I think the whole process of VFIO binding maybe needs at least a second thought regarding corner cases and security.

1) In the setup process, there currently is no mechanism that checks if the device to be used has other devices in the same IOMMU group that need to be bound to VFIO too. Otherwise using VFIO will fail. I think currently, it only works if the network device is the only one in its IOMMU group.

2) Right now everything inside /dev/vfio/ is granted to all users, right? Maybe this leads to (security) issues if VFIO is in active use by other non-DPDK processes for other PCIe devices.

Cheers,
Andre

Burakov, Anatoly <anatoly.burakov at intel.com> wrote on Tue, 31 March 2015 at 11:05:

> > > 3. Why depend on location of vfio module in kernel tree?
> > > modprobe does the right thing and finds it.
> > >
> > > VFIO_PATH="kernel/drivers/vfio/pci/vfio-pci.ko"
> > >
> > > echo "Loading VFIO module"
> > > /sbin/lsmod | grep -s vfio_pci > /dev/null
> > > if [ $? -ne 0 ] ; then
> > >     if [ -f /lib/modules/$(uname -r)/$VFIO_PATH ] ; then
> > >         sudo /sbin/modprobe vfio-pci
> > >     fi
> > > fi
> > >
>
> Here I agree. Needs to be fixed.
>
> Thanks,
> Anatoly
>
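
The two checks raised in the message above, as an added example that is not part of the original e-mail or of the DPDK scripts: list IOMMU-group siblings still bound to a non-VFIO driver, and list group nodes under /dev/vfio that any user can open. The function names and the SYSFS/VFIO_DEV overrides are assumptions made for the example; treating unbound siblings as acceptable is a simplification.

```shell
#!/bin/sh
# Added example. SYSFS and VFIO_DEV can be overridden so the checks can be
# run against a constructed directory tree instead of the live system.
SYSFS="${SYSFS:-/sys}"
VFIO_DEV="${VFIO_DEV:-/dev/vfio}"

# Print "<BDF> <driver>" for every other device in the IOMMU group of $1
# that is bound to a driver other than vfio-pci. Devices without a driver
# are not reported (simplification made for this example).
# Returns 0 if no sibling blocks the group, 1 if some do, 2 if the device
# has no IOMMU group (IOMMU disabled or unknown device).
group_blockers() {
    dev="$SYSFS/bus/pci/devices/$1"
    [ -e "$dev/iommu_group" ] || return 2
    blocked=0
    for peer in "$dev"/iommu_group/devices/*; do
        bdf=${peer##*/}
        [ "$bdf" = "$1" ] && continue        # skip the device itself
        [ -e "$peer/driver" ] || continue    # unbound sibling
        drv=$(basename "$(readlink "$peer/driver")")
        if [ "$drv" != "vfio-pci" ]; then
            echo "$bdf $drv"
            blocked=1
        fi
    done
    return $blocked
}

# Print VFIO group nodes that users outside the owner and group can open
# read-write (mode bits o+rw). The container node "vfio" is skipped; only
# the per-group nodes are reported.
open_group_nodes() {
    find "$VFIO_DEV" ! -type d ! -name vfio -perm -0006 2>/dev/null
}
```

A setup script could call `group_blockers <BDF>` before binding and stop when it prints anything, and run `open_group_nodes` after binding to see which groups were opened to every local user.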