1 .. SPDX-License-Identifier: BSD-3-Clause
2 Copyright(c) 2010-2015 Intel Corporation.
3 Copyright 2017 Mellanox Technologies, Ltd
6 .. _linux_gsg_linux_drivers:
11 Different PMDs may require different kernel drivers in order to work properly.
12 Depending on the PMD being used, a corresponding kernel driver should be loaded,
13 and network ports should be bound to that driver.
18 VFIO is a robust and secure driver that relies on IOMMU protection.
19 To make use of VFIO, the ``vfio-pci`` module must be loaded:
21 .. code-block:: console
23 sudo modprobe vfio-pci
25 VFIO kernel is usually present by default in all distributions,
26 however please consult your distributions documentation to make sure that is the case.
28 For DMA mapping of either external memory or hugepages, VFIO interface is used.
29 VFIO does not support partial unmap of once mapped memory. Hence DPDK's memory is
30 mapped in hugepage granularity or system page granularity. Number of DMA
31 mappings is limited by kernel with user locked memory limit of a process (rlimit)
32 for system/hugepage memory. Another per-container overall limit applicable both
33 for external memory and system memory was added in kernel 5.1 defined by
34 VFIO module parameter ``dma_entry_limit`` with a default value of 64K.
35 When application is out of DMA entries, these limits need to be adjusted to
36 increase the allowed limit.
38 Since Linux version 5.7,
39 the ``vfio-pci`` module supports the creation of virtual functions.
40 After the PF is bound to ``vfio-pci`` module,
41 the user can create the VFs using the ``sysfs`` interface,
42 and these VFs will be bound to ``vfio-pci`` module automatically.
44 When the PF is bound to ``vfio-pci``,
45 by default it will have a randomly generated VF token.
46 For security reasons, this token is write only,
47 so the user cannot read it from the kernel directly.
48 To access the VFs, the user needs to create a new token,
49 and use it to initialize both VF and PF devices.
50 The tokens are in UUID format,
51 so any UUID generation tool can be used to create a new token.
53 This VF token can be passed to DPDK by using EAL parameter ``--vfio-vf-token``.
54 The token will be used for all PF and VF ports within the application.
56 #. Generate the VF token by uuid command
58 .. code-block:: console
60 14d63f20-8445-11ea-8900-1f9ce7d5650d
62 #. Load the ``vfio-pci`` module with ``enable_sriov`` parameter set
64 .. code-block:: console
66 sudo modprobe vfio-pci enable_sriov=1
68 Alternatively, pass the ``enable_sriov`` parameter through the ``sysfs`` if the module is already loaded or is built-in:
70 .. code-block:: console
72 echo 1 | sudo tee /sys/module/vfio_pci/parameters/enable_sriov
74 #. Bind the PCI devices to ``vfio-pci`` driver
76 .. code-block:: console
78 ./usertools/dpdk-devbind.py -b vfio-pci 0000:86:00.0
80 #. Create the desired number of VF devices
82 .. code-block:: console
84 echo 2 > /sys/bus/pci/devices/0000:86:00.0/sriov_numvfs
86 #. Start the DPDK application that will manage the PF device
88 .. code-block:: console
90 <build_dir>/app/dpdk-testpmd -l 22-25 -n 4 -a 86:00.0 \
91 --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=pf -- -i
93 #. Start the DPDK application that will manage the VF device
95 .. code-block:: console
97 <build_dir>/app/dpdk-testpmd -l 26-29 -n 4 -a 86:02.0 \
98 --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=vf0 -- -i
100 To make use of full VFIO functionality,
101 both kernel and BIOS must support and be configured
102 to use IO virtualization (such as IntelĀ® VT-d).
106 Linux versions earlier than version 3.6 do not support VFIO.
110 Linux versions earlier than version 5.7 do not support the creation of
111 virtual functions within the VFIO framework.
115 In most cases, specifying "iommu=on" as kernel parameter should be enough to
116 configure the Linux kernel to use IOMMU.
118 For proper operation of VFIO when running DPDK applications as a non-privileged user, correct permissions should also be set up.
