From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8CC27949FD for ; Thu, 11 Apr 2024 10:31:25 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6541C1CA00 for ; Thu, 11 Apr 2024 10:30:55 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Thu, 11 Apr 2024 10:30:51 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 91E964499D for ; Thu, 11 Apr 2024 10:30:51 +0200 (CEST) Message-ID: <55b9f4ca-7d09-4300-bb6d-6aa52b34833a@proxmox.com> Date: Thu, 11 Apr 2024 10:30:50 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox VE development discussion , Markus Frank References: <20240124094918.260222-1-m.frank@proxmox.com> <20240124094918.260222-3-m.frank@proxmox.com> Content-Language: en-GB, de-AT From: Thomas Lamprecht Autocrypt: addr=t.lamprecht@proxmox.com; keydata= xsFNBFsLjcYBEACsaQP6uTtw/xHTUCKF4VD4/Wfg7gGn47+OfCKJQAD+Oyb3HSBkjclopC5J uXsB1vVOfqVYE6PO8FlD2L5nxgT3SWkc6Ka634G/yGDU3ZC3C/7NcDVKhSBI5E0ww4Qj8s9w OQRloemb5LOBkJNEUshkWRTHHOmk6QqFB/qBPW2COpAx6oyxVUvBCgm/1S0dAZ9gfkvpqFSD 90B5j3bL6i9FIv3YGUCgz6Ue3f7u+HsEAew6TMtlt90XV3vT4M2IOuECG/pXwTy7NtmHaBQ7 UJBcwSOpDEweNob50+9B4KbnVn1ydx+K6UnEcGDvUWBkREccvuExvupYYYQ5dIhRFf3fkS4+ wMlyAFh8PQUgauod+vqs45FJaSgTqIALSBsEHKEs6IoTXtnnpbhu3p6XBin4hunwoBFiyYt6 YHLAM1yLfCyX510DFzX/Ze2hLqatqzY5Wa7NIXqYYelz7tXiuCLHP84+sV6JtEkeSUCuOiUY virj6nT/nJK8m0BzdR6FgGtNxp7RVXFRz/+mwijJVLpFsyG1i0Hmv2zTn3h2nyGK/I6yhFNt dX69y5hbo6LAsRjLUvZeHXpTU4TrpN/WiCjJblbj5um5eEr4yhcwhVmG102puTtuCECsDucZ jpKpUqzXlpLbzG/dp9dXFH3MivvfuaHrg3MtjXY1i+/Oxyp5iwARAQABzTNUaG9tYXMgTGFt cHJlY2h0IChBdXRoLTQpIDx0LmxhbXByZWNodEBwcm94bW94LmNvbT7CwY4EEwEIADgWIQQO R4qbEl/pah9K6VrTZCM6gDZWBgUCWwuNxgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK CRDTZCM6gDZWBm/jD/4+6JB2s67eaqoP6x9VGaXNGJPCscwzLuxDTCG90G9FYu29VcXtubH/ bPwsyBbNUQpqTm/s4XboU2qpS5ykCuTjqavrcP33tdkYfGcItj2xMipJ1i3TWvpikQVsX42R G64wovLs/dvpTYphRZkg5DwhgTmy3mRkmofFCTa+//MOcNOORltemp984tWjpR3bUJETNWpF sKGZHa3N4kCNxb7A+VMsJZ/1gN3jbQbQG7GkJtnHlWkw9rKCYqBtWrnrHa4UAvSa9M/XCIAB FThFGqZI1ojdVlv5gd6b/nWxfOPrLlSxbUo5FZ1i/ycj7/24nznW1V4ykG9iUld4uYUY86bB UGSjew1KYp9FmvKiwEoB+zxNnuEQfS7/Bj1X9nxizgweiHIyFsRqgogTvLh403QMSGNSoArk tqkorf1U+VhEncIn4H3KksJF0njZKfilrieOO7Vuot1xKr9QnYrZzJ7m7ZxJ/JfKGaRHXkE1 feMmrvZD1AtdUATZkoeQtTOpMu4r6IQRfSdwm/CkppZXfDe50DJxAMDWwfK2rr2bVkNg/yZI tKLBS0YgRTIynkvv0h8d9dIjiicw3RMeYXyqOnSWVva2r+tl+JBaenr8YTQw0zARrhC0mttu cIZGnVEvQuDwib57QLqMjQaC1gazKHvhA15H5MNxUhwm229UmdH3KM7BTQRbC43GARAAyTkR D6KRJ9Xa2fVMh+6f186q0M3ni+5tsaVhUiykxjsPgkuWXWW9MbLpYXkzX6h/RIEKlo2BGA95 QwG5+Ya2Bo3g7FGJHAkXY6loq7DgMp5/TVQ8phsSv3WxPTJLCBq6vNBamp5hda4cfXFUymsy HsJy4dtgkrPQ/bnsdFDCRUuhJHopnAzKHN8APXpKU6xV5e3GE4LwFsDhNHfH/m9+2yO/trcD txSFpyftbK2gaMERHgA8SKkzRhiwRTt9w5idOfpJVkYRsgvuSGZ0pcD4kLCOIFrer5xXudk6 NgJc36XkFRMnwqrL/bB4k6Pi2u5leyqcXSLyBgeHsZJxg6Lcr2LZ35+8RQGPOw9C0ItmRjtY ZpGKPlSxjxA1WHT2YlF9CEt3nx7c4C3thHHtqBra6BGPyW8rvtq4zRqZRLPmZ0kt/kiMPhTM 8wZAlObbATVrUMcZ/uNjRv2vU9O5aTAD9E5r1B0dlqKgxyoImUWB0JgpILADaT3VybDd3C8X s6Jt8MytUP+1cEWt9VKo4vY4Jh5vwrJUDLJvzpN+TsYCZPNVj18+jf9uGRaoK6W++DdMAr5l