| | |
The purpose of virtio and this specification is that virtual environments and guests should have a straightforward, efficient, standard and extensible mechanism for virtual devices, rather than boutique per-environment or per-OS mechanisms.
Technical Committee members should send comments on this specification to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at https://www.oasis-open.org/committees/virtio/.
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights page in the TC’s GitHub repository (https://github.com/oasis-tcs/virtio-admin/blob/master/IPR.md).
Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product’s prose narrative document(s), the content in the separate plain text file prevails.
[VIRTIO-v1.2]
Virtual I/O Device (VIRTIO) Version 1.2. Edited by Michael S. Tsirkin and
Cornelia Huck. 09 May 2022. OASIS Committee Specification Draft 01.
https://docs.oasis-open.org/virtio/virtio/v1.2/csd01/virtio-v1.2-csd01.html.
Latest stage: https://docs.oasis-open.org/virtio/virtio/v1.2/virtio-v1.2.html.
__________________________________________________________________
Copyright © OASIS Open 2022. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS AND ITS MEMBERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THIS DOCUMENT OR ANY PART THEREOF.
As stated in the OASIS IPR Policy, the following three paragraphs in brackets apply to OASIS Standards Final Deliverable documents (Committee Specifications, OASIS Standards, or Approved Errata).
[OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.]
[OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.]
[OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS’ procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.]
The name "OASIS" is a trademark of OASIS, the owner and developer of this
specification, and should be used only to refer to the organization and its official
outputs. OASIS welcomes reference to, and implementation and use of, specifications,
while reserving the right to enforce its marks against misleading uses. Please see
https://www.oasis-open.org/policies-guidelines/trademark/ for above guidance.
__________________________________________________________________
The purpose of virtio and this specification is that virtual environments and guests should have a straightforward, efficient, standard and extensible mechanism for virtual devices, rather than boutique per-environment or per-OS mechanisms.
| [RFC2119] |
Bradner S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14,
RFC 2119, March 1997. |
| [RFC4122] |
Leach, P., Mealling, M., and R. Salz, “A Universally Unique IDentifier (UUID) URN
Namespace”, RFC 4122, DOI 10.17487/RFC4122, July 2005. |
| [S390 PoP] |
z/Architecture Principles of Operation, IBM Publication SA22-7832, |
| [S390 Common I/O] |
ESA/390 Common I/O-Device and Self-Description, IBM Publication SA22-7204, |
| [PCI] |
Conventional PCI Specifications, |
| [PCIe] |
PCI Express Specifications |
| [IEEE 802] |
IEEE Standard for Local and Metropolitan Area Networks: Overview and
Architecture, |
| [SAM] |
SCSI Architectural Model, |
| [SCSI MMC] |
SCSI Multimedia Commands, |
| [FUSE] |
Linux FUSE interface, |
| [eMMC] |
eMMC Electrical Standard (5.1), JESD84-B51, |
| [HDA] |
High Definition Audio Specification, |
| [I2C] |
I2C-bus specification and user manual, |
| [SCMI] |
Arm System Control and Management Interface, DEN0056, |
| [Virtio PCI Draft] |
Virtio PCI Draft Specification |
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
Specification drafts preceding version 1.0 of this specification (e.g. see [Virtio PCI Draft]) defined a similar, but different interface between the driver and the device. Since these are widely deployed, this specification accommodates OPTIONAL features to simplify transition from these earlier draft interfaces.
Specifically devices and drivers MAY support:
Legacy devices and legacy drivers are not compliant with this specification.
To simplify transition from these earlier draft interfaces, a device MAY implement:
Similarly, a driver MAY implement:
Devices or drivers with no legacy compatibility are referred to as non-transitional devices and drivers, respectively.
For devices and drivers already implementing the legacy interface, some changes will have to be made to support this specification.
In this case, it might be beneficial for the reader to focus on sections tagged "Legacy Interface" in the section title. These highlight the changes made since the earlier drafts.
Many device and driver in-memory structure layouts are documented using the C struct syntax. All structures are assumed to be without additional padding. To stress this, cases where common C compilers are known to insert extra padding within structures are tagged using the GNU C __attribute__((packed)) syntax.
For the integer data types used in the structure definitions, the following conventions are used:
Some of the fields to be defined in this specification don’t start or don’t end on a byte boundary. Such fields are called bit-fields. A set of bit-fields is always a sub-division of an integer typed field.
Bit-fields within integer fields are always listed in order, from the least significant to the most significant bit. The bit-fields are considered unsigned integers of the specified width with the next in significance relationship of the bits preserved.
For example:
documents the value A stored in the low 15 bit of x and the value B stored in the high bit of x, the 16-bit integer x in turn stored using the big-endian byte order at the beginning of the structure S, and being followed immediately by an unsigned integer y stored in big-endian byte order at an offset of 2 bytes (16 bits) from the beginning of the structure.
Note that this notation somewhat resembles the C bitfield syntax but should not be naively converted to a bitfield notation for portable code: it matches the way bitfields are packed by C compilers on little-endian architectures but not the way bitfields are packed by C compilers on big-endian architectures.
Assuming that CPU_TO_BE16 converts a 16-bit integer from a native CPU to the big-endian byte order, the following is the equivalent portable C code to generate a value to be stored into x:
In many cases, numeric values used in the interface between the device and the driver are documented using the C #define and /* */ comment syntax. Multiple related values are grouped together with a common name as a prefix, using _ as a separator. Using _XXX as a suffix refers to all values in a group. For example:
documents two numeric values for a field Fld, with Fld having value 1 referring to A and Fld having value 2 referring to B. Note that << refers to the shift-left operation.
Further, in this case VIRTIO_FLD_A and VIRTIO_FLD_B refer to values 1 and 2 of Fld respectively. Further, VIRTIO_FLD_XXX refers to either VIRTIO_FLD_A or VIRTIO_FLD_B.
During device initialization by a driver, the driver follows the sequence of steps specified in 3.1.
The device status field provides a simple low-level indication of the completed steps of this sequence. It’s most useful to imagine it hooked up to traffic lights on the console indicating the status of each device. The following bits are defined (listed below in the order in which they would be typically set):
The device status field starts out as 0, and is reinitialized to 0 by the device during reset.
The driver MUST update device status, setting bits to indicate the completed steps of the driver initialization sequence specified in 3.1. The driver MUST NOT clear a device status bit. If the driver sets the FAILED bit, the driver MUST later reset the device before attempting to re-initialize.
The driver SHOULD NOT rely on completion of operations of a device if DEVICE_NEEDS_RESET is set. Note: For example, the driver can’t assume requests in flight will be completed if DEVICE_NEEDS_RESET is set, nor can it assume that they have not been completed. A good implementation will try to recover by issuing a reset.
The device MUST NOT consume buffers or send any used buffer notifications to the driver before DRIVER_OK.
The device SHOULD set DEVICE_NEEDS_RESET when it enters an error state that a reset is needed. If DRIVER_OK is set, after it sets DEVICE_NEEDS_RESET, the device MUST send a device configuration change notification to the driver.
Each virtio device offers all the features it understands. During device initialization, the driver reads this and tells the device the subset that it accepts. The only way to renegotiate is to reset the device.
This allows for forwards and backwards compatibility: if the device is enhanced with a new feature bit, older drivers will not write that feature bit back to the device. Similarly, if a driver is enhanced with a feature that the device doesn’t support, it see the new feature is not offered.
Feature bits are allocated as follows:
In particular, new fields in the device configuration space are indicated by offering a new feature bit.
The driver MUST NOT accept a feature which the device did not offer, and MUST NOT accept a feature which requires another feature which was not accepted.
The driver SHOULD go into backwards compatibility mode if the device does not offer a feature it understands, otherwise MUST set the FAILED device status bit and cease initialization.
The device MUST NOT offer a feature which requires another feature which was not offered. The device SHOULD accept any valid subset of features the driver accepts, otherwise it MUST fail to set the FEATURES_OK device status bit when the driver writes it.
If a device has successfully negotiated a set of features at least once (by accepting the FEATURES_OK device status bit during device initialization), then it SHOULD NOT fail re-negotiation of the same set of features after a device or system reset. Failure to do so would interfere with resuming from suspend and error recovery.
Transitional Drivers MUST detect Legacy Devices by detecting that the feature bit VIRTIO_F_VERSION_1 is not offered. Transitional devices MUST detect Legacy drivers by detecting that VIRTIO_F_VERSION_1 has not been acknowledged by the driver.
In this case device is used through the legacy interface.
Legacy interface support is OPTIONAL. Thus, both transitional and non-transitional devices and drivers are compliant with this specification.
Requirements pertaining to transitional devices and drivers is contained in sections named ’Legacy Interface’ like this one.
When device is used through the legacy interface, transitional devices and transitional drivers MUST operate according to the requirements documented within these legacy interface sections. Specification text within these sections generally does not apply to non-transitional devices.
The notion of sending a notification (driver to device or device to driver) plays an important role in this specification. The modus operandi of the notifications is transport specific.
There are three types of notifications:
Configuration change notifications and used buffer notifications are sent by the device, the recipient is the driver. A configuration change notification indicates that the device configuration space has changed; a used buffer notification indicates that a buffer may have been made used on the virtqueue designated by the notification.
Available buffer notifications are sent by the driver, the recipient is the device. This type of notification indicates that a buffer may have been made available on the virtqueue designated by the notification.
The semantics, the transport-specific implementations, and other important aspects of the different notifications are specified in detail in the following chapters.
Most transports implement notifications sent by the device to the driver using interrupts. Therefore, in previous versions of this specification, these notifications were often called interrupts. Some names defined in this specification still retain this interrupt terminology. Occasionally, the term event is used to refer to a notification or a receipt of a notification.
The driver may want to initiate a device reset at various times; notably, it is required to do so during device initialization and device cleanup.
The mechanism used by the driver to initiate the reset is transport specific.
A device MUST reinitialize device status to 0 after receiving a reset.
A device MUST NOT send notifications or interact with the queues after indicating completion of the reset by reinitializing device status to 0, until the driver re-initializes the device.
The driver SHOULD consider a driver-initiated reset complete when it reads device status as 0.
Device configuration space is generally used for rarely-changing or initialization-time parameters. Where configuration fields are optional, their existence is indicated by feature bits: Future versions of this specification will likely extend the device configuration space by adding extra fields at the tail. Note: The device configuration space uses the little-endian format for multi-byte fields.
Each transport also provides a generation count for the device configuration space, which will change whenever there is a possibility that two accesses to the device configuration space can see different versions of that space.
Drivers MUST NOT assume reads from fields greater than 32 bits wide are atomic, nor are reads from multiple fields: drivers SHOULD read device configuration space fields like so:
For optional configuration space fields, the driver MUST check that the corresponding feature is offered before accessing that part of the configuration space. Note: See section 3.1 for details on feature negotiation.
Drivers MUST NOT limit structure size and device configuration space size. Instead, drivers SHOULD only check that device configuration space is large enough to contain the fields necessary for device operation. Note: For example, if the specification states that device configuration space ’includes a single 8-bit field’ drivers should understand this to mean that the device configuration space might also include an arbitrary amount of tail padding, and accept any device configuration space size equal to or greater than the specified 8-bit size.
The device MUST allow reading of any device-specific configuration field before FEATURES_OK is set by the driver. This includes fields which are conditional on feature bits, as long as those feature bits are offered by the device.
Note that for legacy interfaces, device configuration space is generally the guest’s native endian, rather than PCI’s little-endian. The correct endian-ness is documented for each device.
Legacy devices did not have a configuration generation field, thus are susceptible to race conditions if configuration is updated. This affects the block capacity (see 5.2.4) and network mac (see 5.1.4) fields; when using the legacy interface, drivers SHOULD read these fields multiple times until two reads generate a consistent result.
The mechanism for bulk data transport on virtio devices is pretentiously called a virtqueue. Each device can have zero or more virtqueues3.
Driver makes requests available to device by adding an available buffer to the queue, i.e., adding a buffer describing the request to a virtqueue, and optionally triggering a driver event, i.e., sending an available buffer notification to the device.
Device executes the requests and - when complete - adds a used buffer to the queue, i.e., lets the driver know by marking the buffer as used. Device can then trigger a device event, i.e., send a used buffer notification to the driver.
Device reports the number of bytes it has written to memory for each buffer it uses. This is referred to as “used length”.
Device is not generally required to use buffers in the same order in which they have been made available by the driver.
Some devices always use descriptors in the same order in which they have been made available. These devices can offer the VIRTIO_F_IN_ORDER feature. If negotiated, this knowledge might allow optimizations or simplify driver and/or device code.
Each virtqueue can consist of up to 3 parts:
Two formats are supported: Split Virtqueues (see 2.7 Split Virtqueues) and Packed Virtqueues (see 2.8 Packed Virtqueues).
Every driver and device supports either the Packed or the Split Virtqueue format, or both.
When VIRTIO_F_RING_RESET is negotiated, the driver can reset a virtqueue individually. The way to reset the virtqueue is transport specific.
Virtqueue reset is divided into two parts. The driver first resets a queue and can afterwards optionally re-enable it.
The device MUST reset any state of a virtqueue to the default state, including the available state and the used state.
After the queue has been successfully reset, the driver MAY release any resource associated with that virtqueue.
This process is the same as the initialization process of a single queue during the initialization of the entire device.
The split virtqueue format was the only format supported by the version 1.0 (and earlier) of this standard.
The split virtqueue format separates the virtqueue into several parts, where each part is write-able by either the driver or the device, but not both. Multiple parts and/or locations within a part need to be updated when making a buffer available and when marking it as used.
Each queue has a 16-bit queue size parameter, which sets the number of entries and implies the total size of the queue.
Each virtqueue consists of three parts:
where each part is physically-contiguous in guest memory, and has different alignment requirements.
The memory alignment and size requirements, in bytes, of each part of the virtqueue are summarized in the following table:
| Virtqueue Part | Alignment | Size |
| Descriptor Table | 16 | 16∗(Queue Size) |
| Available Ring | 2 | 6 + 2∗(Queue Size) |
| Used Ring | 4 | 6 + 8∗(Queue Size) |
The Alignment column gives the minimum alignment for each part of the virtqueue.
The Size column gives the total number of bytes for each part of the virtqueue.
Queue Size corresponds to the maximum number of buffers in the virtqueue4. Queue Size value is always a power of 2. The maximum Queue Size value is 32768. This value is specified in a bus-specific way.
