forked from pool/openvswitch
218 lines
7.8 KiB
Diff
218 lines
7.8 KiB
Diff
|
From 99aa592dd03c15e9857cfc9c93cc31a8a660af7e Mon Sep 17 00:00:00 2001
|
||
|
From: Mark Kavanagh <mark.b.kavanagh@intel.com>
|
||
|
Date: Fri, 8 Dec 2017 10:53:47 +0000
|
||
|
Subject: [PATCH 3/3] netdev-dpdk: vHost IOMMU support
|
||
|
|
||
|
DPDK v17.11 introduces support for the vHost IOMMU feature.
|
||
|
This is a security feature, which restricts the vhost memory
|
||
|
that a virtio device may access.
|
||
|
|
||
|
This feature also enables the vhost REPLY_ACK protocol, the
|
||
|
implementation of which is known to work in newer versions of
|
||
|
QEMU (i.e. v2.10.0), but is buggy in older versions (v2.7.0 -
|
||
|
v2.9.0, inclusive). As such, the feature is disabled by default
|
||
|
in (and should remain so), for the aforementioned older QEMU
|
||
|
verions. Starting with QEMU v2.9.1, vhost-iommu-support can
|
||
|
safely be enabled, even without having an IOMMU device, with
|
||
|
no performance penalty.
|
||
|
|
||
|
This patch adds a new global config option, vhost-iommu-support,
|
||
|
that controls enablement of the vhost IOMMU feature:
|
||
|
|
||
|
ovs-vsctl set Open_vSwitch . other_config:vhost-iommu-support=true
|
||
|
|
||
|
This value defaults to false; to enable IOMMU support, this field
|
||
|
should be set to true when setting other global parameters on init
|
||
|
(such as "dpdk-socket-mem", for example). Changing the value at
|
||
|
runtime is not supported, and requires restarting the vswitch daemon.
|
||
|
|
||
|
Signed-off-by: Mark Kavanagh <mark.b.kavanagh@intel.com>
|
||
|
Acked-by: Kevin Traynor <ktraynor@redhat.com>
|
||
|
Signed-off-by: Ian Stokes <ian.stokes@intel.com>
|
||
|
---
|
||
|
Documentation/topics/dpdk/vhost-user.rst | 28 ++++++++++++++++++++++++++++
|
||
|
lib/dpdk-stub.c | 6 ++++++
|
||
|
lib/dpdk.c | 12 ++++++++++++
|
||
|
lib/dpdk.h | 3 +++
|
||
|
lib/netdev-dpdk.c | 14 ++++++++++----
|
||
|
vswitchd/vswitch.xml | 15 +++++++++++++++
|
||
|
6 files changed, 74 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/Documentation/topics/dpdk/vhost-user.rst b/Documentation/topics/dpdk/vhost-user.rst
|
||
|
index d383a16e3..9286f8ac6 100644
|
||
|
--- a/Documentation/topics/dpdk/vhost-user.rst
|
||
|
+++ b/Documentation/topics/dpdk/vhost-user.rst
|
||
|
@@ -273,6 +273,34 @@ One benefit of using this mode is the ability for vHost ports to 'reconnect' in
|
||
|
event of the switch crashing or being brought down. Once it is brought back up,
|
||
|
the vHost ports will reconnect automatically and normal service will resume.
|
||
|
|
||
|
+vhost-user-client IOMMU Support
|
||
|
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
+
|
||
|
+vhost IOMMU is a feature which restricts the vhost memory that a virtio device
|
||
|
+can access, and as such is useful in deployments in which security is a
|
||
|
+concern.
|
||
|
+
|
||
|
+IOMMU support may be enabled via a global config value,
|
||
|
+```vhost-iommu-support```. Setting this to true enables vhost IOMMU support for
|
||
|
+all vhost ports when/where available::
|
||
|
+
|
||
|
+ $ ovs-vsctl set Open_vSwitch . other_config:vhost-iommu-support=true
|
||
|
+
|
||
|
+The default value is false.
|
||
|
+
|
||
|
+.. important::
|
||
|
+
|
||
|
+ Changing this value requires restarting the daemon.