gQiwsNgf9372dbMI7pt2gnT5/YdG+ZHnIIlXC6OUonA1Ro/Itg90Q7iQySnKKkqqnWVc+qO9 GJbzcGykxD6EQtCSlurt3/5IXTA7t6sAEQEAAcLBdgQYAQgAIBYhBA5HipsSX+lqH0rpWtNk IzqANlYGBQJbC43GAhsMAAoJENNkIzqANlYGD1sP/ikKgHgcspEKqDED9gQrTBvipH85si0j /Jwu/tBtnYjLgKLh2cjv1JkgYYjb3DyZa1pLsIv6rGnPX9bH9IN03nqirC/Q1Y1lnbNTynPk IflgvsJjoTNZjgu1wUdQlBgL/JhUp1sIYID11jZphgzfDgp/E6ve/8xE2HMAnf4zAfJaKgD0 F+fL1DlcdYUditAiYEuN40Ns/abKs8I1MYx7Yglu3RzJfBzV4t86DAR+OvuF9v188WrFwXCS RSf4DmJ8tntyNej+DVGUnmKHupLQJO7uqCKB/1HLlMKc5G3GLoGqJliHjUHUAXNzinlpE2Vj C78pxpwxRNg2ilE3AhPoAXrY5qED5PLE9sLnmQ9AzRcMMJUXjTNEDxEYbF55SdGBHHOAcZtA kEQKub86e+GHA+Z8oXQSGeSGOkqHi7zfgW1UexddTvaRwE6AyZ6FxTApm8wq8NT2cryWPWTF BDSGB3ujWHMM8ERRYJPcBSjTvt0GcEqnd+OSGgxTkGOdufn51oz82zfpVo1t+J/FNz6MRMcg 8nEC+uKvgzH1nujxJ5pRCBOquFZaGn/p71Yr0oVitkttLKblFsqwa+10Lt6HBxm+2+VLp4Ja 0WZNncZciz3V3cuArpan/ZhhyiWYV5FD0pOXPCJIx7WS9PTtxiv0AOS4ScWEUmBxyhFeOpYa DrEx In-Reply-To: <20240124094918.260222-3-m.frank@proxmox.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.057 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [machine.pm, qemuserver.pm, qemu.pm] Subject: Re: [pve-devel] [PATCH qemu-server v8 2/4] fix #3784: Parameter for guest vIOMMU + test-cases X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2024 08:31:25 -0000 Am 24/01/2024 um 10:49 schrieb Markus Frank: > vIOMMU is the emulation of a hardware IOMMU within a virtual machine, > providing improved memory access control and security for virtualized I/O devices. > vIOMMU also enables the option to passthrough pci devices to L2 VMs > in L1 VMs via Nested Virtualisation. > > Currently there are two vIOMMU implementation in QEMU to choose: > intel & virtio > > Virtio-iommu is more recent but less used in production than intel-iommu. > > The check_machine_config function prevents using intel-iommu with > i440fx. > > Signed-off-by: Markus Frank > --- > PVE/API2/Qemu.pm | 2 ++ > PVE/QemuServer.pm | 12 ++++++++++++ > PVE/QemuServer/Machine.pm | 17 ++++++++++++++++- > test/cfg2cmd/q35-viommu-intel.conf | 1 + > test/cfg2cmd/q35-viommu-intel.conf.cmd | 23 +++++++++++++++++++++++ > test/cfg2cmd/q35-viommu-virtio.conf | 1 + > test/cfg2cmd/q35-viommu-virtio.conf.cmd | 23 +++++++++++++++++++++++ > 7 files changed, 78 insertions(+), 1 deletion(-) > create mode 100644 test/cfg2cmd/q35-viommu-intel.conf > create mode 100644 test/cfg2cmd/q35-viommu-intel.conf.cmd > create mode 100644 test/cfg2cmd/q35-viommu-virtio.conf > create mode 100644 test/cfg2cmd/q35-viommu-virtio.conf.cmd > this one needs to be rebased. > diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm > index c23b16a..4a5a833 100644 > --- a/PVE/API2/Qemu.pm > +++ b/PVE/API2/Qemu.pm > @@ -1056,6 +1056,7 @@ __PACKAGE__->register_method({ > $conf->{machine} = PVE::QemuServer::Machine::print_machine($machine_conf); > } > } > + PVE::QemuServer::Machine::check_machine_config($conf, $machine_conf); > > PVE::QemuConfig->write_config($vmid, $conf); > > @@ -1894,6 +1895,7 @@ my $update_vm_api = sub { > $conf->{pending}->{$opt} = $param->{$opt}; > } elsif ($opt eq 'machine') { > my $machine_conf = PVE::QemuServer::Machine::parse_machine($param->{$opt}); > + PVE::QemuServer::Machine::check_machine_config($conf, $machine_conf); > $conf->{pending}->{$opt} = $param->{$opt}; > } else { > $conf->{pending}->{$opt} = $param->{$opt}; > diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm > index 6bb2ec3..92832f8 100644 > --- a/PVE/QemuServer.pm > +++ b/PVE/QemuServer.pm > @@ -4070,6 +4070,18 @@ sub config_to_command { > } > push @$machineFlags, "type=${machine_type_min}"; > > + PVE::QemuServer::Machine::check_machine_config($conf, $machine_conf); > + > + if ($machine_conf->{viommu}) { > + if ($machine_conf->{viommu} eq 'intel') { > + unshift @$devices, '-device', 'intel-iommu,intremap=on,caching-mode=on'; > + push @$machineFlags, 'kernel-irqchip=split'; > + } > + if ($machine_conf->{viommu} eq 'virtio') { could be merged with the line before as `} elsif (...) {` > + push @$devices, '-device', 'virtio-iommu-pci'; > + } > + } > + > push @$cmd, @$devices; > push @$cmd, '-rtc', join(',', @$rtcFlags) if scalar(@$rtcFlags); > push @$cmd, '-machine', join(',', @$machineFlags) if scalar(@$machineFlags); > diff --git a/PVE/QemuServer/Machine.pm b/PVE/QemuServer/Machine.pm > index 5e3a75c..71790c4 100644 > --- a/PVE/QemuServer/Machine.pm > +++ b/PVE/QemuServer/Machine.pm > @@ -23,12 +23,19 @@ my $machine_fmt = { > format_description => 'machine type', > optional => 1, > }, > + viommu => { > + type => 'string', > + description => "Enable/disable guest vIOMMU" > + ." (needs kvm to be enabled and q35 to be set as machine type).", early newline > + enum => ['intel', 'virtio'], > + optional => 1, > + }, > }; > > PVE::JSONSchema::register_format('pve-qemu-machine-fmt', $machine_fmt); > > PVE::JSONSchema::register_standard_option('pve-qemu-machine', { > - description => "Specify the QEMU machine type.", > + description => "Specify the QEMU machine type & enable/disable vIOMMU.", > type => 'string', > optional => 1, > format => PVE::JSONSchema::get_format('pve-qemu-machine-fmt'), > @@ -48,6 +55,14 @@ sub print_machine { > return print_property_string($machine_conf, $machine_fmt); > } > > +sub check_machine_config { maybe name that `assert_valid_machine_property` to better convey that it can die > + my ($conf, $machine_conf) = @_; > + my $q35 = $machine_conf->{type} && ($machine_conf->{type} =~ m/q35/) ? 1 : 0; > + if ($machine_conf->{viommu} && $machine_conf->{viommu} eq "intel" && !$q35) { > + die "to use Intel vIOMMU please set the machine type to q35\n"; > + } > +} > + > sub machine_type_is_q35 { > my ($conf) = @_; > > diff --git a/test/cfg2cmd/q35-viommu-intel.conf b/test/cfg2cmd/q35-viommu-intel.conf > new file mode 100644 > index 0000000..e500ab0 > --- /dev/null > +++ b/test/cfg2cmd/q35-viommu-intel.conf one test is great, but they do not cost that much (even if big line-wise) so maybe also test the `virtio` one and some error behavior (e.g., enabled on a VM that has i440fx as machine-type (one can specify an expected error in a source config, grep "EXPECT_ERROR" for examples).