Hi,

This series implements support for using iommufd to propagate DMA
mappings to the kernel for VM-assigned host devices in a qemu VM.

We add a new 'iommufd' attribute for hostdev devices to be
associated with the iommufd object.

For instance, specifying the iommufd object and associated hostdev in a
VM definition:

  <devices>
...
    <hostdev mode='subsystem' type='pci' managed='no'>
      <driver iommufd='yes'/>
      <source>
        <address domain='0x0009' bus='0x01' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x15' slot='0x00' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='no'>
      <driver iommufd='yes'/>
      <source>
        <address domain='0x0019' bus='0x01' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x16' slot='0x00' function='0x0'/>
    </hostdev>
...
  </devices>

This would get translated to a qemu command line with the arguments below.
Note that libvirt will open the /dev/iommu and VFIO cdev, passing the
associated fd number to qemu:

 -object '{"qom-type":"iommufd","id":"iommufd0","fd":"24"}' \
 -device '{"driver":"vfio-pci","host":"0009:01:00.0","id":"hostdev0","iommufd":"iommufd0","fd":"22","bus":"pci.21","addr":"0x0"}' \
 -device '{"driver":"vfio-pci","host":"0019:01:00.0","id":"hostdev1","iommufd":"iommufd0","fd":"25","bus":"pci.22","addr":"0x0"}' \

This series is on Github:
https://github.com/NathanChenNVIDIA/libvirt/tree/iommufd-10-23-25

Thanks,
Nathan

Signed-off-by: Nathan Chen <nathanc@nvidia.com>

Nathan Chen (4):
  qemu: Implement support for associating iommufd to hostdev
  qemu: open iommufd FDs from libvirt backend
  qemu: Update Cgroup, namespace, and seclabel for qemu to access
    iommufd paths
  tests: qemuxmlconfdata: provide iommufd sample XML and CLI args

 docs/formatdomain.rst                         |   8 +
 src/conf/device_conf.c                        |   9 +
 src/conf/device_conf.h                        |   1 +
 src/conf/schemas/basictypes.rng               |   5 +
 src/qemu/qemu_cgroup.c                        |  61 +++++
 src/qemu/qemu_cgroup.h                        |   1 +
 src/qemu/qemu_command.c                       |  62 ++++-
 src/qemu/qemu_command.h                       |   3 +-
 src/qemu/qemu_domain.c                        |   8 +
 src/qemu/qemu_domain.h                        |   7 +
 src/qemu/qemu_hotplug.c                       |   2 +-
 src/qemu/qemu_namespace.c                     |  44 ++++
 src/qemu/qemu_process.c                       | 232 ++++++++++++++++++
 src/security/security_apparmor.c              |  15 ++
 src/security/security_dac.c                   |  34 +++
 src/security/security_selinux.c               |  34 +++
 src/security/virt-aa-helper.c                 |  11 +-
 src/util/virpci.c                             |  68 +++++
 src/util/virpci.h                             |   1 +
 .../iommufd-q35.x86_64-latest.args            |  41 ++++
 .../iommufd-q35.x86_64-latest.xml             |  60 +++++
 tests/qemuxmlconfdata/iommufd-q35.xml         |  38 +++
 .../iommufd-virt.aarch64-latest.args          |  33 +++
 .../iommufd-virt.aarch64-latest.xml           |  34 +++
 tests/qemuxmlconfdata/iommufd-virt.xml        |  22 ++
 .../iommufd.x86_64-latest.args                |  35 +++
 .../qemuxmlconfdata/iommufd.x86_64-latest.xml |  38 +++
 tests/qemuxmlconfdata/iommufd.xml             |  30 +++
 tests/qemuxmlconftest.c                       |   4 +
 29 files changed, 934 insertions(+), 7 deletions(-)
 create mode 100644 tests/qemuxmlconfdata/iommufd-q35.x86_64-latest.args
 create mode 100644 tests/qemuxmlconfdata/iommufd-q35.x86_64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/iommufd-q35.xml
 create mode 100644 tests/qemuxmlconfdata/iommufd-virt.aarch64-latest.args
 create mode 100644 tests/qemuxmlconfdata/iommufd-virt.aarch64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/iommufd-virt.xml
 create mode 100644 tests/qemuxmlconfdata/iommufd.x86_64-latest.args
 create mode 100644 tests/qemuxmlconfdata/iommufd.x86_64-latest.xml
 create mode 100644 tests/qemuxmlconfdata/iommufd.xml