119 For more information, please refer to :ref:`Running_Without_Root_Privileges`.
124 If there is no IOMMU available on the system, VFIO can still be used,
125 but it has to be loaded with an additional module parameter:
127 .. code-block:: console
129 modprobe vfio enable_unsafe_noiommu_mode=1
131 Alternatively, one can also enable this option in an already loaded kernel module:
133 .. code-block:: console
135 echo 1 > /sys/module/vfio/parameters/enable_unsafe_noiommu_mode
137 After that, VFIO can be used with hardware devices as usual.
141 It may be required to unload all VFIO related-modules before probing
142 the module again with ``enable_unsafe_noiommu_mode=1`` parameter.
146 Since no-IOMMU mode forgoes IOMMU protection, it is inherently unsafe.
147 That said, it does make it possible for the user
148 to keep the degree of device access and programming that VFIO has,
149 in situations where IOMMU is not available.
154 In situations where using VFIO is not an option, there are alternative drivers one can use.
155 In many cases, the standard ``uio_pci_generic`` module included in the Linux kernel
156 can be used as a substitute for VFIO. This module can be loaded using the command:
158 .. code-block:: console
160 sudo modprobe uio_pci_generic
164 ``uio_pci_generic`` module doesn't support the creation of virtual functions.
166 As an alternative to the ``uio_pci_generic``, there is the ``igb_uio`` module
167 which can be found in the repository `dpdk-kmods <http://git.dpdk.org/dpdk-kmods>`_.
168 It can be loaded as shown below:
170 .. code-block:: console
173 sudo insmod igb_uio.ko
177 If UEFI secure boot is enabled,
178 the Linux kernel may disallow the use of UIO on the system.
179 Therefore, devices for use by DPDK should be bound to the ``vfio-pci`` kernel module
180 rather than any UIO-based module.
181 For more details see :ref:`linux_gsg_binding_kernel` below.
185 If the devices used for DPDK are bound to the ``uio_pci_generic`` kernel module,
186 please make sure that the IOMMU is disabled or is in passthrough mode.
187 One can add ``intel_iommu=off`` or ``amd_iommu=off`` or ``intel_iommu=on iommu=pt``
188 in GRUB command line on x86_64 systems,
189 or add ``iommu.passthrough=1`` on aarch64 systems.
193 Using UIO drivers is inherently unsafe due to this method lacking IOMMU protection,
194 and can only be done by root user.
196 .. _bifurcated_driver:
201 PMDs which use the bifurcated driver co-exists with the device kernel driver.
202 On such model the NIC is controlled by the kernel, while the data
203 path is performed by the PMD directly on top of the device.
205 Such model has the following benefits:
207 - It is secure and robust, as the memory management and isolation
208 is done by the kernel.
209 - It enables the user to use legacy linux tools such as ``ethtool`` or
210 ``ifconfig`` while running DPDK application on the same network ports.
211 - It enables the DPDK application to filter only part of the traffic,
212 while the rest will be directed and handled by the kernel driver.
213 The flow bifurcation is performed by the NIC hardware.
214 As an example, using :ref:`flow_isolated_mode` allows to choose
215 strictly what is received in DPDK.
217 More about the bifurcated driver can be found in
218 `Mellanox Bifurcated DPDK PMD
219 <https://www.dpdk.org/wp-content/uploads/sites/35/2016/10/Day02-Session04-RonyEfraim-Userspace2016.pdf>`__.
221 .. _linux_gsg_binding_kernel:
223 Binding and Unbinding Network Ports to/from the Kernel Modules
224 --------------------------------------------------------------
228 PMDs which use the bifurcated driver should not be unbound from their kernel drivers.
229 This section is for PMDs which use the UIO or VFIO drivers.
231 As of release 1.4, DPDK applications no longer automatically unbind all supported network ports from the kernel driver in use.
232 Instead, in case the PMD being used use the VFIO or UIO drivers,
233 all ports that are to be used by a DPDK application must be bound to
234 the ``vfio-pci``, ``uio_pci_generic``, or ``igb_uio`` module
235 before the application is run.
236 For such PMDs, any network ports under Linux* control will be ignored and cannot be used by the application.
238 To bind ports to the ``vfio-pci``, ``uio_pci_generic`` or ``igb_uio`` module
239 for DPDK use, or to return ports to Linux control,
240 a utility script called ``dpdk-devbind.py`` is provided in the ``usertools`` subdirectory.
