1 .. SPDX-License-Identifier: BSD-3-Clause
2 Copyright(c) 2010-2015 Intel Corporation.
3 Copyright 2017 Mellanox Technologies, Ltd
6 .. include:: <isonum.txt>
8 .. _linux_gsg_linux_drivers:
13 Different PMDs may require different kernel drivers in order to work properly.
14 Depending on the PMD being used, a corresponding kernel driver should be loaded,
15 and network ports should be bound to that driver.
17 .. _linux_gsg_binding_kernel:
19 Binding and Unbinding Network Ports to/from the Kernel Modules
20 --------------------------------------------------------------
24 PMDs which use the bifurcated driver should not be unbound from their kernel drivers.
25 This section is for PMDs which use the UIO or VFIO drivers.
26 See :ref:`bifurcated_driver` section for more details.
30 It is recommended that ``vfio-pci`` be used as the kernel module for DPDK-bound ports in all cases.
31 If an IOMMU is unavailable, the ``vfio-pci`` can be used in :ref:`no-iommu<vfio_noiommu>` mode.
32 If, for some reason, vfio is unavailable, then UIO-based modules, ``igb_uio`` and ``uio_pci_generic`` may be used.
33 See section :ref:`uio` for details.
35 Most devices require that the hardware to be used by DPDK be unbound from the kernel driver it uses,
36 and instead be bound to the ``vfio-pci`` kernel module before the application is run.
37 For such PMDs, any network ports or other hardware under Linux* control will be ignored and cannot be used by the application.
39 To bind ports to the ``vfio-pci`` module
40 for DPDK use, or to return ports to Linux control,
41 a utility script called ``dpdk-devbind.py`` is provided in the ``usertools`` subdirectory.
42 This utility can be used to provide a view of the current state of the network ports on the system,
43 and to bind and unbind those ports from the different kernel modules,
44 including the VFIO and UIO modules.
45 The following are some examples of how the script can be used.
46 A full description of the script and its parameters can be obtained
47 by calling the script with the ``--help`` or ``--usage`` options.
48 Note that the UIO or VFIO kernel modules to be used,
49 should be loaded into the kernel before running the ``dpdk-devbind.py`` script.
53 Due to the way VFIO works, there are certain limitations
54 to which devices can be used with VFIO.
55 Mainly it comes down to how IOMMU groups work.
56 Any Virtual Function device can usually be used with VFIO on its own,
57 but physical devices may require either all ports bound to VFIO,
58 or some of them bound to VFIO while others not being bound to anything at all.
60 If your device is behind a PCI-to-PCI bridge,
61 the bridge will then be part of the IOMMU group in which your device is in.
62 Therefore, the bridge driver should also be unbound from the bridge PCI device
63 for VFIO to work with devices behind the bridge.
67 While any user can run the ``dpdk-devbind.py`` script
68 to view the status of the network ports,
69 binding or unbinding network ports requires root privileges.
71 To see the status of all network ports on the system:
73 .. code-block:: console
75 ./usertools/dpdk-devbind.py --status
77 Network devices using DPDK-compatible driver
78 ============================================
79 0000:82:00.0 '82599EB 10-GbE NIC' drv=vfio-pci unused=ixgbe
80 0000:82:00.1 '82599EB 10-GbE NIC' drv=vfio-pci unused=ixgbe
82 Network devices using kernel driver
83 ===================================
84 0000:04:00.0 'I350 1-GbE NIC' if=em0 drv=igb unused=vfio-pci *Active*
85 0000:04:00.1 'I350 1-GbE NIC' if=eth1 drv=igb unused=vfio-pci
86 0000:04:00.2 'I350 1-GbE NIC' if=eth2 drv=igb unused=vfio-pci
87 0000:04:00.3 'I350 1-GbE NIC' if=eth3 drv=igb unused=vfio-pci
93 To bind device ``eth1``,``04:00.1``, to the ``vfio-pci`` driver:
95 .. code-block:: console
97 ./usertools/dpdk-devbind.py --bind=vfio-pci 04:00.1
101 .. code-block:: console
103 ./usertools/dpdk-devbind.py --bind=vfio-pci eth1
105 When specifying device ids, wildcards can be used for the final part of the address.
106 To restore device ``82:00.0`` and ``82:00.1`` to their original kernel binding:
108 .. code-block:: console
110 ./usertools/dpdk-devbind.py --bind=ixgbe 82:00.*
115 VFIO is a robust and secure driver that relies on IOMMU protection.
116 To make use of VFIO, the ``vfio-pci`` module must be loaded:
118 .. code-block:: console
120 sudo modprobe vfio-pci
122 VFIO kernel is usually present by default in all distributions,
123 however please consult your distributions documentation to make sure that is the case.
