Background:
Turns out that both my onboard and PCI NIC are in the same IOMMU group, which means I would have to pass through both devices to get passthrough working at all. To solve this, I found out about the linux-acs-kernel patch to break out the devices into separate IOMMU groups. I downloaded a patched kernel and set pcie_acs_override=downstream,multifunction in /etc/default/grub and applied it with sudo update-grub and a reboot. Doing find /sys/kernel/iommu_groups/ -type l after the reboot shows that both NICs are now in different IOMMU groups. Great.

However, now when I try to pass the onboard NIC by following this guide, doing a lspci -nnv gives me Kernel driver in use: r8165 (or whatever it is), whereas before applying the ACS patch I could do the exact same process in the guide and that would give me Kernel driver in use: vfio-pci. I cannot for the life of me get this to work with the ACS patch applied.

So that brings me to my current question: if I scrap the VFIO passthrough and just run the WAN interface as macvtap with virtio - Private and isolate the traffic with VLANs (basically following my initial network diagram, but cross out the words "IOMMU Passthrough"), are there any major security implications of this? Will that be enough to isolate the host OS? Or will the host still see all of the traffic and still be exposed to the open internet?

[edit] All of those code blocks were annoying to read so I replaced them with bold italics.

MustardFacial fucked around with this message at 20:57 on Nov 21, 2019
Nov 21, 2019 19:56
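As an added example (not from the thread or its author), a small POSIX sh script that automates the two checks the post describes: it groups the output of `find /sys/kernel/iommu_groups/ -type l` to show which devices share an IOMMU group (and so must be passed through together), and reports the driver currently bound to each device, the same field `lspci -nnv` prints as "Kernel driver in use". The sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit IOMMU groups and bound drivers before attempting
# VFIO passthrough. Function names and the sample listing are constructed.

# Given sysfs device links on stdin, print "group device" pairs.
# Path layout: /sys/kernel/iommu_groups/<group>/devices/<domain:bus:dev.fn>
parse_groups() {
    awk -F/ '$(NF-1) == "devices" { print $(NF-2), $NF }'
}

# Given "group device" pairs on stdin, print only the groups that hold
# more than one device (everything in such a group goes to the guest together).
shared_groups() {
    awk '{ n[$1]++ } END { for (g in n) if (n[g] > 1) print g }' | sort -n
}

# Driver bound to a PCI device (e.g. r8169 or vfio-pci), or "none" when
# nothing is bound. Reads the live sysfs, so it only works on a Linux host.
driver_of() {
    d="/sys/bus/pci/devices/$1/driver"
    if [ -L "$d" ]; then basename "$(readlink "$d")"; else echo none; fi
}

# Constructed sample: two NICs sharing group 15 (the situation the post
# starts from) and a third device alone in group 16.
SAMPLE='/sys/kernel/iommu_groups/15/devices/0000:03:00.0
/sys/kernel/iommu_groups/15/devices/0000:04:00.0
/sys/kernel/iommu_groups/16/devices/0000:00:1f.6'

# Use the real sysfs when present, otherwise fall back to the sample.
listing() {
    if [ -d /sys/kernel/iommu_groups ]; then
        find /sys/kernel/iommu_groups/ -type l
    else
        printf '%s\n' "$SAMPLE"
    fi
}

# Print one line per device with its group and bound driver, then the
# groups that cannot be split without an ACS override.
audit() {
    listing | parse_groups | while read -r grp dev; do
        printf 'group %-4s %s  driver=%s\n' "$grp" "$dev" "$(driver_of "$dev")"
    done
    echo "groups with more than one device:"
    listing | parse_groups | shared_groups
}

audit
```

A group that still lists both NICs after the reboot means the ACS override did not take effect; a device whose driver is not vfio-pci at VM start is what virt-manager has to rebind when it is added as host hardware.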
Turns out you only need to do boot time binding to vfio-pci for devices that don't like hot plugging (like GPUs). So all I had to do was remove all of the modprobe.d stuff and add the device as custom hardware in virt-manager. Two weeks of loving around because I didn't finish reading the docs and missed a checkbox.
Nov 22, 2019 04:01