From: Anatoly Burakov Date: Thu, 19 Nov 2020 11:32:30 +0000 (+0000) Subject: doc: reword VFIO and UIO sections in Linux guide X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=9180da676615d3797ad7905c7f4976833be5da25;p=dpdk.git doc: reword VFIO and UIO sections in Linux guide Make sure that we always prioritize VFIO over UIO. Also, minor wording corrections and improvements. Signed-off-by: Anatoly Burakov --- diff --git a/doc/guides/linux_gsg/enable_func.rst b/doc/guides/linux_gsg/enable_func.rst index 45fd53ba36..7bd6b03f10 100644 --- a/doc/guides/linux_gsg/enable_func.rst +++ b/doc/guides/linux_gsg/enable_func.rst @@ -59,6 +59,8 @@ The application can then determine what action to take, if any, if the HPET is n These generic APIs can work with either TSC or HPET time sources, depending on what is requested by an application call to ``rte_eal_hpet_init()``, if any, and on what is available on the system at runtime. +.. _Running_Without_Root_Privileges: + Running DPDK Applications Without Root Privileges ------------------------------------------------- diff --git a/doc/guides/linux_gsg/linux_drivers.rst b/doc/guides/linux_gsg/linux_drivers.rst index 91ef270880..dfe0c8042c 100644 --- a/doc/guides/linux_gsg/linux_drivers.rst +++ b/doc/guides/linux_gsg/linux_drivers.rst @@ -9,8 +9,8 @@ Linux Drivers ============= Different PMDs may require different kernel drivers in order to work properly. -Depends on the PMD being used, a corresponding kernel driver should be load -and bind to the network ports. +Depending on the PMD being used, a corresponding kernel driver should be loaded, +and network ports should be bound to that driver. VFIO ---- @@ -22,50 +22,85 @@ To make use of VFIO, the ``vfio-pci`` module must be loaded: sudo modprobe vfio-pci -Note that in order to use VFIO, your kernel must support it. -VFIO kernel modules have been included in the Linux kernel since version 3.6.0 and are usually present by default, +VFIO kernel is usually present by default in all distributions, however please consult your distributions documentation to make sure that is the case. -The ``vfio-pci`` module since Linux version 5.7 supports the creation of virtual -functions. After the PF is bound to vfio-pci module, the user can create the VFs -by sysfs interface, and these VFs are bound to vfio-pci module automatically. +Since Linux version 5.7, +the ``vfio-pci`` module supports the creation of virtual functions. +After the PF is bound to ``vfio-pci`` module, +the user can create the VFs using the ``sysfs`` interface, +and these VFs will be bound to ``vfio-pci`` module automatically. -When the PF is bound to vfio-pci, it has initial VF token generated by random. For -security reason, this token is write only, the user can't read it from the kernel -directly. To access the VF, the user needs to start the PF with token parameter to -setup a VF token in UUID format, then the VF can be accessed with this new token. +When the PF is bound to ``vfio-pci``, +by default it will have a randomly generated VF token. +For security reasons, this token is write only, +so the user cannot read it from the kernel directly. +To access the VFs, the user needs to create a new token, +and use it to initialize both VF and PF devices. +The tokens are in UUID format, +so any UUID generation tool can be used to create a new token. -Since the ``vfio-pci`` module uses the VF token as internal data to provide the -collaboration between SR-IOV PF and VFs, so DPDK can use the same VF token for all -PF devices which bound to one application. This VF token can be specified by the EAL -parameter ``--vfio-vf-token``. +This VF token can be passed to DPDK by using EAL parameter ``--vfio-vf-token``. +The token will be used for all PF and VF ports within the application. -.. code-block:: console +#. Generate the VF token by uuid command + + .. code-block:: console + + 14d63f20-8445-11ea-8900-1f9ce7d5650d + +#. Load the ``vfio-pci`` module with ``enable_sriov`` parameter set + + .. code-block:: console + + sudo modprobe vfio-pci enable_sriov=1 + +#. Bind the PCI devices to ``vfio-pci`` driver + + .. code-block:: console + + ./usertools/dpdk-devbind.py -b vfio-pci 0000:86:00.0 + +#. Create the desired number of VF devices - 1. Generate the VF token by uuid command - 14d63f20-8445-11ea-8900-1f9ce7d5650d + .. code-block:: console - 2. sudo modprobe vfio-pci enable_sriov=1 + echo 2 > /sys/bus/pci/devices/0000:86:00.0/sriov_numvfs - 2. ./usertools/dpdk-devbind.py -b vfio-pci 0000:86:00.0 +#. Start the DPDK application that will manage the PF device - 3. echo 2 > /sys/bus/pci/devices/0000:86:00.0/sriov_numvfs + .. code-block:: console - 4. Start the PF: - /app/dpdk-testpmd -l 22-25 -n 4 -a 86:00.0 \ - --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=pf -- -i + /app/dpdk-testpmd -l 22-25 -n 4 -a 86:00.0 \ + --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=pf -- -i - 5. Start the VF: - /app/dpdk-testpmd -l 26-29 -n 4 -a 86:02.0 \ - --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=vf0 -- -i +#. Start the DPDK application that will manage the VF device -Also, to use VFIO, both kernel and BIOS must support and be configured to use IO virtualization (such as Intel® VT-d). + .. code-block:: console + + /app/dpdk-testpmd -l 26-29 -n 4 -a 86:02.0 \ + --vfio-vf-token=14d63f20-8445-11ea-8900-1f9ce7d5650d --file-prefix=vf0 -- -i + +To make use of full VFIO functionality, +both kernel and BIOS must support and be configured +to use IO virtualization (such as Intel® VT-d). + +.. note:: + + Linux versions earlier than version 3.6 do not support VFIO. .. note:: - ``vfio-pci`` module doesn't support the creation of virtual functions before Linux