-- 
2.43.0

On a Monday in 2025, Nathan Chen via Devel wrote:
>Hi,
>
>This series implements support for using iommufd to propagate DMA
>mappings to the kernel for VM-assigned host devices in a qemu VM.
>
>We add a new 'iommufd' attribute for hostdev devices to be
>associated with the iommufd object.
>
>For instance, specifying the iommufd object and associated hostdev in a
>VM definition:
>
>  <devices>
>...
>    <hostdev mode='subsystem' type='pci' managed='no'>
>      <driver iommufd='yes'/>
>      <source>
>        <address domain='0x0009' bus='0x01' slot='0x00' function='0x0'/>
>      </source>
>      <address type='pci' domain='0x0000' bus='0x15' slot='0x00' function='0x0'/>
>    </hostdev>
>    <hostdev mode='subsystem' type='pci' managed='no'>
>      <driver iommufd='yes'/>
>      <source>
>        <address domain='0x0019' bus='0x01' slot='0x00' function='0x0'/>
>      </source>
>      <address type='pci' domain='0x0000' bus='0x16' slot='0x00' function='0x0'/>
>    </hostdev>
>...
>  </devices>
>

Are there any hardware/kernel requirements, or something done to be
host? Even when I add the device to the vfio-pci driver, it does not
create /dev/vfio/devices for me:

error: unsupported configuration: VFIO device /dev/vfio/devices/vfio0 not found - ensure device is bound to vfio-pci driver

Kernel: 6.17.6-300.fc43.x86_64 on Fedora
QEMU: v10.1.0-2147-g917ac07f9a (the current master)

Also, I'd expect it to just work with managed='yes'.

Jano

>This would get translated to a qemu command line with the arguments below.
>Note that libvirt will open the /dev/iommu and VFIO cdev, passing the
>associated fd number to qemu:
>
> -object '{"qom-type":"iommufd","id":"iommufd0","fd":"24"}' \
> -device '{"driver":"vfio-pci","host":"0009:01:00.0","id":"hostdev0","iommufd":"iommufd0","fd":"22","bus":"pci.21","addr":"0x0"}' \
> -device '{"driver":"vfio-pci","host":"0019:01:00.0","id":"hostdev1","iommufd":"iommufd0","fd":"25","bus":"pci.22","addr":"0x0"}' \
>
>This series is on Github:
>https://github.com/NathanChenNVIDIA/libvirt/tree/iommufd-10-23-25
>
>Thanks,
>Nathan
>
>Signed-off-by: Nathan Chen <nathanc@nvidia.com>
>
>Nathan Chen (4):
>  qemu: Implement support for associating iommufd to hostdev
>  qemu: open iommufd FDs from libvirt backend
>  qemu: Update Cgroup, namespace, and seclabel for qemu to access
>    iommufd paths
>  tests: qemuxmlconfdata: provide iommufd sample XML and CLI args
>

On 11/6/2025 10:14 AM, Ján Tomko wrote:
>> Hi,
>>
>> This series implements support for using iommufd to propagate DMA
>> mappings to the kernel for VM-assigned host devices in a qemu VM.
>>
>> We add a new 'iommufd' attribute for hostdev devices to be
>> associated with the iommufd object.
>>
>> For instance, specifying the iommufd object and associated hostdev in a
>> VM definition:
>>
>>  <devices>
>> ...
>>    <hostdev mode='subsystem' type='pci' managed='no'>
>>      <driver iommufd='yes'/>
>>      <source>
>>        <address domain='0x0009' bus='0x01' slot='0x00' function='0x0'/>
>>      </source>
>>      <address type='pci' domain='0x0000' bus='0x15' slot='0x00' 
>> function='0x0'/>
>>    </hostdev>
>>    <hostdev mode='subsystem' type='pci' managed='no'>
>>      <driver iommufd='yes'/>
>>      <source>
>>        <address domain='0x0019' bus='0x01' slot='0x00' function='0x0'/>
>>      </source>
>>      <address type='pci' domain='0x0000' bus='0x16' slot='0x00' 
>> function='0x0'/>
>>    </hostdev>
>> ...
>>  </devices>
>>
> 
> Are there any hardware/kernel requirements, or something done to be
> host? Even when I add the device to the vfio-pci driver, it does not
> create /dev/vfio/devices for me:
> 
> error: unsupported configuration: VFIO device /dev/vfio/devices/vfio0 
> not found - ensure device is bound to vfio-pci driver
> 
> Kernel: 6.17.6-300.fc43.x86_64 on Fedora
> QEMU: v10.1.0-2147-g917ac07f9a (the current master)
> 
> Also, I'd expect it to just work with managed='yes'.

The iommufd module should be loaded before adding the device to the 
vfio-pci driver:
# lsmod | grep iommufd
iommufd               327680  1 vfio

I will ensure the iommufd module gets loaded with managed='yes' in the 
next revision, thanks for catching that.

-Nathan