125 To make use of full VFIO functionality,
126 both kernel and BIOS must support and be configured
127 to use IO virtualization (such as Intel\ |reg| VT-d).
131 In most cases, specifying "iommu=on" as kernel parameter should be enough to
132 configure the Linux kernel to use IOMMU.
134 For proper operation of VFIO when running DPDK applications as a non-privileged user, correct permissions should also be set up.
135 For more information, please refer to :ref:`Running_Without_Root_Privileges`.
138 VFIO Memory Mapping Limits
139 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
141 For DMA mapping of either external memory or hugepages, VFIO interface is used.
142 VFIO does not support partial unmap of once mapped memory. Hence DPDK's memory is
143 mapped in hugepage granularity or system page granularity. Number of DMA
144 mappings is limited by kernel with user locked memory limit of a process (rlimit)
145 for system/hugepage memory. Another per-container overall limit applicable both
146 for external memory and system memory was added in kernel 5.1 defined by
147 VFIO module parameter ``dma_entry_limit`` with a default value of 64K.
148 When application is out of DMA entries, these limits need to be adjusted to
149 increase the allowed limit.
151 Creating Virtual Functions using vfio-pci
152 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
154 Since Linux version 5.7,
155 the ``vfio-pci`` module supports the creation of virtual functions.
156 After the PF is bound to ``vfio-pci`` module,
157 the user can create the VFs using the ``sysfs`` interface,
158 and these VFs will be bound to ``vfio-pci`` module automatically.
160 When the PF is bound to ``vfio-pci``,
161 by default it will have a randomly generated VF token.
162 For security reasons, this token is write only,
163 so the user cannot read it from the kernel directly.
164 To access the VFs, the user needs to create a new token,
165 and use it to initialize both VF and PF devices.
166 The tokens are in UUID format,
167 so any UUID generation tool can be used to create a new token.
169 This VF token can be passed to DPDK by using EAL parameter ``--vfio-vf-token``.
170 The token will be used for all PF and VF ports within the application.
172 #. Generate the VF token by uuid command
174 .. code-block:: console
176 14d63f20-8445-11ea-8900-1f9ce7d5650d
178 #. Load the ``vfio-pci`` module with ``enable_sriov`` parameter set
180 .. code-block:: console
182 sudo modprobe vfio-pci enable_sriov=1
184 Alternatively, pass the ``enable_sriov`` parameter through the ``sysfs`` if the module is already loaded or is built-in:
186 .. code-block:: console
188 echo 1 | sudo tee /sys/module/vfio_pci/parameters/enable_sriov
190 #. Bind the PCI devices to ``vfio-pci`` driver
192 .. code-block:: console
194 ./usertools/dpdk-devbind.py -b vfio-pci 0000:86:00.0
196 #. Create the desired number of VF devices
198 .. code-block:: console
200 echo 2 > /sys/bus/pci/devices/0000:86:00.0/sriov_numvfs
202 #. Start the DPDK application that will manage the PF device
204 .. code-block:: console
206 <build_dir>/app/dpdk-testpmd -l 22-25 -n 4 -a 86:00.0 \
207 --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=pf -- -i
209 #. Start the DPDK application that will manage the VF device
211 .. code-block:: console
213 <build_dir>/app/dpdk-testpmd -l 26-29 -n 4 -a 86:02.0 \
214 --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=vf0 -- -i
218 Linux versions earlier than version 5.7 do not support the creation of
219 virtual functions within the VFIO framework.
226 If there is no IOMMU available on the system, VFIO can still be used,
227 but it has to be loaded with an additional module parameter:
229 .. code-block:: console
231 modprobe vfio enable_unsafe_noiommu_mode=1
233 Alternatively, one can also enable this option in an already loaded kernel module:
235 .. code-block:: console
237 echo 1 > /sys/module/vfio/parameters/enable_unsafe_noiommu_mode
239 After that, VFIO can be used with hardware devices as usual.
243 It may be required to unload all VFIO related-modules before probing
244 the module again with ``enable_unsafe_noiommu_mode=1`` parameter.