When the driver wants to send a buffer to the device, it fills in a slot in the descriptor table (or chains several together), and writes the descriptor index into the available ring. It then notifies the device. When the device has finished a buffer, it writes the descriptor index into the used ring, and sends a used buffer notification.
The driver MUST ensure that the physical address of the first byte of each virtqueue part is a multiple of the specified alignment value in the above table.
For Legacy Interfaces, several additional restrictions are placed on the virtqueue layout:
Each virtqueue occupies two or more physically-contiguous pages (usually defined as 4096 bytes, but depending on the transport; henceforth referred to as Queue Align) and consists of three parts:
| Descriptor Table | Available Ring (…padding…) | Used Ring |
The bus-specific Queue Size field controls the total number of bytes for the virtqueue. When using the legacy interface, the transitional driver MUST retrieve the Queue Size field from the device and MUST allocate the total number of bytes for the virtqueue according to the following formula (Queue Align given in qalign and Queue Size given in qsz):
This wastes some space with padding. When using the legacy interface, both transitional devices and drivers MUST use the following virtqueue layout structure to locate elements of the virtqueue:
Note that when using the legacy interface, transitional devices and drivers MUST use the native endian of the guest as the endian of fields and in the virtqueue. This is opposed to little-endian for non-legacy interface as specified by this standard. It is assumed that the host is already aware of the guest endian.
The framing of messages with descriptors is independent of the contents of the buffers. For example, a network transmit buffer consists of a 12 byte header followed by the network packet. This could be most simply placed in the descriptor table as a 12 byte output descriptor followed by a 1514 byte output descriptor, but it could also consist of a single 1526 byte output descriptor in the case where the header and packet are adjacent, or even three or more descriptors (possibly with loss of efficiency in that case).
Note that, some device implementations have large-but-reasonable restrictions on total descriptor size (such as based on IOV_MAX in the host OS). This has not been a problem in practice: little sympathy will be given to drivers which create unreasonably-sized descriptors such as by dividing a network packet into 1500 single-byte descriptors!
The device MUST NOT make assumptions about the particular arrangement of descriptors. The device MAY have a reasonable limit of descriptors it will allow in a chain.
The driver MUST place any device-writable descriptor elements after any device-readable descriptor elements.
The driver SHOULD NOT use an excessive number of descriptors to describe a buffer.
Regrettably, initial driver implementations used simple layouts, and devices came to rely on it, despite this specification wording. In addition, the specification for virtio_blk SCSI commands required intuiting field lengths from frame boundaries (see 5.2.6.3 Legacy Interface: Device Operation)
Thus when using the legacy interface, the VIRTIO_F_ANY_LAYOUT feature indicates to both the device and the driver that no assumptions were made about framing. Requirements for transitional drivers when this is not negotiated are included in each device section.
The descriptor table refers to the buffers the driver is using for the device. addr is a physical address, and the buffers can be chained via next. Each descriptor describes a buffer which is read-only for the device (“device-readable”) or write-only for the device (“device-writable”), but a chain of descriptors can contain both device-readable and device-writable buffers.
The actual contents of the memory offered to the device depends on the device type. Most common is to begin the data with a header (containing little-endian fields) for the device to read, and postfix it with a status tailer for the device to write.
The number of descriptors in the table is defined by the queue size for this virtqueue: this is the maximum possible descriptor chain length.
If VIRTIO_F_IN_ORDER has been negotiated, driver uses descriptors in ring order: starting from offset 0 in the table, and wrapping around at the end of the table. Note: The legacy [Virtio PCI Draft] referred to this structure as vring_desc, and the constants as VRING_DESC_F_NEXT, etc, but the layout and values were identical.
A device MUST NOT write to a device-readable buffer, and a device SHOULD NOT read a device-writable buffer (it MAY do so for debugging or diagnostic purposes). A device MUST NOT write to any descriptor table entry.
Drivers MUST NOT add a descriptor chain longer than 232 bytes in total; this implies that loops in the descriptor chain are forbidden!
If VIRTIO_F_IN_ORDER has been negotiated, and when making a descriptor with VRING_DESC_F_NEXT set in flags at offset x in the table available to the device, driver MUST set next to 0 for the last descriptor in the table (where x = queue_size − 1) and to x + 1 for the rest of the descriptors.
Some devices benefit by concurrently dispatching a large number of large requests. The VIRTIO_F_INDIRECT_DESC feature allows this (see A virtio_queue.h). To increase ring capacity the driver can store a table of indirect descriptors anywhere in memory, and insert a descriptor in main virtqueue (with flags&VIRTQ_DESC_F_INDIRECT on) that refers to memory buffer containing this indirect descriptor table; addr and len refer to the indirect table address and length in bytes, respectively.
The indirect table layout structure looks like this (len is the length of the descriptor that refers to this table, which is a variable, so this code won’t compile):
The first indirect descriptor is located at start of the indirect descriptor table (index 0), additional indirect descriptors are chained by next. An indirect descriptor without a valid next (with flags&VIRTQ_DESC_F_NEXT off) signals the end of the descriptor. A single indirect descriptor table can include both device-readable and device-writable descriptors.
If VIRTIO_F_IN_ORDER has been negotiated, indirect descriptors use sequential indices, in-order: index 0 followed by index 1 followed by index 2, etc.
A driver MUST NOT create a descriptor chain longer than the Queue Size of the device.
A driver MUST NOT set both VIRTQ_DESC_F_INDIRECT and VIRTQ_DESC_F_NEXT in flags.
If VIRTIO_F_IN_ORDER has been negotiated, indirect descriptors MUST appear sequentially, with next taking the value of 1 for the 1st descriptor, 2 for the 2nd one, etc.
The device MUST handle the case of zero or more normal chained descriptors followed by a single descriptor with flags&VIRTQ_DESC_F_INDIRECT. Note: While unusual (most implementations either create a chain solely using non-indirect descriptors, or use a single indirect element), such a layout is valid.
The available ring has the following layout structure:
The driver uses the available ring to offer buffers to the device: each ring entry refers to the head of a descriptor chain. It is only written by the driver and read by the device.
idx field indicates where the driver would put the next descriptor entry in the ring (modulo the queue size). This starts at 0, and increases. Note: The legacy [Virtio PCI Draft] referred to this structure as vring_avail, and the constant as VRING_AVAIL_F_NO_INTERRUPT, but the layout and value were identical.
A driver MUST NOT decrement the available idx on a virtqueue (ie. there is no way to “unexpose” buffers).
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated, the flags field in the available ring offers a crude mechanism for the driver to inform the device that it doesn’t want notifications when buffers are used. Otherwise used_event is a more performant alternative where the driver specifies how far the device can progress before a notification is required.
Neither of these notification suppression methods are reliable, as they are not synchronized with the device, but they serve as useful optimizations.
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
The driver MUST handle spurious notifications from the device.
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
VIRTIO_F_EVENT_IDX would send a used buffer notification to the driver after the first buffer is used (and again after the 65536th buffer, etc).
The used ring has the following layout structure:
The used ring is where the device returns buffers once it is done with them: it is only written to by the device, and read by the driver.
Each entry in the ring is a pair: id indicates the head entry of the descriptor chain describing the buffer (this matches an entry placed in the available ring by the guest earlier), and len the total of bytes written into the buffer. Note: len is particularly useful for drivers using untrusted buffers: if a driver does not know exactly how much has been written by the device, the driver would have to zero the buffer in advance to ensure no data leakage occurs.
For example, a network driver may hand a received buffer directly to an unprivileged userspace application. If the network device has not overwritten the bytes which were in that buffer, this could leak the contents of freed memory from other processes to the application.
idx field indicates where the device would put the next descriptor entry in the ring (modulo the queue size). This starts at 0, and increases. Note: The legacy [Virtio PCI Draft] referred to these structures as vring_used and vring_used_elem, and the constant as VRING_USED_F_NO_NOTIFY, but the layout and value were identical.
Historically, many drivers ignored the len value, as a result, many devices set len incorrectly. Thus, when using the legacy interface, it is generally a good idea to ignore the len value in used ring entries if possible. Specific known issues are listed per device type.
The device MUST set len prior to updating the used idx.
The device MUST write at least len bytes to descriptor, beginning at the first device-writable buffer, prior to updating the used idx.
The device MAY write more than len bytes to descriptor. Note: There are potential error cases where a device might not know what parts of the buffers have been written. This is why len is permitted to be an underestimate: that’s preferable to the driver believing that uninitialized memory has been overwritten when it has not.
The driver MUST NOT make assumptions about data in device-writable buffers beyond the first len bytes, and SHOULD ignore this data.
Some devices always use descriptors in the same order in which they have been made available. These devices can offer the VIRTIO_F_IN_ORDER feature. If negotiated, this knowledge allows devices to notify the use of a batch of buffers to the driver by only writing out a single used ring entry with the id corresponding to the head entry of the descriptor chain describing the last buffer in the batch.
The device then skips forward in the ring according to the size of the batch. Accordingly, it increments the used idx by the size of the batch.
The driver needs to look up the used id and calculate the batch size to be able to advance to where the next used ring entry will be written by the device.
This will result in the used ring entry at an offset matching the first available ring entry in the batch, the used ring entry for the next batch at an offset matching the first available ring entry in the next batch, etc.
The skipped buffers (for which no used ring entry was written) are assumed to have been used (read or written) by the device completely.
The device can suppress available buffer notifications in a manner analogous to the way drivers can suppress used buffer notifications as detailed in section 2.7.7. The device manipulates flags or avail_event in the used ring the same way the driver manipulates flags or used_event in the available ring.
The driver MUST initialize flags in the used ring to 0 when allocating the used ring.
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
The device MUST handle spurious notifications from the driver.
The Linux Kernel Source code contains the definitions above and helper routines in a more usable form, in include/uapi/linux/virtio_ring.h. This was explicitly licensed by IBM and Red Hat under the (3-clause) BSD license so that it can be freely used by all other projects, and is reproduced (with slight variation) in A virtio_queue.h.
There are two parts to virtqueue operation: supplying new available buffers to the device, and processing used buffers from the device. Note: As an example, the simplest virtio network device has two virtqueues: the transmit virtqueue and the receive virtqueue. The driver adds outgoing (device-readable) packets to the transmit virtqueue, and then frees them after they are used. Similarly, incoming (device-writable) buffers are added to the receive virtqueue, and processed after they are used.
What follows is the requirements of each of these two parts when using the split virtqueue format in more detail.
The driver offers buffers to one of the device’s virtqueues as follows:
Note that the above code does not take precautions against the available ring buffer wrapping around: this is not possible since the ring buffer is the same size as the descriptor table, so step (1) will prevent such a condition.
In addition, the maximum queue size is 32768 (the highest power of 2 which fits in 16 bits), so the 16-bit idx value can always distinguish between a full and empty buffer.
What follows is the requirements of each stage in more detail.
A buffer consists of zero or more device-readable physically-contiguous elements followed by zero or more physically-contiguous device-writable elements (each has at least one element). This algorithm maps it into the descriptor table to form a descriptor chain:
for each buffer element, b:
In practice, d.next is usually used to chain free descriptors, and a separate count kept to check there are enough free descriptors before beginning the mappings.
The descriptor chain head is the first d in the algorithm above, ie. the index of the descriptor table entry referring to the first part of the buffer. A naive driver implementation MAY do the following (with the appropriate conversion to-and-from little-endian assumed):
However, in general the driver MAY add many descriptor chains before it updates idx (at which point they become visible to the device), so it is common to keep a counter of how many the driver has added:
idx always increments, and wraps naturally at 65536:
Once available idx is updated by the driver, this exposes the descriptor and its contents. The device MAY access the descriptor chains the driver created and the memory they refer to immediately.
The actual method of device notification is bus-specific, but generally it can be expensive. So the device MAY suppress such notifications if it doesn’t need them, as detailed in section 2.7.10.
The driver has to be careful to expose the new idx value before checking if notifications are suppressed.
Once the device has used buffers referred to by a descriptor (read from or written to them, or parts of both, depending on the nature of the virtqueue and the device), it sends a used buffer notification to the driver as detailed in section 2.7.7. Note:
For optimal performance, a driver MAY disable used buffer notifications while processing the used ring, but beware the problem of missing notifications between emptying the ring and reenabling notifications. This is usually handled by re-checking for more used buffers after notifications are re-enabled:
Packed virtqueues is an alternative compact virtqueue layout using read-write memory, that is memory that is both read and written by both host and guest.
Use of packed virtqueues is negotiated by the VIRTIO_F_RING_PACKED feature bit.
Packed virtqueues support up to 215 entries each.
With current transports, virtqueues are located in guest memory allocated by the driver. Each packed virtqueue consists of three parts:
Where the Descriptor Ring in turn consists of descriptors, and where each descriptor can contain the following parts:
A buffer consists of zero or more device-readable physically-contiguous elements followed by zero or more physically-contiguous device-writable elements (each buffer has at least one element).
When the driver wants to send such a buffer to the device, it writes at least one available descriptor describing elements of the buffer into the Descriptor Ring. The descriptor(s) are associated with a buffer by means of a Buffer ID stored within the descriptor.
The driver then notifies the device. When the device has finished processing the buffer, it writes a used device descriptor including the Buffer ID into the Descriptor Ring (overwriting a driver descriptor previously made available), and sends a used event notification.
The Descriptor Ring is used in a circular manner: the driver writes descriptors into the ring in order. After reaching the end of the ring, the next descriptor is placed at the head of the ring. Once the ring is full of driver descriptors, the driver stops sending new requests and waits for the device to start processing descriptors and to write out some used descriptors before making new driver descriptors available.
Similarly, the device reads descriptors from the ring in order and detects that a driver descriptor has been made available. As processing of descriptors is completed, used descriptors are written by the device back into the ring.
Note: after reading driver descriptors and starting their processing in order, the device might complete their processing out of order. Used device descriptors are written in the order in which their processing is complete.
The Device Event Suppression data structure is write-only by the device. It includes information for reducing the number of device events, i.e., sending fewer available buffer notifications to the device.
The Driver Event Suppression data structure is read-only by the device. It includes information for reducing the number of driver events, i.e., sending fewer used buffer notifications to the driver.
Each of the driver and the device are expected to maintain, internally, a single-bit ring wrap counter initialized to 1.
The counter maintained by the driver is called the Driver Ring Wrap Counter. The driver changes the value of this counter each time it makes available the last descriptor in the ring (after making the last descriptor available).
