Re: How to express "externally managed" IOMMU domains for VFIO/IOMMUFD ?
On Thu, May 07, 2026 at 08:02:40AM +0000, Tian, Kevin wrote:
> > From: Jason Gunthorpe <jgg@xxxxxxxx>
> > Sent: Sunday, April 26, 2026 9:30 PM
> >
> > On Thu, Apr 23, 2026 at 08:01:50AM +0000, Tian, Kevin wrote:
> > > > On Xen, we have a dedicated hypercalls for moving a device into another
> > > > guest (so it no longer belongs in Dom0, as far as DMA is concerned).
> > > >
> > > > But it looks like there is no way to describe that idea of "attach that
> > > > device to this VM" nor "the device is in a VM"; which makes that
> > > > impracticable.
> > > >
> > > > There may be things that could be done with the vIOMMU objects, but
> > > > there would be no "parent domain" in such case, as said earlier it
> > > > doesn't exist in the IOMMU subsystem.
> > > >
> > > > What is expected to be done instead ?
> > > >
> > > > Teddy
> > > >
> > > > [1] https://www.youtube.com/watch?v=pLMGRgEJ-Eg
> > > >
> > >
> > > It'd be much easier to collect comments if you can put plain words
> > > to explain the problem rather than expecting other folks to watch
> > > the video first...
> >
> > It sounds like CC and pkvm to me so I think it should re-use those
> > mechanisms..
> >
>
> for CC and pkvm the guest memory is still allocated from host.

From an iommu perspective that doesn't entirely matter, what it sees
is that the translation is controlled by some secure world and it only
needs a way to associate the kvm handle for the secure world with any
required call for configuring the viommu.

It is not very different from KVM installing encrypted pages that have
been completely unmapped from all page tables in the hypervisor into
the VM's secure EPT through TDX calls and then iommufd creating a
viommu that re-uses the secure EPT. The only thing dealing with the
memory map is KVM.

I'd expect Xen to work the same, however the invisible memory was
affiliated with the VM through KVM, the iommu side should pick up the
KVM and then request a VIOMMU to be set up for the VFIO device on the
target KVM and that should trigger the hypercalls to move the device
into the selected guest.

Jason