From: projectmikey <projectmikey@proton.me>
To: "discuss@spectrum-os.org" <discuss@spectrum-os.org>
Subject: Questions About Virtio-GPU Patchset for Cloud Hypervisor
Date: Tue, 20 Aug 2024 14:48:15 +0000
Message-ID: <8d6dfbgv0soRgcAY-w0_7dUYnfhtYt8kWoGIBSwT0Z82Zmvgd5Fww2c54a5gOWD5mo6dHKMpvZeKJAKJ41kSXxVvdq7l0yVauo-Mk3KkPBo=@proton.me>
Dear Spectrum Team,
I hope this email finds you well.
I am reaching out with a question about your patchset for Cloud Hypervisor with support for virtio-gpu [https://spectrum-os.org/software/cloud-hypervisor/]. First, I want to say thanks for the work that has been done — it is much appreciated!
I have successfully implemented the latest version of your patchset in my current environment. I am now curious if it can be used with multiple L2 guests, each securely utilizing different GPUs, running concurrently on an L1, and requiring that each L2 guest's resources be kept private and isolated from the others.
To provide some more context, I am currently trying to achieve GPU acceleration within a nested L2 VM on GCP (L1: KVM on GCP => L2: Cloud Hypervisor). I'm using GCP rather than a bare metal environment because GCP supports nested virtualization on their affordable N1 and G2 series VMs.
Since I have limited access to the GCP environment, specifically to the L0 hypervisor and L1 hypervisor layers, I am unable to modify or access BIOS settings or certain underlying configurations at those levels. I am uncertain whether my attempts to configure the environment were entirely correct. However, after extensive online research, I couldn’t find a definitive answer on whether using VFIO is possible in GCP VMs. Despite my efforts, I have not been able to bind to vfio-pci without first enabling No-IOMMU mode on the system.
If secure VFIO usage cannot be achieved, I'm open to exploring alternatives like virtio or vfio-user, provided they can securely allocate GPU access within the L2s without memory or resource sharing between the VMs or other potential security issues that I'm not yet aware of.
Do you know if this is possible with the current version of your patchset? If not, do you have any suggestions on how to achieve this in a nested setup like this one [https://cloud.google.com/compute/docs/instances/nested-virtualization/overview]? Any other insights you could share that might point me in the right direction for accomplishing this securely would be incredibly helpful, as my knowledge in this area is limited.
Thanks again.
-Mike Calendo
Sent with [Proton Mail](https://proton.me/) secure email.
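For the vfio-pci binding situation described in the message above, an added example (not part of the original email or of the Spectrum patchset) that reads sysfs to tell a real IOMMU group from the placeholder group VFIO registers in No-IOMMU mode, where device DMA is not confined by hardware. The function name, its output strings and the optional sysfs-root argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example: report what DMA isolation VFIO can give a PCI device,
# judged from sysfs.
#   vfio_dma_isolation <pci-address> [sysfs-root]
# sysfs-root is this example's own parameter (default /sys) so the check
# can also run against a constructed tree.
vfio_dma_isolation() {
    bdf=$1
    root=${2:-/sys}
    dev="$root/bus/pci/devices/$bdf"
    grp="$dev/iommu_group"
    param="$root/module/vfio/parameters/enable_unsafe_noiommu_mode"

    [ -d "$dev" ] || { echo "no-such-device"; return 2; }

    if [ -e "$grp" ]; then
        # In No-IOMMU mode VFIO registers a placeholder group named
        # "vfio-noiommu"; it provides no DMA translation or isolation.
        if [ -r "$grp/name" ] && [ "$(cat "$grp/name")" = "vfio-noiommu" ]; then
            echo "unsafe-noiommu-group"
            return 0
        fi
        # Real group: every device listed in it shares one isolation
        # domain and has to be assigned to the same guest.
        set -- "$grp"/devices/*
        [ -e "$1" ] || set --
        echo "iommu-group devices=$#"
        return 0
    fi

    # No group at all: the kernel sees no IOMMU in front of this device.
    if [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]; then
        echo "no-iommu noiommu-mode-enabled"
    else
        echo "no-iommu"
    fi
    return 0
}
```

Call it inside the L1 guest with the GPU's PCI address, for example `vfio_dma_isolation 0000:00:04.0` (a constructed address); any result other than `iommu-group devices=N` means passthrough to an L2 guest would rely on software trust rather than IOMMU enforcement.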