[ovs-dev] [PATCH V6 2/2] netdev-dpdk: vHost IOMMU support
Stokes, Ian
ian.stokes at intel.com
Fri Dec 8 13:00:40 UTC 2017
>
> DPDK v17.11 introduces support for the vHost IOMMU feature.
> This is a security feature, which restricts the vhost memory that a virtio
> device may access.
>
> This feature also enables the vhost REPLY_ACK protocol, the implementation
> of which is known to work in newer versions of QEMU (i.e. v2.10.0), but is
> buggy in older versions (v2.7.0 - v2.9.0, inclusive). As such, the feature
> is disabled by default in (and should remain so), for the aforementioned
> older QEMU versions. Starting with QEMU v2.9.1, vhost-iommu-support can
> safely be enabled, even without having an IOMMU device, with no
> performance penalty.
>
> This patch adds a new global config option, vhost-iommu-support, that
> controls enablement of the vhost IOMMU feature:
>
> ovs-vsctl set Open_vSwitch . other_config:vhost-iommu-support=true
>
> This value defaults to false; to enable IOMMU support, this field should
> be set to true when setting other global parameters on init (such as
> "dpdk-socket-mem", for example). Changing the value at runtime is not
> supported, and requires restarting the vswitch daemon.
>
> Signed-off-by: Mark Kavanagh <mark.b.kavanagh at intel.com>
Thanks all, I will queue this for validation on the DPDK merge branch, will be part of the next pull request.
Ian
> ---
> Documentation/topics/dpdk/vhost-user.rst | 28
> ++++++++++++++++++++++++++++
> NEWS | 1 +
> lib/dpdk-stub.c | 6 ++++++
> lib/dpdk.c | 12 ++++++++++++
> lib/dpdk.h | 3 +++
> lib/netdev-dpdk.c | 14 ++++++++++----
> vswitchd/vswitch.xml | 15 +++++++++++++++
> 7 files changed, 75 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/topics/dpdk/vhost-user.rst
> b/Documentation/topics/dpdk/vhost-user.rst
> index a43affa..33d98a4 100644
> --- a/Documentation/topics/dpdk/vhost-user.rst
> +++ b/Documentation/topics/dpdk/vhost-user.rst
> @@ -273,6 +273,34 @@ One benefit of using this mode is the ability for
> vHost ports to 'reconnect' in event of the switch crashing or being
> brought down. Once it is brought back up, the vHost ports will reconnect
> automatically and normal service will resume.
>
> +vhost-user-client IOMMU Support
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +vhost IOMMU is a feature which restricts the vhost memory that a virtio
> +device can access, and as such is useful in deployments in which
> +security is a concern.
> +
> +IOMMU support may be enabled via a global config value,
> +```vhost-iommu-support```. Setting this to true enables vhost IOMMU
> +support for all vhost ports when/where available::
> +
> + $ ovs-vsctl set Open_vSwitch .
> + other_config:vhost-iommu-support=true
> +
> +The default value is false.
> +
> +.. important::
> +
> + Changing this value requires restarting the daemon.
> +
> +.. important::
> +
> + Enabling the IOMMU feature also enables the vhost user reply-ack
> protocol;
> + this is known to work on QEMU v2.10.0, but is buggy on older versions
> + (2.7.0 - 2.9.0, inclusive). Consequently, the IOMMU feaure is
> disabled by
> + default (and should remain so if using the aforementioned versions of
> + QEMU). Starting with QEMU v2.9.1, vhost-iommu-support can safely be
> + enabled, even without having an IOMMU device, with no performance
> penalty.
> +
> .. _dpdk-testpmd:
>
> DPDK in the Guest
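Review bot: in the new "vhost-user-client IOMMU Support" section, vhost-iommu-support is wrapped in three backticks on each side, which is not reStructuredText inline-literal markup; use two backticks so it renders as a literal. "feaure" in the second important block is a typo for "feature". The two consecutive important directives could also be merged into one, so the restart requirement and the QEMU version caveat are read together.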
> diff --git a/NEWS b/NEWS
> index d4a1c9a..99c47d8 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -15,6 +15,7 @@ Post-v2.8.0
> * Add support for compiling OVS with the latest Linux 4.13 kernel
> - DPDK:
> * Add support for DPDK v17.11
> + * Add support for vHost IOMMU
>
> v2.8.0 - 31 Aug 2017
> --------------------
> diff --git a/lib/dpdk-stub.c b/lib/dpdk-stub.c index daef729..3602180
> 100644
> --- a/lib/dpdk-stub.c
> +++ b/lib/dpdk-stub.c
> @@ -48,3 +48,9 @@ dpdk_get_vhost_sock_dir(void) {
> return NULL;
> }
> +
> +bool
> +dpdk_vhost_iommu_enabled(void)
> +{
> + return false;
> +}
> diff --git a/lib/dpdk.c b/lib/dpdk.c
> index 8da6c32..6710d10 100644
> --- a/lib/dpdk.c
> +++ b/lib/dpdk.c
> @@ -41,6 +41,7 @@ VLOG_DEFINE_THIS_MODULE(dpdk);
> static FILE *log_stream = NULL; /* Stream for DPDK log redirection
> */
>
> static char *vhost_sock_dir = NULL; /* Location of vhost-user sockets
> */
> +static bool vhost_iommu_enabled = false; /* Status of vHost IOMMU
> +support */
>
> static int
> process_vhost_flags(char *flag, const char *default_val, int size, @@ -
> 345,6 +346,11 @@ dpdk_init__(const struct smap *ovs_other_config)
> vhost_sock_dir = sock_dir_subcomponent;
> }
>
> + vhost_iommu_enabled = smap_get_bool(ovs_other_config,
> + "vhost-iommu-support", false);
> + VLOG_INFO("IOMMU support for vhost-user-client %s.",
> + vhost_iommu_enabled ? "enabled" : "disabled");
> +
> argv = grow_argv(&argv, 0, 1);
> argc = 1;
> argv[0] = xstrdup(ovs_get_program_name()); @@ -482,6 +488,12 @@
> dpdk_get_vhost_sock_dir(void)
> return vhost_sock_dir;
> }
>
> +bool
> +dpdk_vhost_iommu_enabled(void)
> +{
> + return vhost_iommu_enabled;
> +}
> +
> void
> dpdk_set_lcore_id(unsigned cpu)
> {
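Review bot: in dpdk_init__(), the VLOG_INFO prints "enabled" from the configured value of vhost-iommu-support alone, so the log line reports what was requested, not that any vhost port was registered with the flag. For a setting described as a security feature, word the message as a request (for example "IOMMU support for vhost-user-client requested") or log the effective state where the port is registered. The value is also latched once here; since runtime changes are documented as unsupported, a warning when other_config changes after init would keep a later edit from being silently ignored.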
> diff --git a/lib/dpdk.h b/lib/dpdk.h
> index 673a1f1..dc58d96 100644
> --- a/lib/dpdk.h
> +++ b/lib/dpdk.h
> @@ -17,6 +17,8 @@
> #ifndef DPDK_H
> #define DPDK_H
>
> +#include <stdbool.h>
> +
> #ifdef DPDK_NETDEV
>
> #include <rte_config.h>
> @@ -35,5 +37,6 @@ struct smap;
> void dpdk_init(const struct smap *ovs_other_config); void
> dpdk_set_lcore_id(unsigned cpu); const char
> *dpdk_get_vhost_sock_dir(void);
> +bool dpdk_vhost_iommu_enabled(void);
>
> #endif /* dpdk.h */
> diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index f552444..9715c39
> 100644
> --- a/lib/netdev-dpdk.c
> +++ b/lib/netdev-dpdk.c
> @@ -3253,6 +3253,7 @@ netdev_dpdk_vhost_client_reconfigure(struct netdev
> *netdev) {
> struct netdev_dpdk *dev = netdev_dpdk_cast(netdev);
> int err;
> + uint64_t vhost_flags = 0;
>
> ovs_mutex_lock(&dev->mutex);
>
> @@ -3263,16 +3264,21 @@ netdev_dpdk_vhost_client_reconfigure(struct netdev
> *netdev)
> */
> if (!(dev->vhost_driver_flags & RTE_VHOST_USER_CLIENT)
> && strlen(dev->vhost_id)) {
> - /* Register client-mode device */
> - err = rte_vhost_driver_register(dev->vhost_id,
> - RTE_VHOST_USER_CLIENT);
> + /* Register client-mode device. */
> + vhost_flags |= RTE_VHOST_USER_CLIENT;
> +
> + /* Enable IOMMU support, if explicitly requested. */
> + if (dpdk_vhost_iommu_enabled()) {
> + vhost_flags |= RTE_VHOST_USER_IOMMU_SUPPORT;
> + }
> + err = rte_vhost_driver_register(dev->vhost_id, vhost_flags);
> if (err) {
> VLOG_ERR("vhost-user device setup failure for device %s\n",
> dev->vhost_id);
> goto unlock;
> } else {
> /* Configuration successful */
> - dev->vhost_driver_flags |= RTE_VHOST_USER_CLIENT;
> + dev->vhost_driver_flags |= vhost_flags;
> VLOG_INFO("vHost User device '%s' created in 'client' mode, "
> "using client socket '%s'",
> dev->up.name, dev->vhost_id); diff --git
> a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index c145e1a..4c317d0
> 100644
> --- a/vswitchd/vswitch.xml
> +++ b/vswitchd/vswitch.xml
> @@ -344,6 +344,21 @@
> </p>
> </column>
>
> + <column name="other_config" key="vhost-iommu-support"
> + type='{"type": "boolean"}'>
> + <p>
> + vHost IOMMU is a security feature, which restricts the vhost
> memory
> + that a virtio device may access. vHost IOMMU support is
> disabled by
> + default, due to a bug in QEMU implementations of the vhost
> REPLY_ACK
> + protocol, (on which vHost IOMMU relies) prior to v2.9.1.
> Setting this
> + value to <code>true</code> enables vHost IOMMU support for
> vHost User
> + Client ports in OvS-DPDK, starting from DPDK v17.11.
> + </p>
> + <p>
> + Changing this value requires restarting the daemon.
> + </p>
> + </column>
> +
> <column name="other_config" key="n-handler-threads"
> type='{"type": "integer", "minInteger": 1}'>
> <p>
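Review bot: the new column description gives the affected QEMU range only as "prior to v2.9.1", while vhost-user.rst in this same patch says v2.7.0 - v2.9.0 inclusive and names v2.10.0 as known to work; use one wording in both places so operators get the same version guidance. There is also a stray comma before "(on which vHost IOMMU relies)", and the text could state the default as false explicitly, as the .rst section does.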
> --
> 1.9.3
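Review bot: in the second netdev-dpdk.c hunk, the success VLOG_INFO in netdev_dpdk_vhost_client_reconfigure() still only says the device was created in 'client' mode and does not mention RTE_VHOST_USER_IOMMU_SUPPORT, so per-port logs cannot confirm that a given device was registered with the IOMMU flag. This is the point where the option takes effect, so consider adding the flag state to that message, and to the VLOG_ERR on failure, which also omits vhost_flags. Because registration is guarded by !(dev->vhost_driver_flags & RTE_VHOST_USER_CLIENT), ports that are already registered keep their original flags; a short comment noting that this is why a daemon restart is required would help the next reader.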