|
||
|
+
|
||
|
+.. important::
|
||
|
+
|
||
|
+ Enabling the IOMMU feature also enables the vhost user reply-ack protocol;
|
||
|
+ this is known to work on QEMU v2.10.0, but is buggy on older versions
|
||
|
+ (2.7.0 - 2.9.0, inclusive). Consequently, the IOMMU feature is disabled by
|
||
|
+ default (and should remain so if using the aforementioned versions of
|
||
|
+ QEMU). Starting with QEMU v2.9.1, vhost-iommu-support can safely be
|
||
|
+ enabled, even without having an IOMMU device, with no performance penalty.
|
||
|
+
|
||
|
.. _dpdk-testpmd:
|
||
|
|
||
|
DPDK in the Guest
|
||
|
diff --git a/lib/dpdk-stub.c b/lib/dpdk-stub.c
|
||
|
index daef7291f..36021807c 100644
|
||
|
--- a/lib/dpdk-stub.c
|
||
|
+++ b/lib/dpdk-stub.c
|
||
|
@@ -48,3 +48,9 @@ dpdk_get_vhost_sock_dir(void)
|
||
|
{
|
||
|
return NULL;
|
||
|
}
|
||
|
+
|
||
|
+bool
|
||
|
+dpdk_vhost_iommu_enabled(void)
|
||
|
+{
|
||
|
+ return false;
|
||
|
+}
|
||
|
diff --git a/lib/dpdk.c b/lib/dpdk.c
|
||
|
index 8da6c3244..6710d10fc 100644
|
||
|
--- a/lib/dpdk.c
|
||
|
+++ b/lib/dpdk.c
|
||
|
@@ -41,6 +41,7 @@ VLOG_DEFINE_THIS_MODULE(dpdk);
|
||
|
static FILE *log_stream = NULL; /* Stream for DPDK log redirection */
|
||
|
|
||
|
static char *vhost_sock_dir = NULL; /* Location of vhost-user sockets */
|
||
|
+static bool vhost_iommu_enabled = false; /* Status of vHost IOMMU support */
|
||
|
|
||
|
static int
|
||
|
process_vhost_flags(char *flag, const char *default_val, int size,
|
||
|
@@ -345,6 +346,11 @@ dpdk_init__(const struct smap *ovs_other_config)
|
||
|
vhost_sock_dir = sock_dir_subcomponent;
|
||
|
}
|
||
|
|
||
|
+ vhost_iommu_enabled = smap_get_bool(ovs_other_config,
|
||
|
+ "vhost-iommu-support", false);
|
||
|
+ VLOG_INFO("IOMMU support for vhost-user-client %s.",
|
||
|
+ vhost_iommu_enabled ? "enabled" : "disabled");
|
||
|
+
|
||
|
argv = grow_argv(&argv, 0, 1);
|
||
|
argc = 1;
|
||
|
argv[0] = xstrdup(ovs_get_program_name());
|
||
|
@@ -482,6 +488,12 @@ dpdk_get_vhost_sock_dir(void)
|
||
|
return vhost_sock_dir;
|
||
|
}
|
||
|
|
||
|
+bool
|
||
|
+dpdk_vhost_iommu_enabled(void)
|
||
|
+{
|
||
|
+ return vhost_iommu_enabled;
|
||
|
+}
|
||
|
+
|
||
|
void
|
||
|
dpdk_set_lcore_id(unsigned cpu)
|
||
|
{
|
||
|
diff --git a/lib/dpdk.h b/lib/dpdk.h
|
||
|
index 673a1f17e..dc58d968a 100644
|
||
|
--- a/lib/dpdk.h
|
||
|
+++ b/lib/dpdk.h
|
||
|
@@ -17,6 +17,8 @@
|
||
|
#ifndef DPDK_H
|
||
|
#define DPDK_H
|
||
|
|
||
|
+#include <stdbool.h>
|
||
|
+
|
||
|
#ifdef DPDK_NETDEV
|
||
|
|
||
|
#include <rte_config.h>
|
||
|
@@ -35,5 +37,6 @@ struct smap;
|
||
|
void dpdk_init(const struct smap *ovs_other_config);
|
||
|
void dpdk_set_lcore_id(unsigned cpu);
|
||
|
