[dpdk-dev] VFIO in setup.sh

Andre Richter andre.o.richter at gmail.com
Tue Mar 31 11:26:13 CEST 2015


I think the whole process of VFIO binding maybe needs at least a second
thought regarding corner cases and security.

1) In the setup process, there currently is no mechanism that checks if the
device to be used has other devices in the same iommu group that need to be
bound to VFIO too. Otherwise using VFIO will fail.
I think currently, it only works if the network device is the only one in
its iommu group.

2) Right now everything inside /dev/vfio/ is granted to all users,
right? Maybe this leads to (security) issues if VFIO is in active use by
other non-dpdk processes for other PCIe devices.

Cheers,
Andre

Burakov, Anatoly <anatoly.burakov at intel.com> wrote on Tue, 31 March 2015
at 11:05:

> > > 3. Why depend on location of vfio module in kernel tree?
> > >    modprobe does the right thing and finds it.
> > >
> > >     VFIO_PATH="kernel/drivers/vfio/pci/vfio-pci.ko"
> > >
> > >     echo "Loading VFIO module"
> > >     /sbin/lsmod | grep -s vfio_pci > /dev/null
> > >     if [ $? -ne 0 ] ; then
> > >             if [ -f /lib/modules/$(uname -r)/$VFIO_PATH ] ; then
> > >                     sudo /sbin/modprobe vfio-pci
> > >             fi
> > >     fi
> > >
>
> Here I agree. Needs to be fixed.
>
> Thanks,
> Anatoly
>
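
The two checks raised in points 1) and 2) of the message above, sketched as an added example that is not part of the original mail or of DPDK's setup.sh. The function names and the `SYSFS`/`DEVDIR` overrides are hypothetical; the sysfs paths assume the standard Linux layout.

```shell
#!/bin/sh
# Added example (not DPDK code). SYSFS and DEVDIR are hypothetical overrides
# so the checks can be exercised against a constructed directory tree.
SYSFS=${SYSFS:-/sys}
DEVDIR=${DEVDIR:-/dev/vfio}

# Point 1: print "<pci-address> <driver>" for every device that shares an
# IOMMU group with $1 and is bound to a driver other than vfio-pci.
# Returns 0 if none, 1 if such devices exist, 2 if $1 has no IOMMU group.
group_blockers() {
    grp="$SYSFS/bus/pci/devices/$1/iommu_group/devices"
    [ -d "$grp" ] || return 2
    rc=0
    for dev in "$grp"/*; do
        # Devices without a driver link are unbound and do not block the group.
        [ -L "$dev/driver" ] || continue
        drv=$(basename "$(readlink "$dev/driver")")
        # Conservative: the kernel tolerates a few other drivers (such as
        # pci-stub), but everything that is not vfio-pci is reported here.
        if [ "$drv" != "vfio-pci" ]; then
            echo "$(basename "$dev") $drv"
            rc=1
        fi
    done
    return $rc
}

# Point 2: print VFIO group nodes (numeric names under DEVDIR) that are
# readable or writable by "other". The shared container node named "vfio"
# is skipped, only per-group nodes are listed.
world_open_groups() {
    find "$DEVDIR" -name '[0-9]*' ! -type d \
        \( -perm -004 -o -perm -002 \) 2>/dev/null | sort
}

# Usage: sh vfio-check.sh 0000:01:00.0
if [ $# -gt 0 ]; then
    group_blockers "$1" || echo "blockers found or no IOMMU group (status $?)"
    world_open_groups
fi
```

A setup script could refuse to bind, or offer to bind the listed siblings as well, when `group_blockers` returns 1, and could grant a group node to a dedicated user or group rather than to everyone when `world_open_groups` prints anything.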