248 Since no-IOMMU mode forgoes IOMMU protection, it is inherently unsafe.
249 That said, it does make it possible for the user
250 to keep the degree of device access and programming that VFIO has,
251 in situations where IOMMU is not available.
260 Using UIO drivers is inherently unsafe due to this method lacking IOMMU protection,
261 and can only be done by root user.
263 In situations where using VFIO is not an option, there are alternative drivers one can use.
264 In many cases, the standard ``uio_pci_generic`` module included in the Linux kernel
265 can be used as a substitute for VFIO. This module can be loaded using the command:
267 .. code-block:: console
269 sudo modprobe uio_pci_generic
273 ``uio_pci_generic`` module doesn't support the creation of virtual functions.
275 As an alternative to the ``uio_pci_generic``, there is the ``igb_uio`` module
276 which can be found in the repository `dpdk-kmods <http://git.dpdk.org/dpdk-kmods>`_.
277 It can be loaded as shown below:
279 .. code-block:: console
282 sudo insmod igb_uio.ko
286 For some devices which lack support for legacy interrupts, e.g. virtual function
287 (VF) devices, the ``igb_uio`` module may be needed in place of ``uio_pci_generic``.
291 If UEFI secure boot is enabled,
292 the Linux kernel may disallow the use of UIO on the system.
293 Therefore, devices for use by DPDK should be bound to the ``vfio-pci`` kernel module
294 rather than any UIO-based module.
295 For more details see :ref:`linux_gsg_binding_kernel` below.
299 If the devices used for DPDK are bound to a UIO-based kernel module,
300 please make sure that the IOMMU is disabled or is in passthrough mode.
301 One can add ``intel_iommu=off`` or ``amd_iommu=off`` or ``intel_iommu=on iommu=pt``
302 in GRUB command line on x86_64 systems,
303 or add ``iommu.passthrough=1`` on aarch64 systems.
305 .. _bifurcated_driver:
310 PMDs which use the bifurcated driver co-exists with the device kernel driver.
311 On such model the NIC is controlled by the kernel, while the data
312 path is performed by the PMD directly on top of the device.
314 Such model has the following benefits:
316 - It is secure and robust, as the memory management and isolation
317 is done by the kernel.
318 - It enables the user to use legacy linux tools such as ``ethtool`` or
319 ``ifconfig`` while running DPDK application on the same network ports.
320 - It enables the DPDK application to filter only part of the traffic,
321 while the rest will be directed and handled by the kernel driver.
322 The flow bifurcation is performed by the NIC hardware.
323 As an example, using :ref:`flow_isolated_mode` allows to choose
324 strictly what is received in DPDK.
326 More about the bifurcated driver can be found in
327 `Mellanox Bifurcated DPDK PMD
328 <https://www.dpdk.org/wp-content/uploads/sites/35/2016/10/Day02-Session04-RonyEfraim-Userspace2016.pdf>`__.
333 In certain situations, using ``dpdk-devbind.py`` script
334 to bind a device to VFIO driver may fail.
335 The first place to check is the kernel messages:
337 .. code-block:: console
341 [ 1297.875090] vfio-pci: probe of 0000:31:00.0 failed with error -22
344 In most cases, the ``error -22`` indicates that the VFIO subsystem
345 could not be enabled because there is no IOMMU support.
347 To check whether the kernel has been booted with correct parameters,
348 one can check the kernel command-line:
350 .. code-block:: console
354 Please refer to earlier sections on how to configure kernel parameters
355 correctly for your system.
357 If the kernel is configured correctly, one also has to make sure that
358 the BIOS configuration has virtualization features (such as Intel\ |reg| VT-d).
359 There is no standard way to check if the platform is configured correctly,
360 so please check with your platform documentation to see if it has such features,
361 and how to enable them.
363 In certain distributions, default kernel configuration is such that
364 the no-IOMMU mode is disabled altogether at compile time.
365 This can be checked in the boot configuration of your system:
367 .. code-block:: console
369 cat /boot/config-$(uname -r) | grep NOIOMMU
370 # CONFIG_VFIO_NOIOMMU is not set
372 If ``CONFIG_VFIO_NOIOMMU`` is not enabled in the kernel configuration,
373 VFIO driver will not support the no-IOMMU mode,
374 and other alternatives (such as UIO drivers) will have to be used.