const char *dpdk_get_vhost_sock_dir(void);
|
||
|
+bool dpdk_vhost_iommu_enabled(void);
|
||
|
|
||
|
#endif /* dpdk.h */
|
||
|
diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c
|
||
|
index b93aa2354..3082fd668 100644
|
||
|
--- a/lib/netdev-dpdk.c
|
||
|
+++ b/lib/netdev-dpdk.c
|
||
|
@@ -3259,6 +3259,7 @@ netdev_dpdk_vhost_client_reconfigure(struct netdev *netdev)
|
||
|
{
|
||
|
struct netdev_dpdk *dev = netdev_dpdk_cast(netdev);
|
||
|
int err;
|
||
|
+ uint64_t vhost_flags = 0;
|
||
|
|
||
|
ovs_mutex_lock(&dev->mutex);
|
||
|
|
||
|
@@ -3269,16 +3270,21 @@ netdev_dpdk_vhost_client_reconfigure(struct netdev *netdev)
|
||
|
*/
|
||
|
if (!(dev->vhost_driver_flags & RTE_VHOST_USER_CLIENT)
|
||
|
&& strlen(dev->vhost_id)) {
|
||
|
- /* Register client-mode device */
|
||
|
- err = rte_vhost_driver_register(dev->vhost_id,
|
||
|
- RTE_VHOST_USER_CLIENT);
|
||
|
+ /* Register client-mode device. */
|
||
|
+ vhost_flags |= RTE_VHOST_USER_CLIENT;
|
||
|
+
|
||
|
+ /* Enable IOMMU support, if explicitly requested. */
|
||
|
+ if (dpdk_vhost_iommu_enabled()) {
|
||
|
+ vhost_flags |= RTE_VHOST_USER_IOMMU_SUPPORT;
|
||
|
+ }
|
||
|
+ err = rte_vhost_driver_register(dev->vhost_id, vhost_flags);
|
||
|
if (err) {
|
||
|
VLOG_ERR("vhost-user device setup failure for device %s\n",
|
||
|
dev->vhost_id);
|
||
|
goto unlock;
|
||
|
} else {
|
||
|
/* Configuration successful */
|
||
|
- dev->vhost_driver_flags |= RTE_VHOST_USER_CLIENT;
|
||
|
+ dev->vhost_driver_flags |= vhost_flags;
|
||
|
VLOG_INFO("vHost User device '%s' created in 'client' mode, "
|
||
|
"using client socket '%s'",
|
||
|
dev->up.name, dev->vhost_id);
|
||
|
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
|
||
|
index 074535b58..8f646059f 100644
|
||
|
--- a/vswitchd/vswitch.xml
|
||
|
+++ b/vswitchd/vswitch.xml
|
||
|
@@ -344,6 +344,21 @@
|
||
|
</p>
|
||
|
</column>
|
||
|
|
||
|
+ <column name="other_config" key="vhost-iommu-support"
|
||
|
+ type='{"type": "boolean"}'>
|
||
|
+ <p>
|
||
|
+ vHost IOMMU is a security feature, which restricts the vhost memory
|
||
|
+ that a virtio device may access. vHost IOMMU support is disabled by
|
||
|
+ default, due to a bug in QEMU implementations of the vhost REPLY_ACK
|
||
|
+ protocol, (on which vHost IOMMU relies) prior to v2.9.1. Setting this
|
||
|
+ value to <code>true</code> enables vHost IOMMU support for vHost User
|
||
|
+ Client ports in OvS-DPDK, starting from DPDK v17.11.
|
||
|
+ </p>
|
||
|
+ <p>
|
||
|
+ Changing this value requires restarting the daemon.
|
||
|
+ </p>
|
||
|
+ </column>
|
||
|
+
|
||
|
<column name="other_config" key="n-handler-threads"
|
||
|
type='{"type": "integer", "minInteger": 1}'>
|
||
|
<p>
|
||
|
--
|
||
|
2.15.1
|
||
|
|