Shared device assignment: the groundwork of direct I/O in confidential VMs
Shared device assignment, also known as bounce buffer device assignment, refers to the capability of assigning a hardware PCI device to a confidential VM where that device can issue DMA only to shared/unprotected memory. This can improve the I/O performance of confidential VMs, offering benefits similar to those of normal VMs.
In addition to serving as a transitional solution until Trusted Execution Environment (TEE) I/O, which allows the device to issue DMA to private memory, becomes available, shared device assignment lays the groundwork for a comprehensive TEE I/O implementation. For instance, some TEE I/O technologies (like TDX Connect) rely on the ability to manage devices using shared memory during initialization and error recovery scenarios.
In this session, we will introduce the basic support for shared device assignment. Additionally, we will clarify the future expansion directions, starting with the relationship to some ongoing projects. This includes handling partial unmap situations through the support of cut mapping in IOMMUFD, and changes to the conversion path brought about by the new guest_memfd in-place conversion approach. Furthermore, the RamDiscardManager framework used in QEMU's basic implementation lacks scalability. In the future, to support more functionalities and state management (like virtio-mem or live migration in confidential VMs), a new framework will be necessary.