp-agent:x-mailer:sender; b=sGx+kN5c5oYAwrFOz6v9TF7TL29hVFRkYNdnVbTfbSmp+THwYrJOxy9wo548NIumiHiC8mlgQyY0yzBLiQ40900nX0kAq1GOtDzCmiFwj/s9w2ILl3EPesZTDZKBMSPnLWnd/59ijtEhsqAOlvRg48JYCpLUb1LYQpgHvoBKIV0=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hash: SHA1

Hi again,

Thanks Chris, this sounds very promising. If I run into any problems, I will take you up on your offer. For now I am still in the planning stage for this project of mine, which by the way proves to be much more work than I initially thought.

Thanks alot for the hint about IOMMU, Todd, I think you nailed the main problem I am facing, my initial thoughts were that as long as only one DomU has exclusive rights to a certain PCI device, it would not pose a threat to the entire system.

I have already heard about IOMMU being implemented in Intel CPUs (or probably the North Bridge, because as I hear that is where the Memory Controller is located) only, however, as far as I can see AMD isn't quiet there yet (I hear they postponed it to 2009 again, almost reminds me of GNU/Hurd). However, that is one of the main problems I am facing: Intel does not offer a suitable basis for low power systems with desktop performance. I already looked far and wide for a suitable CPU + Mainboard combination with low power consumption and onboard 3D graphics that are worth something and I'm sorry to say, but Intel's are definitively not (compared to the AMD 4x50e CPUs with AMD780G chipsets at least). So I am basically bound to AMD for this particular project.

I already looked around for clues on a software IOMMU implementation too, but the only thing I could find was SWIOTLB. As I understand it, this solution merely allows 32bit devices to use more than 4gb of RAM, or is there a way to use it as a software IOMMU in the sense of Intel VT-d too? If not, is there another way to emulate IOMMU or at least protect the system from a potentially compromised privileged DomU until AMD CPUs supporting this feature are available? And am I correct to assume that a possible feature for AMD CPUs will possibly not need support from the chipset, because the Memory Controller is located on the CPU?

I hope someone can help me out of my confusion,


- --
Paul Schulze
Public Key: http://solaris-net.dyndns.org/keys/key_avlex.asc

"Making mistakes is human,
but to really fuck things up you need Computers"

Am 24.05.2008 um 14:35 schrieb Christopher Isip:

On Fri, May 23, 2008 at 11:57 PM, Todd Deshane <deshantm@xxxxxxxxx> wrote:
Hi Paul,

I'm not going to answer all your questions since I don't have a lot of
experience with many of the things you mention. However I can do
the second part and give some hints on what I do know.

> Is that possible and am I really gaining security for the whole system or is > this just my imagination and doesn't make any sense at all? How about the > performance, especially for the graphics adapter, do I have to factor in > bigger losses there (maybe because PCI passthrough doesn't support the full > PCIe 16x speed)? Has anyone tried something similar yet or am I the first to
> think this might be a good idea?

For PCI passthrough to be secure you need a system that has an IOMMU. It is my understanding that the only IOMMUs that are currently available are in the Intel VT-d systems. The reason you need the IOMMU is that otherwise the domain that you give direct access to the physical device could DMA into
main memory and compromise the security of the system.

So, you first need to look for a system with an IOMMU.

I really like you explanation of what you want and what you are trying to accomplish, I believe you are right on in terms of the VGA passthrough and using serial for the Xen output instead. I have read the experiences of others
for that case and it seems that part you could do.

People have also reported using Xen and mythTV, so I think that is also
quite possible.

There are a lot of details to get right, but by the sounds of it you are willing to figure them and make things work. As for all the networking stuff Xen is
pretty good at that already and it will be a matter of setting it up.

Your biggest initial hurdle is the IOMMU. Take a look at the VT-d stuff there is a lot going on with that on the xen mailing lists. (try xen.markmail.org if
you haven't already, it has pretty good search).

You can find information on some of the other things as well, but I would expect that within the next few days others would share their experiences
on some of the items that you mentioned.


Xen-users mailing list

I am currently running a mythtv backend in a Xen domU. It seems to be working well. I am on the last stages of configuration. Its using Ubuntu Hardy. Since it is a 2.6.24 kernel (compared to my Dom0 2.6.18), there are far fewer DMA errors.

Some issues that I haven't resolved yet:
 mythfilldatabase segfault in dmesg ( runs fine on command line)
PVR 250/500 record at default bitrate (2.2 Gb an hour) as opposed to settings in the database.

The domU does not have a mysql server. This is still in dom0 but I will be moving that to its own domU next. It also nfs mounts the video directories from dom0. I like to keep my DomUs at 4 Gigabyte or less for easy backup to a DVD.

If you need help setting up your mythtv DomU, let me know.


Version: GnuPG v1.4.1 (Darwin)


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.