KVM Forum 2024

Multi-tenant cloud environments demand secure and cost-effective workload isolation. Single Root I/O Virtualization (SR-IOV) tackles this challenge by extending PCI multifunction's capabilities. It introduces lightweight and isolated "virtual functions (VFs)" managed by a central "physical function (PF)". A PF exposes interfaces to configure the device for specific scenarios and optimize resource allocation.

For example, SR-IOV-enabled network interfaces can create VFs representing virtual network interfaces. This allows a host to assign VFs to guest VMs and configure the offloading of packet switching with the PF, minimizing network virtualization overhead.

However, current SR-IOV utilization is limited because the controllability of SR-IOV is not exposed to guests. We propose emulating SR-IOV on QEMU and integrating it with vDPA to grant guests control over SR-IOV while offloading the data path.
To showcase the effectiveness of this approach, we'll present a detailed performance benchmark using a PoC that offloads network containerazation on the guest. We'll also introduce a design for SR-IOV emulation that provides packet-switching configurability, further motivating its adoption.

Next, we describe the current development status of SR-IOV emulation on QEMU. QEMU already includes some SR-IOV device implementations, but they are based on physical designs, limiting flexibility, and lack datapath offloading. We're addressing this by developing an SR-IOV feature for virtio-net devices, which is fully configurable and enables integration with vDPA. While we leverage QEMU's existing PCI multifunction mechanism to support configuration flexibility, SR-IOV emulation presents unique implementation challenges that we'll discuss as well. The new SR-IOV feature in virtio-net will be valuable for immediate testing and serve as a foundation for the future development of practical SR-IOV designs.