author Mark Kavanagh <mark.b.kavanagh@intel.com> 2017-12-08 10:53:47 +0000
committer Ian Stokes <ian.stokes@intel.com> 2017-12-08 21:42:54 +0000
commit a14d1cc8a74858c7488207e02b9ebdb67e50bd88
tree ab60c6755bba1d643a6bdc303046c16b7cf0d8f5 /Documentation
parent 5e925ccc2a6f569f1b32365e3660671b8e7d36b3
netdev-dpdk: vHost IOMMU support
DPDK v17.11 introduces support for the vHost IOMMU feature. This is a security feature, which restricts the vhost memory that a virtio device may access.

This feature also enables the vhost REPLY_ACK protocol, the implementation of which is known to work in newer versions of QEMU (i.e. v2.10.0), but is buggy in older versions (v2.7.0 - v2.9.0, inclusive). As such, the feature is disabled by default (and should remain so), for the aforementioned older QEMU versions. Starting with QEMU v2.9.1, vhost-iommu-support can safely be enabled, even without having an IOMMU device, with no performance penalty.

This patch adds a new global config option, vhost-iommu-support, that controls enablement of the vhost IOMMU feature:

    ovs-vsctl set Open_vSwitch . other_config:vhost-iommu-support=true

This value defaults to false; to enable IOMMU support, this field should be set to true when setting other global parameters on init (such as "dpdk-socket-mem", for example). Changing the value at runtime is not supported, and requires restarting the vswitch daemon.

Signed-off-by: Mark Kavanagh <mark.b.kavanagh@intel.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/topics/dpdk/vhost-user.rst 28
1 files changed, 28 insertions, 0 deletions
diff --git a/Documentation/topics/dpdk/vhost-user.rst b/Documentation/topics/dpdk/vhost-user.rst
index a43affaa7..8447e2dee 100644
--- a/Documentation/topics/dpdk/vhost-user.rst
+++ b/Documentation/topics/dpdk/vhost-user.rst
@@ -273,6 +273,34 @@ One benefit of using this mode is the ability for vHost ports to 'reconnect' in
event of the switch crashing or being brought down. Once it is brought back up,
the vHost ports will reconnect automatically and normal service will resume.
+vhost-user-client IOMMU Support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+vhost IOMMU is a feature which restricts the vhost memory that a virtio device
+can access, and as such is useful in deployments in which security is a
+concern.
+
+IOMMU support may be enabled via a global config value,
+```vhost-iommu-support```. Setting this to true enables vhost IOMMU support for
+all vhost ports when/where available::
+
+ $ ovs-vsctl set Open_vSwitch . other_config:vhost-iommu-support=true
+
+The default value is false.
+
+.. important::
+
+ Changing this value requires restarting the daemon.
+
+.. important::
+
+ Enabling the IOMMU feature also enables the vhost user reply-ack protocol;
+ this is known to work on QEMU v2.10.0, but is buggy on older versions
+ (2.7.0 - 2.9.0, inclusive). Consequently, the IOMMU feature is disabled by
+ default (and should remain so if using the aforementioned versions of
+ QEMU). Starting with QEMU v2.9.1, vhost-iommu-support can safely be
+ enabled, even without having an IOMMU device, with no performance penalty.
+
.. _dpdk-testpmd:
DPDK in the Guest