Proxmox already contains the ACS override patches, so you can just add the pcie_acs_override=downstream or if necessary pcie_acs_override=downstream,multifunction kernel parameters to GRUB or systemd-boot (please check the PVE manual to find out which is used in your case). It usually "breaks" all IOMMU group and there allows you to ignore security isolation of the IOMMU groups. PCI(e) devices can do DMA (DIrect memory access, as in reading and writing any part of the VM memory) and talk to other PCI(e) devices in the same group. This is a security issue and your should not use it if you run untrusted software or allow untrusted users to access your VMs. Also, there are no guarantees that it will work. It just allows you to ignore ACS as your own risk.
查询直通分组信息:
for d in /sys/kernel/iommu_groups/*/devices/*; do n=${d#*/iommu_groups/*}; n=${n%%/*}; printf 'IOMMU group %s ' "$n"; lspci -nns "${d##*/}"; done
没有评论:
发表评论