15.5. PCI passthrough for para-virtualized Xen guests on Red Hat Enterprise Linux

PCI passthrough gives a Xen guest exclusive access to a PCI device, rather than sharing it with other guests or with dom0. PCI passthrough for para-virtualized Xen guests is supported on all Red Hat Enterprise Linux 5 systems; PCI passthrough with fully virtualized guests is only supported on Red Hat Enterprise Linux 5.4 and newer.

Warning

PCI passthrough to para-virtualized guests is considered insecure and is not supported for Red Hat Enterprise Linux 6 guests.

Limitations of Xen PCI passthrough:

Any guest using PCI passthrough will no longer be available for save, restore, or migration capabilities, as it will be tied to a particular non-virtualized hardware configuration.

A guest which has access to a non-virtualized PCI device via PCI passthrough also has the potential to access the DMA address space of dom0, which is a potential security concern.

To link a PCI device to a guest the device must first be hidden from the host. If the host is using the device, the device cannot be assigned to the guest.

Procedure 15.3. Example: attaching a PCI device

  1. Given a network device which uses the bnx2 driver and has a PCI ID of 0000:09:00.0, adding the following lines to /etc/modprobe.conf hides the device from dom0. Either the bnx2 module must be reloaded or the host must be restarted.
    install bnx2 /sbin/modprobe pciback; /sbin/modprobe --first-time --ignore-install bnx2
    options pciback hide=(0000:09:00.0)
  2. Multiple PCI identifiers can be added to /etc/modprobe.conf to hide multiple devices.
    options pciback hide=(0000:09:00.0)(0000:0a:04.1)
  3. Use one of the following methods to add the passed-through device to the guest's configuration file:
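
Before editing the guest configuration, it is worth confirming that steps 1 and 2 took effect after the module reload or restart. The following is an added example, not part of the Red Hat procedure: it reads the options pciback hide= entries and reports which driver each listed device is bound to. It assumes the usual sysfs layout, where /sys/bus/pci/devices/<address>/driver is a symlink to the bound driver and the backend registers itself as pciback; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that every device named in "options pciback hide=..."
# is really bound to pciback, so dom0 is no longer driving it.

# Print one PCI address per line from the pciback hide= option.
# $1: modprobe configuration file (e.g. /etc/modprobe.conf)
hidden_devices() {
    sed -n 's/^[[:space:]]*options[[:space:]]\{1,\}pciback[[:space:]].*hide=\([^[:space:]]*\).*/\1/p' "$1" |
        tr -d '(' | tr ')' '\n' | sed '/^$/d'
}

# Print the name of the driver a device is bound to, or "none".
# $1: sysfs root (assumption: /sys on the host), $2: PCI address
bound_driver() {
    link="$1/bus/pci/devices/$2/driver"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo none
    fi
}

# Report each hidden device; return 0 only if all are bound to pciback.
# $1: modprobe configuration file, $2: sysfs root
check_hidden() {
    rc=0
    for dev in $(hidden_devices "$1"); do
        drv=$(bound_driver "$2" "$dev")
        if [ "$drv" = pciback ]; then
            echo "OK   $dev is bound to pciback"
        else
            # Still owned by a dom0 driver (or unbound): not safe to assign.
            echo "FAIL $dev is bound to $drv"
            rc=1
        fi
    done
    return $rc
}

# Run against the live host when given a configuration path, e.g.:
#   sh check_pciback.sh /etc/modprobe.conf
if [ "$#" -ge 1 ]; then check_hidden "$1" "${2:-/sys}"; fi
```

A FAIL line for a device still bound to bnx2 means the module was not reloaded through the install rule, or the host has not been restarted since the change.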

Warning

Due to interrupt tracking, repeatedly hotplugging or hotunplugging an assigned device more than 512 times in a brief period of time can cause a kernel error. Please do not repeatedly hotplug/hotunplug an assigned device.

Note

When running Red Hat Enterprise Linux 5 as a KVM guest, the acpiphp kernel module must be loaded in the guest to support dynamic addition and removal of PCI devices. This module enables the guest to receive insertion and removal notifications from qemu. To manually load this module, run the following command in the guest:
# modprobe acpiphp
To enable this module to be loaded automatically on every guest boot, perform the following commands in the guest:
# echo 'modprobe acpiphp' > /etc/sysconfig/modules/acpiphp.modules
# chmod +x /etc/sysconfig/modules/acpiphp.modules
After reboot, the module should be loaded and can be confirmed with the lsmod | grep acpiphp command. More information on persistent module loading in Red Hat Enterprise Linux 5 can be found in the Red Hat Enterprise Linux 5 Deployment Guide.