241 This utility can be used to provide a view of the current state of the network ports on the system,
242 and to bind and unbind those ports from the different kernel modules,
243 including the VFIO and UIO modules.
244 The following are some examples of how the script can be used.
245 A full description of the script and its parameters can be obtained
246 by calling the script with the ``--help`` or ``--usage`` options.
247 Note that the UIO or VFIO kernel modules to be used,
248 should be loaded into the kernel before running the ``dpdk-devbind.py`` script.
252 Due to the way VFIO works, there are certain limitations
253 to which devices can be used with VFIO.
254 Mainly it comes down to how IOMMU groups work.
255 Any Virtual Function device can usually be used with VFIO on its own,
256 but physical devices may require either all ports bound to VFIO,
257 or some of them bound to VFIO while others not being bound to anything at all.
259 If your device is behind a PCI-to-PCI bridge,
260 the bridge will then be part of the IOMMU group in which your device is in.
261 Therefore, the bridge driver should also be unbound from the bridge PCI device
262 for VFIO to work with devices behind the bridge.
266 While any user can run the ``dpdk-devbind.py`` script
267 to view the status of the network ports,
268 binding or unbinding network ports requires root privileges.
270 To see the status of all network ports on the system:
272 .. code-block:: console
274 ./usertools/dpdk-devbind.py --status
276 Network devices using DPDK-compatible driver
277 ============================================
278 0000:82:00.0 '82599EB 10-GbE NIC' drv=uio_pci_generic unused=ixgbe
279 0000:82:00.1 '82599EB 10-GbE NIC' drv=uio_pci_generic unused=ixgbe
281 Network devices using kernel driver
282 ===================================
283 0000:04:00.0 'I350 1-GbE NIC' if=em0 drv=igb unused=uio_pci_generic *Active*
284 0000:04:00.1 'I350 1-GbE NIC' if=eth1 drv=igb unused=uio_pci_generic
285 0000:04:00.2 'I350 1-GbE NIC' if=eth2 drv=igb unused=uio_pci_generic
286 0000:04:00.3 'I350 1-GbE NIC' if=eth3 drv=igb unused=uio_pci_generic
288 Other network devices
289 =====================
292 To bind device ``eth1``,``04:00.1``, to the ``uio_pci_generic`` driver:
294 .. code-block:: console
296 ./usertools/dpdk-devbind.py --bind=uio_pci_generic 04:00.1
300 .. code-block:: console
302 ./usertools/dpdk-devbind.py --bind=uio_pci_generic eth1
304 To restore device ``82:00.0`` to its original kernel binding:
306 .. code-block:: console
308 ./usertools/dpdk-devbind.py --bind=ixgbe 82:00.0
313 In certain situations, using ``dpdk-devbind.py`` script
314 to bind a device to VFIO driver may fail.
315 The first place to check is the kernel messages:
317 .. code-block:: console
321 [ 1297.875090] vfio-pci: probe of 0000:31:00.0 failed with error -22
324 In most cases, the ``error -22`` indicates that the VFIO subsystem
325 could not be enabled because there is no IOMMU support.
327 To check whether the kernel has been booted with correct parameters,
328 one can check the kernel command-line:
330 .. code-block:: console
334 Please refer to earlier sections on how to configure kernel parameters
335 correctly for your system.
337 If the kernel is configured correctly, one also has to make sure that
338 the BIOS configuration has virtualization features (such as IntelĀ® VT-d).
339 There is no standard way to check if the platform is configured correctly,
340 so please check with your platform documentation to see if it has such features,
341 and how to enable them.
343 In certain distributions, default kernel configuration is such that
344 the no-IOMMU mode is disabled altogether at compile time.
345 This can be checked in the boot configuration of your system:
347 .. code-block:: console
349 cat /boot/config-$(uname -r) | grep NOIOMMU
350 # CONFIG_VFIO_NOIOMMU is not set
352 If ``CONFIG_VFIO_NOIOMMU`` is not enabled in the kernel configuration,
353 VFIO driver will not support the no-IOMMU mode,
354 and other alternatives (such as UIO drivers) will have to be used.