version 5.7. + Linux versions earlier than version 5.7 do not support the creation of + virtual functions within the VFIO framework. + +.. note:: + + In most cases, specifying "iommu=on" as kernel parameter should be enough to + configure the Linux kernel to use IOMMU. For proper operation of VFIO when running DPDK applications as a non-privileged user, correct permissions should also be set up. +For more information, please refer to :ref:`Running_Without_Root_Privileges`. .. note:: @@ -79,7 +114,7 @@ UIO In situations where using VFIO is not an option, there are alternative drivers one can use. In many cases, the standard ``uio_pci_generic`` module included in the Linux kernel -can provide the UIO capability. This module can be loaded using the command: +can be used as a substitute for VFIO. This module can be loaded using the command: .. code-block:: console @@ -109,13 +144,15 @@ It can be loaded as shown below: .. note:: If the devices used for DPDK are bound to the ``uio_pci_generic`` kernel module, - please make sure that the IOMMU is disabled or passthrough. + please make sure that the IOMMU is disabled or is in passthrough mode. One can add ``intel_iommu=off`` or ``amd_iommu=off`` or ``intel_iommu=on iommu=pt`` in GRUB command line on x86_64 systems, or add ``iommu.passthrough=1`` on aarch64 systems. -Since DPDK 1.7 onward provides VFIO support, -use of UIO is optional for platforms that support using VFIO. +.. note:: + + Using UIO drivers is inherently unsafe due to this method lacking IOMMU protection, + and can only be done by root user. .. _bifurcated_driver: @@ -149,37 +186,47 @@ Binding and Unbinding Network Ports to/from the Kernel Modules .. note:: - PMDs Which use the bifurcated driver should not be unbind from their kernel drivers. this section is for PMDs which use the UIO or VFIO drivers. + PMDs which use the bifurcated driver should not be unbound from their kernel drivers. + This section is for PMDs which use the UIO or VFIO drivers. As of release 1.4, DPDK applications no longer automatically unbind all supported network ports from the kernel driver in use. -Instead, in case the PMD being used use the UIO or VFIO drivers, all ports that are to be used by a DPDK application must be bound to the -``uio_pci_generic``, ``igb_uio`` or ``vfio-pci`` module before the application is run. +Instead, in case the PMD being used use the VFIO or UIO drivers, +all ports that are to be used by a DPDK application must be bound to +the ``vfio-pci``, ``uio_pci_generic``, or ``igb_uio`` module +before the application is run. For such PMDs, any network ports under Linux* control will be ignored and cannot be used by the application. -To bind ports to the ``uio_pci_generic``, ``igb_uio`` or ``vfio-pci`` module for DPDK use, -and then subsequently return ports to Linux* control, -a utility script called dpdk-devbind.py is provided in the usertools subdirectory. +To bind ports to the ``vfio-pci``, ``uio_pci_generic`` or ``igb_uio`` module +for DPDK use, or to return ports to Linux control, +a utility script called ``dpdk-devbind.py`` is provided in the ``usertools`` subdirectory. This utility can be used to provide a view of the current state of the network ports on the system, -and to bind and unbind those ports from the different kernel modules, including the uio and vfio modules. +and to bind and unbind those ports from the different kernel modules, +including the VFIO and UIO modules. The following are some examples of how the script can be used. -A full description of the script and its parameters can be obtained by calling the script with the ``--help`` or ``--usage`` options. -Note that the uio or vfio kernel modules to be used, should be loaded into the kernel before -running the ``dpdk-devbind.py`` script. +A full description of the script and its parameters can be obtained +by calling the script with the ``--help`` or ``--usage`` options. +Note that the UIO or VFIO kernel modules to be used, +should be loaded into the kernel before running the ``dpdk-devbind.py`` script. .. warning:: - Due to the way VFIO works, there are certain limitations to which devices can be used with VFIO. - Mainly it comes down to how IOMMU groups work. - Any Virtual Function device can be used with VFIO on its own, but physical devices will require either all ports bound to VFIO, - or some of them bound to VFIO while others not being bound to anything at all. + Due to the way VFIO works, there are certain limitations + to which devices can be used with VFIO. + Mainly it comes down to how IOMMU groups work. + Any Virtual Function device can usually be used with VFIO on its own, + but physical devices may require either all ports bound to VFIO, + or some of them bound to VFIO while others not being bound to anything at all. - If your device is behind a PCI-to-PCI bridge, the bridge will then be part of the IOMMU group in which your device is in. - Therefore, the bridge driver should also be unbound from the bridge PCI device for VFIO to work with devices behind the bridge. + If your device is behind a PCI-to-PCI bridge, + the bridge will then be part of the IOMMU group in which your device is in. + Therefore, the bridge driver should also be unbound from the bridge PCI device + for VFIO to work with devices behind the bridge. .. warning:: - While any user can run the dpdk-devbind.py script to view the status of the network ports, - binding or unbinding network ports requires root privileges. + While any user can run the ``dpdk-devbind.py`` script + to view the status of the network ports, + binding or unbinding network ports requires root privileges. To see the status of all network ports on the system: