[dpdk-dev] [PATCH v1 1/1] kernel/linux: introduce vfio_pf kernel module
Stephen Hemminger
stephen at networkplumber.org
Tue Oct 8 17:12:44 CEST 2019
On Fri, 6 Sep 2019 14:42:30 +0530
<vattunuru at marvell.com> wrote:
> From: Vamsi Attunuru <vattunuru at marvell.com>
>
> The DPDK use case such as VF representer or OVS offload etc
> would call for PF and VF PCIe devices to bind vfio-pci
> module to enable IOMMU protection.
>
> In addition to vSwitch use case, unlike, other PCI class of
> devices, Network class of PCIe devices would have additional
> responsibility on the PF devices such as promiscuous mode support
> etc.
>
> The above use cases demand VFIO needs bound to PF and its
> VF devices. This use case is not supported in Linux kernel,
> due to a security issue where it is possible to have
> DoS in case if VF attached to guest over vfio-pci and netdev
> kernel driver runs on it and which something VF representer
> would like to enable it.
>
> Since we can not differentiate, the vfio-pci bounded VF devices
> runs DPDK application or netdev driver in guest, we can not
> introduce any scheme to fix DoS case and therefore not have
> proper support of this in the upstream kernel.
>
> The igb_uio enables such PF and VF binding support for
> non-iommu devices to make VF representer or OVS offload
> run on non-iommu devices with DoS vulnerability for netdev driver
> as VF.
>
> This kernel module, facilitate to enable SRIOV on PF devices,
> therefore, to run both PF and VF devices in VFIO mode knowing
> its impacts like igb_uio driver functions of non-iommu devices.
>
> Signed-off-by: Vamsi Attunuru <vattunuru at marvell.com>
> Signed-off-by: Jerin Jacob <jerinj at marvell.com>

NAK

Having kernel drivers not in upstream kernel is a long term
maintenance and security risk. Please work with upstream kernel
developers to get this merged there.