The counter maintained by the device is called the Device Ring Wrap Counter. The device changes the value of this counter each time it uses the last descriptor in the ring (after marking the last descriptor used).
It is easy to see that the Driver Ring Wrap Counter in the driver matches the Device Ring Wrap Counter in the device when both are processing the same descriptor, or when all available descriptors have been used.
To mark a descriptor as available and used, both the driver and the device use the following two flags:
To mark a descriptor as available, the driver sets the VIRTQ_DESC_F_AVAIL bit in Flags to match the internal Driver Ring Wrap Counter. It also sets the VIRTQ_DESC_F_USED bit to match the inverse value (i.e. to not match the internal Driver Ring Wrap Counter).
To mark a descriptor as used, the device sets the VIRTQ_DESC_F_USED bit in Flags to match the internal Device Ring Wrap Counter. It also sets the VIRTQ_DESC_F_AVAIL bit to match the same value.
Thus VIRTQ_DESC_F_AVAIL and VIRTQ_DESC_F_USED bits are different for an available descriptor and equal for a used descriptor.
Note that this observation is mostly useful for sanity-checking as these are necessary but not sufficient conditions - for example, all descriptors are zero-initialized. To detect used and available descriptors it is possible for drivers and devices to keep track of the last observed value of VIRTQ_DESC_F_USED/VIRTQ_DESC_F_AVAIL. Other techniques to detect VIRTQ_DESC_F_AVAIL/VIRTQ_DESC_F_USED bit changes might also be possible.
Writes of device and driver descriptors can generally be reordered, but each side (driver and device) are only required to poll (or test) a single location in memory: the next device descriptor after the one they processed previously, in circular order.
Sometimes the device needs to only write out a single used descriptor after processing a batch of multiple available descriptors. As described in more detail below, this can happen when using descriptor chaining or with in-order use of descriptors. In this case, the device writes out a used descriptor with the buffer id of the last descriptor in the group. After processing the used descriptor, both device and driver then skip forward in the ring the number of the remaining descriptors in the group until processing (reading for the driver and writing for the device) the next used descriptor.
In an available descriptor, the VIRTQ_DESC_F_WRITE bit within Flags is used to mark a descriptor as corresponding to a write-only or read-only element of a buffer.
In a used descriptor, this bit is used to specify whether any data has been written by the device into any parts of the buffer.
In an available descriptor, Element Address corresponds to the physical address of the buffer element. The length of the element assumed to be physically contiguous is stored in Element Length.
In a used descriptor, Element Address is unused. Element Length specifies the length of the buffer that has been initialized (written to) by the device.
Element Length is reserved for used descriptors without the VIRTQ_DESC_F_WRITE flag, and is ignored by drivers.
Some drivers need an ability to supply a list of multiple buffer elements (also known as a scatter/gather list) with a request. Two features support this: descriptor chaining and indirect descriptors.
If neither feature is in use by the driver, each buffer is physically-contiguous, either read-only or write-only and is described completely by a single descriptor.
While unusual (most implementations either create all lists solely using non-indirect descriptors, or always use a single indirect element), if both features have been negotiated, mixing indirect and non-indirect descriptors in a ring is valid, as long as each list only contains descriptors of a given type.
Scatter/gather lists only apply to available descriptors. A single used descriptor corresponds to the whole list.
The device limits the number of descriptors in a list through a transport-specific and/or device-specific value. If not limited, the maximum number of descriptors in a list is the virt queue size.
The packed ring format allows the driver to supply a scatter/gather list to the device by using multiple descriptors, and setting the VIRTQ_DESC_F_NEXT bit in Flags for all but the last available descriptor.
Buffer ID is included in the last descriptor in the list.
The driver always makes the first descriptor in the list available after the rest of the list has been written out into the ring. This guarantees that the device will never observe a partial scatter/gather list in the ring.
Note: all flags, including VIRTQ_DESC_F_AVAIL, VIRTQ_DESC_F_USED, VIRTQ_DESC_F_WRITE must be set/cleared correctly in all descriptors in the list, not just the first one.
The device only writes out a single used descriptor for the whole list. It then skips forward according to the number of descriptors in the list. The driver needs to keep track of the size of the list corresponding to each buffer ID, to be able to skip to where the next used descriptor is written by the device.
For example, if descriptors are used in the same order in which they are made available, this will result in the used descriptor overwriting the first available descriptor in the list, the used descriptor for the next list overwriting the first available descriptor in the next list, etc.
VIRTQ_DESC_F_NEXT is reserved in used descriptors, and should be ignored by drivers.
Some devices benefit by concurrently dispatching a large number of large requests. The VIRTIO_F_INDIRECT_DESC feature allows this. To increase ring capacity the driver can store a (read-only by the device) table of indirect descriptors anywhere in memory, and insert a descriptor in the main virtqueue (with Flags bit VIRTQ_DESC_F_INDIRECT on) that refers to a buffer element containing this indirect descriptor table; addr and len refer to the indirect table address and length in bytes, respectively.
The indirect table layout structure looks like this (len is the Buffer Length of the descriptor that refers to this table, which is a variable):
The first descriptor is located at the start of the indirect descriptor table, additional indirect descriptors come immediately afterwards. The VIRTQ_DESC_F_WRITE flags bit is the only valid flag for descriptors in the indirect table. Others are reserved and are ignored by the device. Buffer ID is also reserved and is ignored by the device.
In descriptors with VIRTQ_DESC_F_INDIRECT set VIRTQ_DESC_F_WRITE is reserved and is ignored by the device.
Some devices always use descriptors in the same order in which they have been made available. These devices can offer the VIRTIO_F_IN_ORDER feature. If negotiated, this knowledge allows devices to notify the use of a batch of buffers to the driver by only writing out a single used descriptor with the Buffer ID corresponding to the last descriptor in the batch.
The device then skips forward in the ring according to the size of the batch. The driver needs to look up the used Buffer ID and calculate the batch size to be able to advance to where the next used descriptor will be written by the device.
This will result in the used descriptor overwriting the first available descriptor in the batch, the used descriptor for the next batch overwriting the first available descriptor in the next batch, etc.
The skipped buffers (for which no used descriptor was written) are assumed to have been used (read or written) by the device completely.
Some devices combine multiple buffers as part of processing of a single request. These devices always mark the descriptor corresponding to the first buffer in the request used after the rest of the descriptors (corresponding to rest of the buffers) in the request - which follow the first descriptor in ring order - has been marked used and written out into the ring. This guarantees that the driver will never observe a partial request in the ring.
In many systems used and available buffer notifications involve significant overhead. To mitigate this overhead, each virtqueue includes two identical structures used for controlling notifications between the device and the driver.
The Driver Event Suppression structure is read-only by the device and controls the used buffer notifications sent by the device to the driver.
The Device Event Suppression structure is read-only by the driver and controls the available buffer notifications sent by the driver to the device.
Each of these Event Suppression structures includes the following fields:
After writing out some descriptors, both the device and the driver are expected to consult the relevant structure to find out whether a used respectively an available buffer notification should be sent.
Each part of the virtqueue is physically-contiguous in guest memory, and has different alignment requirements.
The memory alignment and size requirements, in bytes, of each part of the virtqueue are summarized in the following table:
| Virtqueue Part | Alignment | Size |
| Descriptor Ring | 16 | 16∗(Queue Size) |
| Device Event Suppression | 4 | 4 |
| Driver Event Suppression | 4 | 4 |
The Alignment column gives the minimum alignment for each part of the virtqueue.
The Size column gives the total number of bytes for each part of the virtqueue.
Queue Size corresponds to the maximum number of descriptors in the virtqueue5. The Queue Size value does not have to be a power of 2.
The driver MUST ensure that the physical address of the first byte of each virtqueue part is a multiple of the specified alignment value in the above table.
The device MUST start processing driver descriptors in the order in which they appear in the ring. The device MUST start writing device descriptors into the ring in the order in which they complete. The device MAY reorder descriptor writes once they are started.
The available descriptor refers to the buffers the driver is sending to the device. addr is a physical address, and the descriptor is identified with a buffer using the id field.
The descriptor ring is zero-initialized.
The following structure is used to reduce the number of notifications sent between driver and device.
A device MUST NOT write to a device-readable buffer, and a device SHOULD NOT read a device-writable buffer. A device MUST NOT use a descriptor unless it observes the VIRTQ_DESC_F_AVAIL bit in its flags being changed (e.g. as compared to the initial zero value). A device MUST NOT change a descriptor after changing it’s the VIRTQ_DESC_F_USED bit in its flags.
A driver MUST NOT change a descriptor unless it observes the VIRTQ_DESC_F_USED bit in its flags being changed. A driver MUST NOT change a descriptor after changing the VIRTQ_DESC_F_AVAIL bit in its flags. When notifying the device, driver MUST set next_off and next_wrap to match the next descriptor not yet made available to the device. A driver MAY send multiple available buffer notifications without making any new descriptors available to the device.
A driver MUST NOT create a descriptor list longer than allowed by the device.
A driver MUST NOT create a descriptor list longer than the Queue Size.
This implies that loops in the descriptor list are forbidden!
The driver MUST place any device-writable descriptor elements after any device-readable descriptor elements.
A driver MUST NOT depend on the device to use more descriptors to be able to write out all descriptors in a list. A driver MUST make sure there’s enough space in the ring for the whole list before making the first descriptor in the list available to the device.
A driver MUST NOT make the first descriptor in the list available before all subsequent descriptors comprising the list are made available.
The device MUST use descriptors in a list chained by the VIRTQ_DESC_F_NEXT flag in the same order that they were made available by the driver.
The device MAY limit the number of buffers it will allow in a list.
The driver MUST NOT set the VIRTQ_DESC_F_INDIRECT flag unless the VIRTIO_F_INDIRECT_DESC feature was negotiated. The driver MUST NOT set any flags except DESC_F_WRITE within an indirect descriptor.
A driver MUST NOT create a descriptor chain longer than allowed by the device.
A driver MUST NOT write direct descriptors with VIRTQ_DESC_F_INDIRECT set in a scatter-gather list linked by VIRTQ_DESC_F_NEXT. flags.
There are two parts to virtqueue operation: supplying new available buffers to the device, and processing used buffers from the device.
What follows is the requirements of each of these two parts when using the packed virtqueue format in more detail.
The driver offers buffers to one of the device’s virtqueues as follows:
What follows are the requirements of each stage in more detail.
For each buffer element, b:
This makes a single descriptor buffer available. However, in general the driver MAY make use of a batch of descriptors as part of a single request. In that case, it defers updating the descriptor flags for the first descriptor (and the previous memory barrier) until after the rest of the descriptors have been initialized.
Once the descriptor flags field is updated by the driver, this exposes the descriptor and its contents. The device MAY access the descriptor and any following descriptors the driver created and the memory they refer to immediately.
The actual method of device notification is bus-specific, but generally it can be expensive. So the device MAY suppress such notifications if it doesn’t need them, using the Event Suppression structure comprising the Device Area as detailed in section 2.8.14.
The driver has to be careful to expose the new flags value before checking if notifications are suppressed.
Below is a driver code example. It does not attempt to reduce the number of available buffer notifications, neither does it support the VIRTIO_F_EVENT_IDX feature.
Once the device has used buffers referred to by a descriptor (read from or written to them, or parts of both, depending on the nature of the virtqueue and the device), it sends a used buffer notification to the driver as detailed in section 2.8.14. Note:
For optimal performance, a driver MAY disable used buffer notifications while processing the used buffers, but beware the problem of missing notifications between emptying the ring and reenabling used buffer notifications. This is usually handled by re-checking for more used buffers after notifications are re-enabled:
The driver is sometimes required to send an available buffer notification to the device.
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, this notification involves sending the virtqueue number to the device (method depending on the transport).
However, some devices benefit from the ability to find out the amount of available data in the queue without accessing the virtqueue in memory: for efficiency or as a debugging aid.
To help with these optimizations, when VIRTIO_F_NOTIFICATION_DATA has been negotiated, driver notifications to the device include the following information:
Note that the driver can send multiple notifications even without making any more buffers available. When VIRTIO_F_NOTIFICATION_DATA has been negotiated, these notifications would then have identical next_off and next_wrap values.
Shared memory regions are an additional facility available to devices that need a region of memory that’s continuously shared between the device and the driver, rather than passed between them in the way virtqueue elements are.
Example uses include shared caches and version pools for versioned data structures.
The memory region is allocated by the device and presented to the driver. Where the device is implemented in software on a host, this arrangement allows the memory region to be allocated by a library on the host, which the device may not have full control over.
A device may have multiple shared memory regions associated with it. Each region has a shmid to identify it, the meaning of which is device-specific.
Enumeration and location of shared memory regions is performed in a transport-specific way.
Memory consistency rules vary depending on the region and the device and they will be specified as required by each device.
References into shared memory regions are represented as offsets from the beginning of the region instead of absolute memory addresses. Offsets are used both for references between structures stored within shared memory and for requests placed in virtqueues that refer to shared memory. The shmid may be explicit or may be inferred from the context of the reference.
Shared memory regions MUST NOT expose shared memory regions which are used to control the operation of the device, nor to stream data.
When an object created by one virtio device needs to be shared with a seperate virtio device, the first device can export the object by generating a UUID which can then be passed to the second device to identify the object.
What constitutes an object, how to export objects, and how to import objects are defined by the individual device types. It is RECOMMENDED that devices generate version 4 UUIDs as specified by [RFC4122].
The driver MUST follow this sequence to initialize a device:
If any of these steps go irrecoverably wrong, the driver SHOULD set the FAILED status bit to indicate that it has given up on the device (it can reset the device later to restart if desired). The driver MUST NOT continue initialization in that case.
The driver MUST NOT send any buffer available notifications to the device before setting DRIVER_OK.
Legacy devices did not support the FEATURES_OK status bit, and thus did not have a graceful way for the device to indicate unsupported feature combinations. They also did not provide a clear mechanism to end feature negotiation, which meant that devices finalized features on first-use, and no features could be introduced which radically changed the initial operation of the device.
Legacy driver implementations often used the device before setting the DRIVER_OK bit, and sometimes even before writing the feature bits to the device.
The result was the steps 5 and 6 were omitted, and steps 4, 7 and 8 were conflated.
Therefore, when using the legacy interface:
When operating the device, each field in the device configuration space can be changed by either the driver or the device.
Whenever such a configuration change is triggered by the device, driver is notified. This makes it possible for drivers to cache device configuration, avoiding expensive configuration reads unless notified.
For devices where the device-specific configuration information can be changed, a configuration change notification is sent when a device-specific configuration change occurs.
In addition, this notification is triggered by the device setting DEVICE_NEEDS_RESET (see 2.1.2).
Once the driver has set the DRIVER_OK status bit, all the configured virtqueue of the device are considered live. None of the virtqueues of a device are live once the device has been reset.
A driver MUST NOT alter virtqueue entries for exposed buffers, i.e., buffers which have been made available to the device (and not been used by the device) of a live virtqueue.
Thus a driver MUST ensure a virtqueue isn’t live (by device reset) before removing exposed buffers.
Virtio devices are commonly implemented as PCI devices.
A Virtio device can be implemented as any kind of PCI device: a Conventional PCI device or a PCI Express device. To assure designs meet the latest level requirements, see the PCI-SIG home page at http://www.pcisig.com for any approved changes.
A Virtio device using Virtio Over PCI Bus MUST expose to guest an interface that meets the specification requirements of the appropriate PCI specification: [PCI] and [PCIe] respectively.
Any PCI device with PCI Vendor ID 0x1AF4, and PCI Device ID 0x1000 through 0x107F inclusive is a virtio device. The actual value within this range indicates which virtio device is supported by the device. The PCI Device ID is calculated by adding 0x1040 to the Virtio Device ID, as indicated in section 5. Additionally, devices MAY utilize a Transitional PCI Device ID range, 0x1000 to 0x103F depending on the device type.
Devices MUST have the PCI Vendor ID 0x1AF4. Devices MUST either have the PCI Device ID calculated by adding 0x1040 to the Virtio Device ID, as indicated in section 5 or have the Transitional PCI Device ID depending on the device type, as follows:
| Transitional PCI Device ID | Virtio Device |
| 0x1000 | network card |
| 0x1001 | block device |
| 0x1002 | memory ballooning (traditional) |
| 0x1003 | console |
| 0x1004 | SCSI host |
| 0x1005 | entropy source |
| 0x1009 | 9P transport |
For example, the network card device with the Virtio Device ID 1 has the PCI Device ID 0x1041 or the Transitional PCI Device ID 0x1000.
The PCI Subsystem Vendor ID and the PCI Subsystem Device ID MAY reflect the PCI Vendor and Device ID of the environment (for informational purposes by the driver).
Non-transitional devices SHOULD have a PCI Device ID in the range 0x1040 to 0x107f. Non-transitional devices SHOULD have a PCI Revision ID of 1 or higher. Non-transitional devices SHOULD have a PCI Subsystem Device ID of 0x40 or higher.
This is to reduce the chance of a legacy driver attempting to drive the device.
Drivers MUST match devices with the PCI Vendor ID 0x1AF4 and the PCI Device ID in the range 0x1040 to 0x107f, calculated by adding 0x1040 to the Virtio Device ID, as indicated in section 5. Drivers for device types listed in section 4.1.2 MUST match devices with the PCI Vendor ID 0x1AF4 and the Transitional PCI Device ID indicated in section 4.1.2.
Drivers MUST match any PCI Revision ID value. Drivers MAY match any PCI Subsystem Vendor ID and any PCI Subsystem Device ID value.
Transitional devices MUST have a PCI Revision ID of 0. Transitional devices MUST have the PCI Subsystem Device ID matching the Virtio Device ID, as indicated in section 5. Transitional devices MUST have the Transitional PCI Device ID in the range 0x1000 to 0x103f.
This is to match legacy drivers.
The device is configured via I/O and/or memory regions (though see 4.1.4.9 for access via the PCI configuration space), as specified by Virtio Structure PCI Capabilities.
Fields of different sizes are present in the device configuration regions. All 64-bit, 32-bit and 16-bit fields are little-endian. 64-bit fields are to be treated as two 32-bit fields, with low 32 bit part followed by the high 32 bit part.
For device configuration access, the driver MUST use 8-bit wide accesses for 8-bit wide fields, 16-bit wide and aligned accesses for 16-bit wide fields and 32-bit wide and aligned accesses for 32-bit and 64-bit wide fields. For 64-bit fields, the driver MAY access each of the high and low 32-bit parts of the field independently.
For 64-bit device configuration fields, the device MUST allow driver independent access to high and low 32-bit parts of the field.
The virtio device configuration layout includes several structures:
Each structure can be mapped by a Base Address register (BAR) belonging to the function, or accessed via the special VIRTIO_PCI_CAP_PCI_CFG field in the PCI configuration space.
The location of each structure is specified using a vendor-specific PCI capability located on the capability list in PCI configuration space of the device. This virtio structure capability uses little-endian format; all fields are read-only for the driver unless stated otherwise:
This structure can be followed by extra data, depending on cfg_type, as documented below.
The fields are interpreted as follows:
Any other value is reserved for future use.
Each structure is detailed individually below.
The device MAY offer more than one structure of any type - this makes it possible for the device to expose multiple interfaces to drivers. The order of the capabilities in the capability list specifies the order of preference suggested by the device. A device may specify that this ordering mechanism be overridden by the use of the id field. Note: For example, on some hypervisors, notifications using IO accesses are faster than memory accesses. In this case, the device would expose two capabilities with cfg_type set to VIRTIO_PCI_CAP_NOTIFY_CFG: the first one addressing an I/O BAR, the second one addressing a memory BAR. In this example, the driver would use the I/O BAR if I/O resources are available, and fall back on memory BAR when I/O resources are unavailable.
Any other value is reserved for future use.
length MAY include padding, or fields unused by the driver, or future extensions. Note: For example, a future device might present a large structure size of several MBytes. As current devices never utilize structures larger than 4KBytes in size, driver MAY limit the mapped structure size to e.g. 4KBytes (thus ignoring parts of structure after the first 4KBytes) to allow forward compatibility with such devices without loss of functionality and without wasting resources.
A variant of this type, struct virtio_pci_cap64, is defined for those capabilities that require offsets or lengths larger than 4GiB:
Given that the cap.length and cap.offset fields are only 32 bit, the additional offset_hi and length_hi fields provide the most significant 32 bits of a total 64 bit offset and length within the BAR specified by cap.bar.
The driver MUST ignore any vendor-specific capability structure which has a reserved cfg_type value.
The driver SHOULD use the first instance of each virtio structure type they can support.
The driver MUST accept a cap_len value which is larger than specified here.
The driver MUST ignore any vendor-specific capability structure which has a reserved bar value.
The drivers SHOULD only map part of configuration structure large enough for device operation. The drivers MUST handle an unexpectedly large length, but MAY check that length is large enough for device operation.
The driver MUST NOT write into any field of the capability structure, with the exception of those with cap_type VIRTIO_PCI_CAP_PCI_CFG as detailed in 4.1.4.9.2.
The device MUST include any extra data (from the beginning of the cap_vndr field through end of the extra data fields if any) in cap_len. The device MAY append extra data or padding to any structure beyond that.
If the device presents multiple structures of the same type, it SHOULD order them from optimal (first) to least-optimal (last).
The common configuration structure is found at the bar and offset within the VIRTIO_PCI_CAP_COMMON_CFG capability; its layout is below.
The device MUST present at least one common configuration capability.
The device MUST present the feature bits it is offering in device_feature, starting at bit device_feature_select ∗ 32 for any device_feature_select written by the driver. Note: This means that it will present 0 for any device_feature_select other than 0 or 1, since no feature defined here exceeds 63.
The device MUST present any valid feature bits the driver has written in driver_feature, starting at bit driver_feature_select ∗ 32 for any driver_feature_select written by the driver. Valid feature bits are those which are subset of the corresponding device_feature bits. The device MAY present invalid bits written by the driver. Note: This means that a device can ignore writes for feature bits it never offers, and simply present 0 on reads. Or it can just mirror what the driver wrote (but it will still have to check them when the driver sets FEATURES_OK). Note: A driver shouldn’t write invalid bits anyway, as per 3.1.1, but this attempts to handle it.
The device MUST present a changed config_generation after the driver has read a device-specific configuration value which has changed since any part of the device-specific configuration was last read. Note: As config_generation is an 8-bit value, simply incrementing it on every configuration change could violate this requirement due to wrap. Better would be to set an internal flag when it has changed, and if that flag is set when the driver reads from the device-specific configuration, increment config_generation and clear the flag.
The device MUST reset when 0 is written to device_status, and present a 0 in device_status once that is done.
The device MUST present a 0 in queue_enable on reset.
If VIRTIO_F_RING_RESET has been negotiated, the device MUST present a 0 in queue_reset on reset.
If VIRTIO_F_RING_RESET has been negotiated, the device MUST present a 0 in queue_reset after the virtqueue is enabled with queue_enable.
The device MUST reset the queue when 1 is written to queue_reset. The device MUST continue to present 1 in queue_reset as long as the queue reset is ongoing. The device MUST present 0 in both queue_reset and queue_enable when queue reset has completed. (see 2.6.1).
The device MUST present a 0 in queue_size if the virtqueue corresponding to the current queue_select is unavailable.
If VIRTIO_F_RING_PACKED has not been negotiated, the device MUST present either a value of 0 or a power of 2 in queue_size.
If VIRTIO_F_RING_PACKED has been negotiated, the driver MUST NOT write the value 0 to queue_size. If VIRTIO_F_RING_PACKED has not been negotiated, the driver MUST NOT write a value which is not a power of 2 to queue_size.
The driver MUST configure the other virtqueue fields before enabling the virtqueue with queue_enable.
After writing 0 to device_status, the driver MUST wait for a read of device_status to return 0 before reinitializing the device.
The driver MUST NOT write a 0 to queue_enable.
If VIRTIO_F_RING_RESET has been negotiated, after the driver writes 1 to queue_reset to reset the queue, the driver MUST NOT consider queue reset to be complete until it reads back 0 in queue_reset. The driver MAY re-enable the queue by writing 1 to queue_enable after ensuring that other virtqueue fields have been set up correctly. The driver MAY set driver-writeable queue configuration values to different values than those that were used before the queue reset. (see 2.6.1).
The notification location is found using the VIRTIO_PCI_CAP_NOTIFY_CFG capability. This capability is immediately followed by an additional field, like so:
notify_off_multiplier is combined with the queue_notify_off to derive the Queue Notify address within a BAR for a virtqueue:
The cap.offset and notify_off_multiplier are taken from the notification capability structure above, and the queue_notify_off is taken from the common configuration structure. Note: For example, if notifier_off_multiplier is 0, the device uses the same Queue Notify address for all queues.
For devices not offering VIRTIO_F_NOTIFICATION_DATA:
The cap.offset MUST be 2-byte aligned.
The device MUST either present notify_off_multiplier as an even power of 2, or present notify_off_multiplier as 0.
The value cap.length presented by the device MUST be at least 2 and MUST be large enough to support queue notification offsets for all supported queues in all possible configurations.
For all queues, the value cap.length presented by the device MUST satisfy:
For devices offering VIRTIO_F_NOTIFICATION_DATA:
The device MUST either present notify_off_multiplier as a number that is a power of 2 that is also a multiple 4, or present notify_off_multiplier as 0.
The cap.offset MUST be 4-byte aligned.
The value cap.length presented by the device MUST be at least 4 and MUST be large enough to support queue notification offsets for all supported queues in all possible configurations.
For all queues, the value cap.length presented by the device MUST satisfy:
The VIRTIO_PCI_CAP_ISR_CFG capability refers to at least a single byte, which contains the 8-bit ISR status field to be used for INT#x interrupt handling.
The offset for the ISR status has no alignment requirements.
The ISR bits allow the driver to distinguish between device-specific configuration change interrupts and normal virtqueue interrupts:
| Bits | 0 | 1 | 2 to 31 |
| Purpose | Queue Interrupt | Device Configuration Interrupt | Reserved |
To avoid an extra access, simply reading this register resets it to 0 and causes the device to de-assert the interrupt.
In this way, driver read of ISR status causes the device to de-assert an interrupt.
See sections 4.1.5.3 and 4.1.5.4 for how this is used.
The device MUST set the Device Configuration Interrupt bit in ISR status before sending a device configuration change notification to the driver.
If MSI-X capability is disabled, the device MUST set the Queue Interrupt bit in ISR status before sending a virtqueue notification to the driver.
If MSI-X capability is disabled, the device MUST set the Interrupt Status bit in the PCI Status register in the PCI Configuration Header of the device to the logical OR of all bits in ISR status of the device. The device then asserts/deasserts INT#x interrupts unless masked according to standard PCI rules [PCI].
The device MUST reset ISR status to 0 on driver read.
The device MUST present at least one VIRTIO_PCI_CAP_DEVICE_CFG capability for any device type which has a device-specific configuration.
Shared memory regions 2.10 are enumerated on the PCI transport as a sequence of VIRTIO_PCI_CAP_SHARED_MEMORY_CFG capabilities, one per region.
The capability is defined by a struct virtio_pci_cap64 and utilises the cap.id to allow multiple shared memory regions per device. The identifier in cap.id does not denote a certain order of preference; it is only used to uniquely identify a region.
The cap.id MUST be unique for any one device instance.
The optional Vendor data capability allows the device to present vendor-specific data to the driver, without conflicts, for debugging and/or reporting purposes, and without conflicting with standard functionality.
This capability augments but does not replace the standard subsystem ID and subsystem vendor ID fields (offsets 0x2C and 0x2E in the PCI configuration space header) as specified by [PCI].
Vendor data capability is enumerated on the PCI transport as a VIRTIO_PCI_CAP_VENDOR_CFG capability.
The capability has the following structure:
Where vendor_id identifies the PCI-SIG assigned Vendor ID as specified by [PCI].
Note that the capability size is required to be a multiple of 4.
To make it safe for a generic driver to access the capability, reads from this capability MUST NOT have any side effects.
Devices CAN present multiple Vendor data capabilities with either different or identical vendor_id values.
The value vendor_id MUST NOT equal 0x1AF4.
The size of the Vendor data capability MUST be a multiple of 4 bytes.
Reads of the Vendor data capability by the driver MUST NOT have any side effects.
The driver MUST qualify the vendor_id before interpreting or writing into the Vendor data capability.
The VIRTIO_PCI_CAP_PCI_CFG capability creates an alternative (and likely suboptimal) access method to the common configuration, notification, ISR and device-specific configuration regions.
The capability is immediately followed by an additional field like so:
The fields cap.bar, cap.length, cap.offset and pci_cfg_data are read-write (RW) for the driver.
To access a device region, the driver writes into the capability structure (ie. within the PCI configuration space) as follows:
At that point, pci_cfg_data will provide a window of size cap.length into the given cap.bar at offset cap.offset.
Upon detecting driver write access to pci_cfg_data, the device MUST execute a write access at offset cap.offset at BAR selected by cap.bar using the first cap.length bytes from pci_cfg_data.
Upon detecting driver read access to pci_cfg_data, the device MUST execute a read access of length cap.length at offset cap.offset at BAR selected by cap.bar and store the first cap.length bytes in pci_cfg_data.
The driver MUST NOT read or write pci_cfg_data unless cap.bar, cap.length and cap.offset address cap.length bytes within a BAR range specified by some other Virtio Structure PCI Capability of type other than VIRTIO_PCI_CAP_PCI_CFG.
Transitional devices MUST present part of configuration registers in a legacy configuration structure in BAR0 in the first I/O region of the PCI device, as documented below. When using the legacy interface, transitional drivers MUST use the legacy configuration structure in BAR0 in the first I/O region of the PCI device, as documented below.
When using the legacy interface the driver MAY access the device-specific configuration region using any width accesses, and a transitional device MUST present driver with the same results as when accessed using the “natural” access method (i.e. 32-bit accesses for 32-bit fields, etc).
Note that this is possible because while the virtio common configuration structure is PCI (i.e. little) endian, when using the legacy interface the device-specific configuration region is encoded in the native endian of the guest (where such distinction is applicable).
When used through the legacy interface, the virtio common configuration structure looks as follows:
| Bits | 32 | 32 | 32 | 16 | 16 | 16 | 8 | 8 |
| Read / Write | R | R+W | R+W | R | R+W | R+W | R+W | R |
| Purpose | Device Features bits 0:31 | Driver Features bits 0:31 | Queue Address | queue_size | queue_select | Queue Notify | Device Status | ISR Status |
If MSI-X is enabled for the device, two additional fields immediately follow this header:
| Bits | 16 | 16 |
| Read/Write | R+W | R+W |
| Purpose (MSI-X) | config_msix_vector | queue_msix_vector |
Note: When MSI-X capability is enabled, device-specific configuration starts at byte offset 24 in virtio common configuration structure structure. When MSI-X capability is not enabled, device-specific configuration starts at byte offset 20 in virtio header. ie. once you enable MSI-X on the device, the other fields move. If you turn it off again, they move back!
Any device-specific configuration space immediately follows these general headers:
| Bits | Device Specific |
… |
| Read / Write | Device Specific | |
| Purpose | Device Specific | |
When accessing the device-specific configuration space using the legacy interface, transitional drivers MUST access the device-specific configuration space at an offset immediately following the general headers.
When using the legacy interface, transitional devices MUST present the device-specific configuration space if any at an offset immediately following the general headers.
Note that only Feature Bits 0 to 31 are accessible through the Legacy Interface. When used through the Legacy Interface, Transitional Devices MUST assume that Feature Bits 32 to 63 are not acknowledged by Driver.
As legacy devices had no config_generation field, see 2.5.4 Legacy Interface: Device Configuration Space for workarounds.
All known legacy drivers check either the PCI Revision or the Device and Vendor IDs, and thus won’t attempt to drive a non-transitional device.
A buggy legacy driver might mistakenly attempt to drive a non-transitional device. If support for such drivers is required (as opposed to fixing the bug), the following would be the recommended way to detect and handle them. Note: Such buggy drivers are not currently known to be used in production.
This documents PCI-specific steps executed during Device Initialization.
Legacy devices did not have the Virtio PCI Capability in their capability list.
Therefore:
Transitional devices MUST expose the Legacy Interface in I/O space in BAR0.
Transitional drivers MUST look for the Virtio PCI Capabilities on the capability list. If these are not present, driver MUST assume a legacy device, and use it through the legacy interface.
Non-transitional drivers MUST look for the Virtio PCI Capabilities on the capability list. If these are not present, driver MUST assume a legacy device, and fail gracefully.
Writing a valid MSI-X Table entry number, 0 to 0x7FF, to config_msix_vector/queue_msix_vector maps interrupts triggered by the configuration change/selected queue events respectively to the corresponding MSI-X vector. To disable interrupts for an event type, the driver unmaps this event by writing a special NO_VECTOR value:
Note that mapping an event to vector might require device to allocate internal device resources, and thus could fail.
Device MUST support mapping any event type to any valid vector 0 to MSI-X Table Size. Device MUST support unmapping any event type.
The device MUST return vector mapped to a given event, (NO_VECTOR if unmapped) on read of config_msix_vector/queue_msix_vector. The device MUST have all queue and configuration change events are unmapped upon reset.
Devices SHOULD NOT cause mapping an event to vector to fail unless it is impossible for the device to satisfy the mapping request. Devices MUST report mapping failures by returning the NO_VECTOR value when the relevant config_msix_vector/queue_msix_vector field is read.
Driver MAY intepret the Table Size as a hint from the device for the suggested number of MSI-X vectors to use.
Driver MUST NOT attempt to map an event to a vector outside the MSI-X Table supported by the device, as reported by Table Size in the MSI-X Capability.
After mapping an event to vector, the driver MUST verify success by reading the Vector field value: on success, the previously written value is returned, and on failure, NO_VECTOR is returned. If a mapping failure is detected, the driver MAY retry mapping with fewer vectors, disable MSI-X or report device failure.
The driver typically does this as follows, for each virtqueue a device has:
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the driver sends an available buffer notification to the device by writing the 16-bit virtqueue index of this virtqueue to the Queue Notify address.
When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the driver sends an available buffer notification to the device by writing the following 32-bit value to the Queue Notify address:
See 2.9 Driver Notifications for the definition of the components.
See 4.1.4.4 for how to calculate the Queue Notify address.
If a used buffer notification is necessary for a virtqueue, the device would typically act as follows:
Some virtio PCI devices can change the device configuration state, as reflected in the device-specific configuration region of the device. In this case:
A single interrupt MAY indicate both that one or more virtqueue has been used and that the configuration space has changed.
The driver interrupt handler would typically:
Virtual environments without PCI support (a common situation in embedded devices models) might use simple memory mapped device (“virtio-mmio”) instead of the PCI device.
The memory mapped virtio device behaviour is based on the PCI device specification. Therefore most operations including device initialization, queues configuration and buffer transfers are nearly identical. Existing differences are described in the following sections.
Unlike PCI, MMIO provides no generic device discovery mechanism. For each device, the guest OS will need to know the location of the registers and interrupt(s) used. The suggested binding for systems using flattened device trees is shown in this example:
MMIO virtio devices provide a set of memory mapped control registers followed by a device-specific configuration space, described in the table 4.1.
All register values are organized as Little Endian.
| Table 4.1: MMIO Device Register Layout | |
|
Name |
Function |
|
|
|
|
MagicValue |
Magic value |
|
Version |
Device version number
|
|
DeviceID |
Virtio Subsystem Device ID |
|
VendorID |
Virtio Subsystem Vendor ID |
|
DeviceFeatures |
Flags representing features the device supports |
|
DeviceFeaturesSel
|
Device (host) features word selection. |
|
DriverFeatures |
Flags representing device features understood and
activated by the driver |
|
DriverFeaturesSel
|
Activated (guest) features word selection |
|
QueueSel |
Virtual queue index |
|
QueueNumMax
|
Maximum virtual queue size |
|
QueueNum |
Virtual queue size |
|
QueueReady |
Virtual queue ready bit |
|
QueueNotify |
Queue notifier When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the value written is the queue index. When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the Notification data value has the following format: See 2.9 Driver Notifications for the definition of the components. |
|
InterruptStatus
|
Interrupt status
|
|
InterruptACK |
Interrupt acknowledge |
|
Status |
Device status |
|
QueueDescLow
|
Virtual queue’s Descriptor Area 64 bit long physical
address |
|
QueueDriverLow
|
Virtual queue’s Driver Area 64 bit long physical address
|
|
QueueDeviceLow
|
Virtual queue’s Device Area 64 bit long physical address
|
|
SHMSel |
Shared memory id |
|
|
|
|
SHMLenLow |
Shared memory region 64 bit long length |
|
SHMBaseLow |
Shared memory region 64 bit long physical address |
|
QueueReset |
Virtual queue reset bit |
|
ConfigGeneration
|
Configuration atomicity value |
|
Config |
Configuration space |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The device MUST return 0x74726976 in MagicValue.
The device MUST return value 0x2 in Version.
The device MUST present each event by setting the corresponding bit in InterruptStatus from the moment it takes place, until the driver acknowledges the interrupt by writing a corresponding bit mask to the InterruptACK register. Bits which do not represent events which took place MUST be zero.
Upon reset, the device MUST clear all bits in InterruptStatus and ready bits in the QueueReady register for all queues in the device.
The device MUST change value returned in ConfigGeneration if there is any risk of a driver seeing an inconsistent configuration state.
The device MUST NOT access virtual queue contents when QueueReady is zero (0x0).
If VIRTIO_F_RING_RESET has been negotiated, the device MUST present a 0 in QueueReset on reset.
If VIRTIO_F_RING_RESET has been negotiated, The device MUST present a 0 in QueueReset after the virtqueue is enabled with QueueReady.
The device MUST reset the queue when 1 is written to QueueReset. The device MUST continue to present 1 in QueueReset as long as the queue reset is ongoing. The device MUST present 0 in both QueueReset and QueueReady when queue reset has completed. (see 2.6.1).
The driver MUST NOT access memory locations not described in the table 4.1 (or, in case of the configuration space, described in the device specification), MUST NOT write to the read-only registers (direction R) and MUST NOT read from the write-only registers (direction W).
The driver MUST only use 32 bit wide and aligned reads and writes to access the control registers described in table 4.1. For the device-specific configuration space, the driver MUST use 8 bit wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and 64 bit wide fields.
The driver MUST ignore a device with MagicValue which is not 0x74726976, although it MAY report an error.
The driver MUST ignore a device with Version which is not 0x2, although it MAY report an error.
The driver MUST ignore a device with DeviceID 0x0, but MUST NOT report any error.
Before reading from DeviceFeatures, the driver MUST write a value to DeviceFeaturesSel.
Before writing to the DriverFeatures register, the driver MUST write a value to the DriverFeaturesSel register.
The driver MUST write a value to QueueNum which is less than or equal to the value presented by the device in QueueNumMax.
When QueueReady is not zero, the driver MUST NOT access QueueNum, QueueDescLow, QueueDescHigh, QueueDriverLow, QueueDriverHigh, QueueDeviceLow, QueueDeviceHigh.
To stop using the queue the driver MUST write zero (0x0) to this QueueReady and MUST read the value back to ensure synchronization.
The driver MUST ignore undefined bits in InterruptStatus.
The driver MUST write a value with a bit mask describing events it handled into InterruptACK when it finishes handling an interrupt and MUST NOT set any of the undefined bits in the value.
If VIRTIO_F_RING_RESET has been negotiated, after the driver writes 1 to QueueReset to reset the queue, the driver MUST NOT consider queue reset to be complete until it reads back 0 in QueueReset. The driver MAY re-enable the queue by writing 1 to QueueReady after ensuring that other virtqueue fields have been set up correctly. The driver MAY set driver-writeable queue configuration values to different values than those that were used before the queue reset. (see 2.6.1).
Drivers not expecting shared memory MUST NOT use the shared memory registers.
Further initialization MUST follow the procedure described in 3.1 Device Initialization.
The driver will typically initialize the virtual queue in the following way:
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the driver sends an available buffer notification to the device by writing the 16-bit virtqueue index of the queue to be notified to QueueNotify.
When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the driver sends an available buffer notification to the device by writing the following 32-bit value to QueueNotify:
See 2.9 Driver Notifications for the definition of the components.
The memory mapped virtio device is using a single, dedicated interrupt signal, which is asserted when at least one of the bits described in the description of InterruptStatus is set. This is how the device sends a used buffer notification or a configuration change notification to the device.
The legacy MMIO transport used page-based addressing, resulting in a slightly different control register layout, the device initialization and the virtual queue configuration procedure.
Table 4.2 presents control registers layout, omitting descriptions of registers which did not change their function nor behaviour:
| Table 4.2: MMIO Device Legacy Register Layout | |
|
Name |
Function |
|
|
|
|
MagicValue |
Magic value |
|
Version |
Device version number |
|
DeviceID |
Virtio Subsystem Device ID |
|
VendorID |
Virtio Subsystem Vendor ID |
|
HostFeatures |
Flags representing features the device supports |
|
HostFeaturesSel
|
Device (host) features word selection. |
|
GuestFeatures |
Flags representing device features understood and
activated by the driver |
|
GuestFeaturesSel
|
Activated (guest) features word selection |
|
GuestPageSize |
Guest page size |
|
QueueSel |
Virtual queue index |
|
QueueNumMax
|
Maximum virtual queue size |
|
QueueNum |
Virtual queue size |
|
QueueAlign |
Used Ring alignment in the virtual queue |
|
QueuePFN |
Guest physical page number of the virtual queue |
|
QueueNotify |
Queue notifier |
|
InterruptStatus
|
Interrupt status |
|
InterruptACK |
Interrupt acknowledge |
|
Status |
Device status |
|
Config |
Configuration space |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The virtual queue page size is defined by writing to GuestPageSize, as written by the guest. The driver does this before the virtual queues are configured.
The virtual queue layout follows p. 2.7.2 Legacy Interfaces: A Note on Virtqueue Layout, with the alignment defined in QueueAlign.
The virtual queue is configured as follows:
Notification mechanisms did not change.
S/390 based virtual machines support neither PCI nor MMIO, so a different transport is needed there.
virtio-ccw uses the standard channel I/O based mechanism used for the majority of devices on S/390. A virtual channel device with a special control unit type acts as proxy to the virtio device (similar to the way virtio-pci uses a PCI device) and configuration and operation of the virtio device is accomplished (mostly) via channel commands. This means virtio devices are discoverable via standard operating system algorithms, and adding virtio support is mainly a question of supporting a new control unit type.
As the S/390 is a big endian machine, the data structures transmitted via channel commands are big-endian: this is made clear by use of the types be16, be32 and be64.
As a proxy device, virtio-ccw uses a channel-attached I/O control unit with a special control unit type (0x3832) and a control unit model corresponding to the attached virtio device’s subsystem device ID, accessed via a virtual I/O subchannel and a virtual channel path of type 0x32. This proxy device is discoverable via normal channel subsystem device discovery (usually a STORE SUBCHANNEL loop) and answers to the basic channel commands:
For a virtio-ccw proxy device, SENSE ID will return the following information:
| Bytes | Description | Contents |
| 0 | reserved | 0xff |
| 1-2 | control unit type | 0x3832 |
| 3 | control unit model | |
| 4-5 | device type | zeroes (unset) |
| 6 | device model | zeroes (unset) |
| 7-255 | extended SenseId data | zeroes (unset) |
A virtio-ccw proxy device facilitates:
In addition to the basic channel commands, virtio-ccw defines a set of channel commands related to configuration and operation of virtio:
Available buffer notifications are realized as a hypercall. No additional setup by the driver is needed. The operation of available buffer notifications is described in section 4.3.3.2.
Used buffer notifications are realized either as so-called classic or adapter I/O interrupts depending on a transport level negotiation. The initialization is described in sections 4.3.2.6.1 and 4.3.2.6.3 respectively. The operation of each flavor is described in sections 4.3.3.1.1 and 4.3.3.1.2 respectively.
Configuration change notifications are done using so-called classic I/O interrupts. The initialization is described in section 4.3.2.6.2 and the operation in section 4.3.3.1.1.
The virtio-ccw device acts like a normal channel device, as specified in [S390 PoP] and [S390 Common I/O]. In particular:
A driver for virtio-ccw devices MUST check for a control unit type of 0x3832 and MUST ignore the device type and model.
A driver SHOULD attempt to provide the correct length in a channel command even if it suppresses length checks for that command.
virtio-ccw uses several channel commands to set up a device.
CCW_CMD_SET_VIRTIO_REV is issued by the driver to set the revision of the virtio-ccw transport it intends to drive the device with. It uses the following communication structure:
revision contains the desired revision id, length the length of the data portion and data revision-dependent additional desired options.
The following values are supported:
| revision | length | data | remarks |
| 0 | 0 | | legacy interface; transitional devices only |
| 1 | 0 | | Virtio 1 |
| 2 | 0 | | CCW_CMD_READ_STATUS support |
| 3-n | reserved for later revisions | ||
Note that a change in the virtio standard does not necessarily correspond to a change in the virtio-ccw revision.
A device SHOULD answer with command reject to any virtio-ccw specific channel command that is not contained in the revision selected by the driver.
A device MUST answer with command reject to any attempt to select a different revision after a revision has been successfully selected by the driver.
A device MUST treat the revision as unset from the time the associated subchannel has been enabled until a revision has been successfully set by the driver. This implies that revisions are not persistent across disabling and enabling of the associated subchannel.
A driver MUST NOT issue any other virtio-ccw specific channel commands prior to setting the revision.
After a revision has been successfully selected by the driver, it MUST NOT attempt to select a different revision.
A legacy driver will not issue the CCW_CMD_SET_VIRTIO_REV prior to issuing other virtio-ccw specific channel commands. A non-transitional device therefore MUST answer any such attempts with a command reject. A transitional device MUST assume in this case that the driver is a legacy driver and continue as if the driver selected revision 0. This implies that the device MUST reject any command not valid for revision 0, including a subsequent CCW_CMD_SET_VIRTIO_REV.
CCW_CMD_READ_VQ_CONF is issued by the driver to obtain information about a queue. It uses the following structure for communicating:
The requested number of buffers for queue index is returned in max_num.
Afterwards, CCW_CMD_SET_VQ is issued by the driver to inform the device about the location used for its queue. The transmitted structure is
desc, driver and device contain the guest addresses for the descriptor area, available area and used area for queue index, respectively. The actual virtqueue size (number of allocated buffers) is transmitted in num.
queue contains the guest address for queue index, num the number of buffers and align the alignment. The queue layout follows 2.7.2 Legacy Interfaces: A Note on Virtqueue Layout.
The driver changes the status of a device via the CCW_CMD_WRITE_STATUS command, which transmits an 8 bit status value.
As described in 2.2.2, a device sometimes fails to set the device status field: For example, it might fail to accept the FEATURES_OK status bit during device initialization.
With revision 2, CCW_CMD_READ_STATUS is defined: It reads an 8 bit status value from the device and acts as a reverse operation to CCW_CMD_WRITE_STATUS.
If at least revision 2 has been negotiated, the driver SHOULD use the CCW_CMD_READ_STATUS command to retrieve the device status field after a configuration change has been detected.
If not at least revision 2 has been negotiated, the driver MUST NOT attempt to issue the CCW_CMD_READ_STATUS command.
If at least revision 2 has been negotiated, the device MUST return the current device status field if the CCW_CMD_READ_STATUS command is issued.
Feature bits are arranged in an array of 32 bit values, making for a total of 8192 feature bits. Feature bits are in little-endian byte order.
The CCW commands dealing with features use the following communication block:
features are the 32 bits of features currently accessed, while index describes which of the feature bit values is to be accessed. No padding is added at the end of the structure, it is exactly 5 bytes in length.
The guest obtains the device’s device feature set via the CCW_CMD_READ_FEAT command. The device stores the features at index to features.
For communicating its supported features to the device, the driver uses the CCW_CMD_WRITE_FEAT command, denoting a features/index combination.
The device’s configuration space is located in host memory.
To obtain information from the configuration space, the driver uses CCW_CMD_READ_CONF, specifying the guest memory for the device to write to.
For changing configuration information, the driver uses CCW_CMD_WRITE_CONF, specifying the guest memory for the device to read from.
In both cases, the complete configuration space is transmitted. This allows the driver to compare the new configuration space with the old version, and keep a generation count internally whenever it changes.
In order to set up the indicator bits for host->guest notification, the driver uses different channel commands depending on whether it wishes to use traditional I/O interrupts tied to a subchannel or adapter I/O interrupts for virtqueue notifications. For any given device, the two mechanisms are mutually exclusive.
For the configuration change indicators, only a mechanism using traditional I/O interrupts is provided, regardless of whether traditional or adapter I/O interrupts are used for virtqueue notifications.
To communicate the location of the indicator bits for host->guest notification, the driver uses the CCW_CMD_SET_IND command, pointing to a location containing the guest address of the indicators in a 64 bit value.
If the driver has already set up two-staged queue indicators via the CCW_CMD_SET_IND_ADAPTER command, the device MUST post a unit check with command reject to any subsequent CCW_CMD_SET_IND command.
To communicate the location of the indicator bits used in the configuration change host->guest notification, the driver issues the CCW_CMD_SET_CONF_IND command, pointing to a location containing the guest address of the indicators in a 64 bit value.
To communicate the location of the summary and queue indicator bits, the driver uses the CCW_CMD_SET_IND_ADAPTER command with the following payload:
summary_indicator contains the guest address of the 8 bit summary indicator. indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. Bit numbers start at the left, i.e. the most significant bit in the first byte is assigned the bit number 0. isc contains the I/O interruption subclass to be used for the adapter I/O interrupt. It MAY be different from the isc used by the proxy virtio-ccw device’s subchannel. No padding is added at the end of the structure, it is exactly 25 bytes in length.
There are two modes of operation regarding host->guest notification, classic I/O interrupts and adapter I/O interrupts. The mode to be used is determined by the driver by using CCW_CMD_SET_IND respectively CCW_CMD_SET_IND_ADAPTER to set up queue indicators.
For configuration changes, the driver always uses classic I/O interrupts.
For notifying the driver of virtqueue buffers, the device sets the corresponding bit in the guest-provided indicators. If an interrupt is not already pending for the subchannel, the device generates an unsolicited I/O interrupt.
If the device wants to notify the driver about configuration changes, it sets bit 0 in the configuration indicators and generates an unsolicited I/O interrupt, if needed. This also applies if adapter I/O interrupts are used for queue notifications.
For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. The guest-provided summary indicator is set to 0x01. An adapter I/O interrupt for the corresponding interruption subclass is generated.
The recommended way to process an adapter I/O interrupt by the driver is as follows:
For notifying the device of virtqueue buffers, the driver unfortunately can’t use a channel command (the asynchronous characteristics of channel I/O interact badly with the host block I/O backend). Instead, it uses a diagnose 0x500 call with subcode 3 specifying the queue, as follows:
| GPR | Input Value | Output Value |
| 1 | 0x3 | |
| 2 | Subchannel ID | Host Cookie |
| 3 | Notification data | |
| 4 | Host Cookie | |
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the Notification data contains the Virtqueue number.
When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the value has the following format:
See 2.9 Driver Notifications for the definition of the components.
The device MAY return a 64-bit host cookie in GPR2 to speed up the notification execution.
In order to reset a device, a driver sends the CCW_CMD_VDEV_RESET command. This command does not carry any payload.
The device signals completion of the virtio reset operation through successful conclusion of the CCW_CMD_VDEV_RESET channel command. In particular, the command not only triggers the reset operation, but the reset operation is already completed when the operation concludes successfully.
The device MUST NOT send notifications or interact with the queues after it signaled successful conclusion of the CCW_CMD_VDEV_RESET command.
The following device IDs are used to identify different types of virtio devices. Some device IDs are reserved for devices which are not currently defined in this standard.
Discovering what devices are available and their type is bus-dependent.
| Device ID | Virtio Device |
| 0 | reserved (invalid) |
| 1 | network card |
| 2 | block device |
| 3 | console |
| 4 | entropy source |
| 5 | memory ballooning (traditional) |
| 6 | ioMemory |
| 7 | rpmsg |
| 8 | SCSI host |
| 9 | 9P transport |
| 10 | mac80211 wlan |
| 11 | rproc serial |
| 12 | virtio CAIF |
| 13 | memory balloon |
| 16 | GPU device |
| 17 | Timer/Clock device |
| 18 | Input device |
| 19 | Socket device |
| 20 | Crypto device |
| 21 | Signal Distribution Module |
| 22 | pstore device |
| 23 | IOMMU device |
| 24 | Memory device |
| 25 | Audio device |
| 26 | file system device |
| 27 | PMEM device |
| 28 | RPMB device |
| 29 | mac80211 hwsim wireless simulation device |
| 30 | Video encoder device |
| 31 | Video decoder device |
| 32 | SCMI device |
| 33 | NitroSecureModule |
| 34 | I2C adapter |
| 35 | Watchdog |
| 36 | CAN device |
| 38 | Parameter Server |
| 39 | Audio policy device |
| 40 | Bluetooth device |
| 41 | GPIO device |
| 42 | RDMA device |
Some of the devices above are unspecified by this document, because they are seen as immature or especially niche. Be warned that some are only specified by the sole existing implementation; they could become part of a future specification, be abandoned entirely, or live on outside this standard. We shall speak of them no further.
The virtio network device is a virtual ethernet card, and is the most complex of the devices supported so far by virtio. It has enhanced rapidly and demonstrates clearly how support for new features are added to an existing device. Empty buffers are placed in one virtqueue for receiving packets, and outgoing packets are enqueued into another for transmission in that order. A third command queue is used to control advanced filtering features.
N=1 if neither VIRTIO_NET_F_MQ nor VIRTIO_NET_F_RSS are negotiated, otherwise N is set by max_virtqueue_pairs.
controlq only exists if VIRTIO_NET_F_CTRL_VQ set.
Some networking feature bits require other networking feature bits (see 2.2.1):
Device configuration fields are listed below, they are read-only for a driver. The mac address field always exists (though is only valid if VIRTIO_NET_F_MAC is set), and status only exists if VIRTIO_NET_F_STATUS is set. Two read-only bits (for the driver) are currently defined for the status field: VIRTIO_NET_S_LINK_UP and VIRTIO_NET_S_ANNOUNCE.
The following driver-read-only field, max_virtqueue_pairs only exists if VIRTIO_NET_F_MQ or VIRTIO_NET_F_RSS is set. This field specifies the maximum number of each of transmit and receive virtqueues (receiveq1…receiveqN and transmitq1…transmitqN respectively) that can be configured once at least one of these features is negotiated.
The following driver-read-only field, mtu only exists if VIRTIO_NET_F_MTU is set. This field specifies the maximum MTU for the driver to use.
The following two fields, speed and duplex, only exist if VIRTIO_NET_F_SPEED_DUPLEX is set.
speed contains the device speed, in units of 1 MBit per second, 0 to 0x7fffffff, or 0xffffffff for unknown speed.
duplex has the values of 0x01 for full duplex, 0x00 for half duplex and 0xff for unknown duplex state.
Both speed and duplex can change, thus the driver is expected to re-read these values after receiving a configuration change notification.
The following field, rss_max_key_size only exists if VIRTIO_NET_F_RSS or VIRTIO_NET_F_HASH_REPORT is set. It specifies the maximum supported length of RSS key in bytes.
The following field, rss_max_indirection_table_length only exists if VIRTIO_NET_F_RSS is set. It specifies the maximum number of 16-bit entries in RSS indirection table.
The next field, supported_hash_types only exists if the device supports hash calculation, i.e. if VIRTIO_NET_F_RSS or VIRTIO_NET_F_HASH_REPORT is set.
Field supported_hash_types contains the bitmask of supported hash types. See 5.1.6.4.3.1 for details of supported hash types.
The device MUST set max_virtqueue_pairs to between 1 and 0x8000 inclusive, if it offers VIRTIO_NET_F_MQ.
The device MUST set mtu to between 68 and 65535 inclusive, if it offers VIRTIO_NET_F_MTU.
The device SHOULD set mtu to at least 1280, if it offers VIRTIO_NET_F_MTU.
The device MUST NOT modify mtu once it has been set.
The device MUST NOT pass received packets that exceed mtu (plus low level ethernet header length) size with gso_type NONE or ECN after VIRTIO_NET_F_MTU has been successfully negotiated.
The device MUST forward transmitted packets of up to mtu (plus low level ethernet header length) size with gso_type NONE or ECN, and do so without fragmentation, after VIRTIO_NET_F_MTU has been successfully negotiated.
The device MUST set rss_max_key_size to at least 40, if it offers VIRTIO_NET_F_RSS or VIRTIO_NET_F_HASH_REPORT.
The device MUST set rss_max_indirection_table_length to at least 128, if it offers VIRTIO_NET_F_RSS.
If the driver negotiates the VIRTIO_NET_F_STANDBY feature, the device MAY act as a standby device for a primary device with the same MAC address.
If VIRTIO_NET_F_SPEED_DUPLEX has been negotiated, speed MUST contain the device speed, in units of 1 MBit per second, 0 to 0x7ffffffff, or 0xfffffffff for unknown.
If VIRTIO_NET_F_SPEED_DUPLEX has been negotiated, duplex MUST have the values of 0x00 for full duplex, 0x01 for half duplex, or 0xff for unknown.
If VIRTIO_NET_F_SPEED_DUPLEX and VIRTIO_NET_F_STATUS have both been negotiated, the device SHOULD NOT change the speed and duplex fields as long as VIRTIO_NET_S_LINK_UP is set in the status.
A driver SHOULD negotiate VIRTIO_NET_F_MAC if the device offers it. If the driver negotiates the VIRTIO_NET_F_MAC feature, the driver MUST set the physical address of the NIC to mac. Otherwise, it SHOULD use a locally-administered MAC address (see IEEE 802, “9.2 48-bit universal LAN MAC addresses”).
If the driver does not negotiate the VIRTIO_NET_F_STATUS feature, it SHOULD assume the link is active, otherwise it SHOULD read the link status from the bottom bit of status.
A driver SHOULD negotiate VIRTIO_NET_F_MTU if the device offers it.
If the driver negotiates VIRTIO_NET_F_MTU, it MUST supply enough receive buffers to receive at least one receive packet of size mtu (plus low level ethernet header length) with gso_type NONE or ECN.
If the driver negotiates VIRTIO_NET_F_MTU, it MUST NOT transmit packets of size exceeding the value of mtu (plus low level ethernet header length) with gso_type NONE or ECN.
A driver SHOULD negotiate the VIRTIO_NET_F_STANDBY feature if the device offers it.
If VIRTIO_NET_F_SPEED_DUPLEX has been negotiated, the driver MUST treat any value of speed above 0x7fffffff as well as any value of duplex not matching 0x00 or 0x01 as an unknown value.
If VIRTIO_NET_F_SPEED_DUPLEX has been negotiated, the driver SHOULD re-read speed and duplex after a configuration change notification.
When using the legacy interface, transitional devices and drivers MUST format status and max_virtqueue_pairs in struct virtio_net_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
When using the legacy interface, mac is driver-writable which provided a way for drivers to update the MAC without negotiating VIRTIO_NET_F_CTRL_MAC_ADDR.
A driver would perform a typical initialization routine like so:
A truly minimal driver would only accept VIRTIO_NET_F_MAC and ignore everything else.
Packets are transmitted by placing them in the transmitq1…transmitqN, and buffers for incoming packets are placed in the receiveq1…receiveqN. In each case, the packet itself is preceded by a header:
The controlq is used to control device features such as filtering.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_net_hdr according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
The legacy driver only presented num_buffers in the struct virtio_net_hdr when VIRTIO_NET_F_MRG_RXBUF was negotiated; without that feature the structure was 2 bytes shorter.
When using the legacy interface, the driver SHOULD ignore the used length for the transmit queues and the controlq queue. Note: Historically, some devices put the total descriptor length there, even though no data was actually written.
Transmitting a single packet is simple, but varies depending on the different features the driver negotiated.
If VIRTIO_NET_F_CSUM is not negotiated, the driver MUST set flags to zero and SHOULD supply a fully checksummed packet to the device.
If VIRTIO_NET_F_HOST_TSO4 is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_TCPV4 to request TCPv4 segmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV4.
If VIRTIO_NET_F_HOST_TSO6 is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_TCPV6 to request TCPv6 segmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV6.
If VIRTIO_NET_F_HOST_UFO is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_UDP to request UDP fragmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_UDP.
If VIRTIO_NET_F_HOST_USO is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_UDP_L4 to request UDP segmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_UDP_L4.
The driver SHOULD NOT send to the device TCP packets requiring segmentation offload which have the Explicit Congestion Notification bit set, unless the VIRTIO_NET_F_HOST_ECN feature is negotiated, in which case the driver MUST set the VIRTIO_NET_HDR_GSO_ECN bit in gso_type.
If the VIRTIO_NET_F_CSUM feature has been negotiated, the driver MAY set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags, if so:
If none of the VIRTIO_NET_F_HOST_TSO4, TSO6, USO or UFO options have been negotiated, the driver MUST set gso_type to VIRTIO_NET_HDR_GSO_NONE.
If gso_type differs from VIRTIO_NET_HDR_GSO_NONE, then the driver MUST also set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags and MUST set gso_size to indicate the desired MSS.
If one of the VIRTIO_NET_F_HOST_TSO4, TSO6, USO or UFO options have been negotiated:
The driver SHOULD accept the VIRTIO_NET_F_GUEST_HDRLEN feature if it has been offered, and if it’s able to provide the exact header length.
The driver MUST NOT set the VIRTIO_NET_HDR_F_DATA_VALID and VIRTIO_NET_HDR_F_RSC_INFO bits in flags.
If VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags is not set, the device MUST NOT use the csum_start and csum_offset.
If one of the VIRTIO_NET_F_HOST_TSO4, TSO6, USO or UFO options have been negotiated:
If VIRTIO_NET_HDR_F_NEEDS_CSUM is not set, the device MUST NOT rely on the packet checksum being correct.
The normal behavior in this interrupt handler is to retrieve used buffers from the virtqueue and free the corresponding headers and packets.
It is generally a good idea to keep the receive virtqueue as fully populated as possible: if it runs out, network performance will suffer.
If the VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6 or VIRTIO_NET_F_GUEST_UFO features are used, the maximum incoming packet will be to 65550 bytes long (the maximum size of a TCP or UDP packet, plus the 14 byte ethernet header), otherwise 1514 bytes. The 12-byte struct virtio_net_hdr is prepended to this, making for 65562 or 1526 bytes.
If VIRTIO_NET_F_MQ is negotiated, each of receiveq1…receiveqN that will be used SHOULD be populated with receive buffers.
The device MUST use only a single descriptor if VIRTIO_NET_F_MRG_RXBUF was not negotiated. Note: This means that num_buffers will always be 1 if VIRTIO_NET_F_MRG_RXBUF is not negotiated.
When a packet is copied into a buffer in the receiveq, the optimal path is to disable further used buffer notifications for the receiveq and process packets until no more are found, then re-enable them.
Processing incoming packets involves:
Additionally, VIRTIO_NET_F_GUEST_CSUM, TSO4, TSO6, UDP and ECN features enable receive checksum, large receive offload and ECN support which are the input equivalents of the transmit checksum, transmit segmentation offloading and ECN features, as described in 5.1.6.2:
If applicable, the device calculates per-packet hash for incoming packets as defined in 5.1.6.4.3.
If applicable, the device reports hash information for incoming packets as defined in 5.1.6.4.4.
If VIRTIO_NET_F_MRG_RXBUF has been negotiated, the device MUST set num_buffers to indicate the number of buffers the packet (including the header) is spread over.
If a receive packet is spread over multiple buffers, the device MUST use all buffers but the last (i.e. the first num_buffers - 1 buffers) completely up to the full length of each buffer supplied by the driver.
The device MUST use all buffers used by a single receive packet together, such that at least num_buffers are observed by driver as used.
If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags to zero and SHOULD supply a fully checksummed packet to the driver.
If VIRTIO_NET_F_GUEST_TSO4 is not negotiated, the device MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV4.
If VIRTIO_NET_F_GUEST_UDP is not negotiated, the device MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_UDP.
If VIRTIO_NET_F_GUEST_TSO6 is not negotiated, the device MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV6.
The device SHOULD NOT send to the driver TCP packets requiring segmentation offload which have the Explicit Congestion Notification bit set, unless the VIRTIO_NET_F_GUEST_ECN feature is negotiated, in which case the device MUST set the VIRTIO_NET_HDR_GSO_ECN bit in gso_type.
If the VIRTIO_NET_F_GUEST_CSUM feature has been negotiated, the device MAY set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags, if so:
If none of the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options have been negotiated, the device MUST set gso_type to VIRTIO_NET_HDR_GSO_NONE.
If gso_type differs from VIRTIO_NET_HDR_GSO_NONE, then the device MUST also set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags MUST set gso_size to indicate the desired MSS. If VIRTIO_NET_F_RSC_EXT was negotiated, the device MUST also set VIRTIO_NET_HDR_F_RSC_INFO bit in flags, set csum_start to number of coalesced TCP segments and set csum_offset to number of received duplicated ACK segments.
If VIRTIO_NET_F_RSC_EXT was not negotiated, the device MUST not set VIRTIO_NET_HDR_F_RSC_INFO bit in flags.
If one of the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options have been negotiated, the device SHOULD set hdr_len to a value not less than the length of the headers, including the transport header.
If the VIRTIO_NET_F_GUEST_CSUM feature has been negotiated, the device MAY set the VIRTIO_NET_HDR_F_DATA_VALID bit in flags, if so, the device MUST validate the packet checksum (in case of multiple encapsulated protocols, one level of checksums is validated).
If VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags is not set or if VIRTIO_NET_HDR_F_RSC_INFO bit flags is set, the driver MUST NOT use the csum_start and csum_offset.
If one of the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options have been negotiated, the driver MAY use hdr_len only as a hint about the transport header size. The driver MUST NOT rely on hdr_len to be correct. Note: This is due to various bugs in implementations.
If neither VIRTIO_NET_HDR_F_NEEDS_CSUM nor VIRTIO_NET_HDR_F_DATA_VALID is set, the driver MUST NOT rely on the packet checksum being correct.
If the feature VIRTIO_NET_F_RSS was negotiated:
If the feature VIRTIO_NET_F_RSS was not negotiated:
Note that if the device offers VIRTIO_NET_F_HASH_REPORT, even if it supports only one pair of virtqueues, it MUST support at least one of commands of VIRTIO_NET_CTRL_MQ class to configure reported hash parameters:
Hash types applicable for IPv6 packets without extension headers
Hash types applicable for IPv6 packets with extension headers
If VIRTIO_NET_F_HASH_REPORT was negotiated but due to any reason the hash was not calculated, the device sets hash_report to VIRTIO_NET_HASH_REPORT_NONE.
Possible values that the device can report in hash_report are defined below. They correspond to supported hash types defined in 5.1.6.4.3.1 as follows:
VIRTIO_NET_HASH_TYPE_XXX = 1 « (VIRTIO_NET_HASH_REPORT_XXX - 1)
The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is negotiated) to send commands to manipulate various features of the device which would not easily map into the configuration space.
All commands are of the following form:
The class, command and command-specific-data are set by the driver, and the device sets the ack byte. There is little it can do except issue a diagnostic if ack is not VIRTIO_NET_OK.
If the VIRTIO_NET_F_CTRL_RX_EXTRA feature has been negotiated, the device MUST support the following VIRTIO_NET_CTRL_RX class commands:
If the VIRTIO_NET_F_CTRL_RX_EXTRA feature has not been negotiated, the driver MUST NOT issue commands VIRTIO_NET_CTRL_RX_ALLUNI, VIRTIO_NET_CTRL_RX_NOMULTI, VIRTIO_NET_CTRL_RX_NOUNI or VIRTIO_NET_CTRL_RX_NOBCAST.
The device can filter incoming packets by any number of destination MAC addresses10. This table is set using the class VIRTIO_NET_CTRL_MAC and the command VIRTIO_NET_CTRL_MAC_TABLE_SET. The command-specific-data is two variable length tables of 6-byte MAC addresses (as described in struct virtio_net_ctrl_mac). The first table contains unicast addresses, and the second contains multicast addresses.
The VIRTIO_NET_CTRL_MAC_ADDR_SET command is used to set the default MAC address which rx filtering accepts (and if VIRTIO_NET_F_MAC has been negotiated, this will be reflected in mac in config space).
The command-specific-data for VIRTIO_NET_CTRL_MAC_ADDR_SET is the 6-byte MAC address.
The device MUST update the MAC filtering table before it consumes the VIRTIO_NET_CTRL_MAC_TABLE_SET command.
The device MUST update mac in config space before it consumes the VIRTIO_NET_CTRL_MAC_ADDR_SET command, if VIRTIO_NET_F_MAC has been negotiated.
The device SHOULD drop incoming packets which have a destination MAC which matches neither the mac (or that set with VIRTIO_NET_CTRL_MAC_ADDR_SET) nor the MAC filtering table.
If VIRTIO_NET_F_CTRL_RX has been negotiated, the driver SHOULD issue VIRTIO_NET_CTRL_MAC_ADDR_SET to set the default mac if it is different from mac.
The driver MUST follow the VIRTIO_NET_CTRL_MAC_TABLE_SET command by a le32 number, followed by that number of non-multicast MAC addresses, followed by another le32 number, followed by that number of multicast addresses. Either number MAY be 0.
Legacy drivers that didn’t negotiate VIRTIO_NET_F_CTRL_MAC_ADDR changed mac in config space when NIC is accepting incoming packets. These drivers always wrote the mac value from first to last byte, therefore after detecting such drivers, a transitional device MAY defer MAC update, or MAY defer processing incoming packets until driver writes the last byte of mac in the config space.
Both the VIRTIO_NET_CTRL_VLAN_ADD and VIRTIO_NET_CTRL_VLAN_DEL command take a little-endian 16-bit VLAN id as the command-specific-data.
The driver checks VIRTIO_NET_S_ANNOUNCE bit in the device configuration status field when it notices the changes of device configuration. The command VIRTIO_NET_CTRL_ANNOUNCE_ACK is used to indicate that driver has received the notification and device clears the VIRTIO_NET_S_ANNOUNCE bit in status.
Processing this notification involves:
A device MAY support one of these features or both. The driver MAY negotiate any set of these features that the device supports.
Multiqueue is disabled by default.
The driver enables multiqueue by sending a command using class VIRTIO_NET_CTRL_MQ. The command selects the mode of multiqueue operation, as follows:
If more than one multiqueue mode is negotiated, the resulting device configuration is defined by the last command sent by the driver.
The driver enables multiqueue by sending the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command, specifying the number of the transmit and receive queues to be used up to max_virtqueue_pairs; subsequently, transmitq1…transmitqn and receiveq1…receiveqn where n=virtqueue_pairs MAY be used.
When multiqueue is enabled by VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command, the device MUST use automatic receive steering based on packet flow. Programming of the receive steering classificator is implicit. After the driver transmitted a packet of a flow on transmitqX, the device SHOULD cause incoming packets for that flow to be steered to receiveqX. For uni-directional protocols, or where no packets have been transmitted yet, the device MAY steer a packet to a random queue out of the specified receiveq1…receiveqn.
Multiqueue is disabled by VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET with virtqueue_pairs to 1 (this is the default) and waiting for the device to use the command buffer.
The driver MUST NOT request a virtqueue_pairs of 0 or greater than max_virtqueue_pairs in the device configuration space.
The driver MUST queue packets only on any transmitq1 before the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command.
The driver MUST NOT queue packets on transmit queues greater than virtqueue_pairs once it has placed the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command in the available ring.
The device MUST NOT queue packets on receive queues greater than virtqueue_pairs once it has placed the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command in a used buffer.
The driver provides parameters for hash calculation as follows:
class VIRTIO_NET_CTRL_MQ, command VIRTIO_NET_CTRL_MQ_HASH_CONFIG.
The command-specific-data has following format:
Field hash_types contains a bitmask of allowed hash types as defined in 5.1.6.4.3.1. Initially the device has all hash types disabled and reports only VIRTIO_NET_HASH_REPORT_NONE.
Field reserved MUST contain zeroes. It is defined to make the structure to match the layout of virtio_net_rss_config structure, defined in 5.1.6.5.7.
Fields hash_key_length and hash_key_data define the key to be used in hash calculation.
A driver queries RSS capabilities of the device by reading device configuration as defined in 5.1.4
Field hash_types contains a bitmask of allowed hash types as defined in 5.1.6.4.3.1.
Field indirection_table_mask is a mask to be applied to the calculated hash to produce an index in the indirection_table array. Number of entries in indirection_table is (indirection_table_mask + 1).
Field unclassified_queue contains the 0-based index of the receive virtqueue to place unclassified packets in. Index 0 corresponds to receiveq1.
Field indirection_table contains an array of 0-based indices of receive virtqueus. Index 0 corresponds to receiveq1.
A driver sets max_tx_vq to inform a device how many transmit virtqueues it may use (transmitq1…transmitq max_tx_vq).
Fields hash_key_length and hash_key_data define the key to be used in hash calculation.
A driver MUST fill the indirection_table array only with indices of enabled queues. Index 0 corresponds to receiveq1.
The number of entries in indirection_table (indirection_table_mask + 1) MUST be a power of two.
A driver MUST use indirection_table_mask values that are less than rss_max_indirection_table_length reported by a device.
A driver MUST NOT set any VIRTIO_NET_HASH_TYPE_ flags that are not supported by a device.
The class VIRTIO_NET_CTRL_GUEST_OFFLOADS has one command: VIRTIO_NET_CTRL_GUEST_OFFLOADS_SET applies the new offloads configuration.
le64 value passed as command data is a bitmask, bits set define offloads to be enabled, bits cleared - offloads to be disabled.
There is a corresponding device feature for each offload. Upon feature negotiation corresponding offload gets enabled to preserve backward compatibility.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST use a single descriptor for the struct virtio_net_hdr on both transmit and receive, with the network data in the following descriptors.
Additionally, when using the control virtqueue (see 5.1.6.5) , transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST:
See 2.7.4.
The virtio block device is a simple virtual block device (ie. disk). Read and write requests (and other exotic requests) are placed in one of its queues, and serviced (probably out of order) by the device except where noted.
N=1 if VIRTIO_BLK_F_MQ is not negotiated, otherwise N is set by num_queues.
The capacity of the device (expressed in 512-byte sectors) is always present. The availability of the others all depend on various feature bits as indicated above.
The field num_queues only exists if VIRTIO_BLK_F_MQ is set. This field specifies the number of queues.
The parameters in the configuration space of the device max_discard_sectors discard_sector_alignment are expressed in 512-byte units if the VIRTIO_BLK_F_DISCARD feature bit is negotiated. The max_write_zeroes_sectors is expressed in 512-byte units if the VIRTIO_BLK_F_WRITE_ZEROES feature bit is negotiated. The parameters in the configuration space of the device max_secure_erase_sectors secure_erase_sector_alignment are expressed in 512-byte units if the VIRTIO_BLK_F_SECURE_ERASE feature bit is negotiated.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_blk_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
Drivers SHOULD NOT negotiate VIRTIO_BLK_F_FLUSH if they are incapable of sending VIRTIO_BLK_T_FLUSH commands.
If neither VIRTIO_BLK_F_CONFIG_WCE nor VIRTIO_BLK_F_FLUSH are negotiated, the driver MAY deduce the presence of a writethrough cache. If VIRTIO_BLK_F_CONFIG_WCE was not negotiated but VIRTIO_BLK_F_FLUSH was, the driver SHOULD assume presence of a writeback cache.
The driver MUST NOT read writeback before setting the FEATURES_OK device status bit.
Devices SHOULD always offer VIRTIO_BLK_F_FLUSH, and MUST offer it if they offer VIRTIO_BLK_F_CONFIG_WCE.
If VIRTIO_BLK_F_CONFIG_WCE is negotiated but VIRTIO_BLK_F_FLUSH is not, the device MUST initialize writeback to 0.
The device MUST initialize padding bytes unused0 and unused1 to 0.
Because legacy devices do not have FEATURES_OK, transitional devices MUST implement slightly different behavior around feature negotiation when used through the legacy interface. In particular, when using the legacy interface:
The driver queues requests to the virtqueues, and they are used by the device (not necessarily in order). Each request is of form:
The type of the request is either a read (VIRTIO_BLK_T_IN), a write (VIRTIO_BLK_T_OUT), a discard (VIRTIO_BLK_T_DISCARD), a write zeroes (VIRTIO_BLK_T_WRITE_ZEROES), a flush (VIRTIO_BLK_T_FLUSH), a get device ID string command (VIRTIO_BLK_T_GET_ID), a secure erase (VIRTIO_BLK_T_SECURE_ERASE), or a get device lifetime command (VIRTIO_BLK_T_GET_LIFETIME).
The sector number indicates the offset (multiplied by 512) where the read or write is to occur. This field is unused and set to 0 for commands other than read or write.
VIRTIO_BLK_T_IN requests populate data with the contents of sectors read from the block device (in multiples of 512 bytes). VIRTIO_BLK_T_OUT requests write the contents of data to the block device (in multiples of 512 bytes).
The data used for discard, secure erase or write zeroes commands consists of one or more segments. The maximum number of segments is max_discard_seg for discard commands, max_secure_erase_seg for secure erase commands and max_write_zeroes_seg for write zeroes commands. Each segment is of form:
sector indicates the starting offset (in 512-byte units) of the segment, while num_sectors indicates the number of sectors in each discarded range. unmap is only used in write zeroes commands and allows the device to discard the specified range, provided that following reads return zeroes.
VIRTIO_BLK_T_GET_ID requests fetch the device ID string from the device into data. The device ID string is a NUL-padded ASCII string up to 20 bytes long. If the string is 20 bytes long then there is no NUL terminator.
The data used for VIRTIO_BLK_T_GET_LIFETIME requests is populated by the device, and is of the form
The pre_eol_info specifies the percentage of reserved blocks that are consumed and will have one of these values:
The device_lifetime_est_typ_a refers to wear of SLC cells and is provided in increments of 10used, and so on, thru to 11 meaning estimated lifetime exceeded. All values above 11 are reserved.
The device_lifetime_est_typ_b refers to wear of MLC cells and is provided with the same semantics as device_lifetime_est_typ_a.
The final status byte is written by the device: either VIRTIO_BLK_S_OK for success, VIRTIO_BLK_S_IOERR for device or driver error or VIRTIO_BLK_S_UNSUPP for a request unsupported by device:
The status of individual segments is indeterminate when a discard or write zero command produces VIRTIO_BLK_S_IOERR. A segment may have completed successfully, failed, or not been processed by the device.
A driver MUST NOT submit a request which would cause a read or write beyond capacity.
A driver SHOULD accept the VIRTIO_BLK_F_RO feature if offered.
A driver MUST set sector to 0 for a VIRTIO_BLK_T_FLUSH request. A driver SHOULD NOT include any data in a VIRTIO_BLK_T_FLUSH request.
The length of data MUST be a multiple of 512 bytes for VIRTIO_BLK_T_IN and VIRTIO_BLK_T_OUT requests.
The length of data MUST be a multiple of the size of struct virtio_blk_discard_write_zeroes for VIRTIO_BLK_T_DISCARD, VIRTIO_BLK_T_SECURE_ERASE and VIRTIO_BLK_T_WRITE_ZEROES requests.
The length of data MUST be 20 bytes for VIRTIO_BLK_T_GET_ID requests.
VIRTIO_BLK_T_DISCARD requests MUST NOT contain more than max_discard_seg struct virtio_blk_discard_write_zeroes segments in data.
VIRTIO_BLK_T_SECURE_ERASE requests MUST NOT contain more than max_secure_erase_seg struct virtio_blk_discard_write_zeroes segments in data.
VIRTIO_BLK_T_WRITE_ZEROES requests MUST NOT contain more than max_write_zeroes_seg struct virtio_blk_discard_write_zeroes segments in data.
If the VIRTIO_BLK_F_CONFIG_WCE feature is negotiated, the driver MAY switch to writethrough or writeback mode by writing respectively 0 and 1 to the writeback field. After writing a 0 to writeback, the driver MUST NOT assume that any volatile writes have been committed to persistent device backend storage.
The unmap bit MUST be zero for discard commands. The driver MUST NOT assume anything about the data returned by read requests after a range of sectors has been discarded.
A driver MUST NOT assume that individual segments in a multi-segment VIRTIO_BLK_T_DISCARD or VIRTIO_BLK_T_WRITE_ZEROES request completed successfully, failed, or were processed by the device at all if the request failed with VIRTIO_BLK_S_IOERR.
A device MUST set the status byte to VIRTIO_BLK_S_IOERR for a write request if the VIRTIO_BLK_F_RO feature if offered, and MUST NOT write any data.
The device MUST set the status byte to VIRTIO_BLK_S_UNSUPP for discard, secure erase and write zeroes commands if any unknown flag is set. Furthermore, the device MUST set the status byte to VIRTIO_BLK_S_UNSUPP for discard commands if the unmap flag is set.
For discard commands, the device MAY deallocate the specified range of sectors in the device backend storage.
For write zeroes commands, if the unmap is set, the device MAY deallocate the specified range of sectors in the device backend storage, as if the discard command had been sent. After a write zeroes command is completed, reads of the specified ranges of sectors MUST return zeroes. This is true independent of whether unmap was set or clear.
The device SHOULD clear the write_zeroes_may_unmap field of the virtio configuration space if and only if a write zeroes request cannot result in deallocating one or more sectors. The device MAY change the content of the field during operation of the device; when this happens, the device SHOULD trigger a configuration change notification.
A write is considered volatile when it is submitted; the contents of sectors covered by a volatile write are undefined in persistent device backend storage until the write becomes stable. A write becomes stable once it is completed and one or more of the following conditions is true:
If the device is backed by persistent storage, the device MUST ensure that stable writes are committed to it, before reporting completion of the write (cases 1 and 2) or the flush (case 3). Failure to do so can cause data loss in case of a crash.
If the driver changes writeback between the submission of the write and its completion, the write could be either volatile or stable when its completion is reported; in other words, the exact behavior is undefined.
If VIRTIO_BLK_F_FLUSH was not offered by the device12, the device MAY also commit writes to persistent device backend storage before reporting their completion. Unlike case 1, however, this is not an absolute requirement of the specification. Note: An implementation that does not offer VIRTIO_BLK_F_FLUSH and does not commit completed writes will not be resilient to data loss in case of crashes. Not offering VIRTIO_BLK_F_FLUSH is an absolute requirement for implementations that do not wish to be safe against such data losses.
If the device is backed by storage providing lifetime metrics (such as eMMC or UFS persistent storage), the device SHOULD offer the VIRTIO_BLK_F_LIFETIME flag. The flag MUST NOT be offered if the device is backed by storage for which the lifetime metrics described in this document cannot be obtained or for which such metrics have no useful meaning. If the metrics are offered, the device MUST NOT send any reserved values, as defined in this specification. Note: The device lifetime metrics pre_eol_info, device_lifetime_est_a and device_lifetime_est_b are discussed in the JESD84-B50 specification.
The complete JESD84-B50 is available at the JEDEC website (https://www.jedec.org) pursuant to JEDEC’s licensing terms and conditions. This information is provided to simplfy passthrough implementations from eMMC devices.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_blk_req according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
When using the legacy interface, transitional drivers SHOULD ignore the used length values. Note: Historically, some devices put the total descriptor length, or the total length of device-writable buffers there, even when only the status byte was actually written.
The reserved field was previously called ioprio. ioprio is a hint about the relative priorities of requests to the device: higher numbers indicate more important requests.
The command VIRTIO_BLK_T_FLUSH_OUT was a synonym for VIRTIO_BLK_T_FLUSH; a driver MUST treat it as a VIRTIO_BLK_T_FLUSH command.
If the device has VIRTIO_BLK_F_BARRIER feature the high bit (VIRTIO_BLK_T_BARRIER) indicates that this request acts as a barrier and that all preceding requests SHOULD be complete before this one, and all following requests SHOULD NOT be started until this is complete. Note: A barrier does not flush caches in the underlying backend device in host, and thus does not serve as data consistency guarantee. Only a VIRTIO_BLK_T_FLUSH request does that.
Some older legacy devices did not commit completed writes to persistent device backend storage when VIRTIO_BLK_F_FLUSH was offered but not negotiated. In order to work around this, the driver MAY set the writeback to 0 (if available) or it MAY send an explicit flush request after every completed write.
If the device has VIRTIO_BLK_F_SCSI feature, it can also support scsi packet command requests, each of these requests is of form:
A request type can also be a scsi packet command (VIRTIO_BLK_T_SCSI_CMD or VIRTIO_BLK_T_SCSI_CMD_OUT). The two types are equivalent, the device does not distinguish between them:
The cmd field is only present for scsi packet command requests, and indicates the command to perform. This field MUST reside in a single, separate device-readable buffer; command length can be derived from the length of this buffer.
Note that these first three (four for scsi packet commands) fields are always device-readable: data is either device-readable or device-writable, depending on the request. The size of the read or write can be derived from the total size of the request buffers.
sense is only present for scsi packet command requests, and indicates the buffer for scsi sense data.
data_len is only present for scsi packet command requests, this field is deprecated, and SHOULD be ignored by the driver. Historically, devices copied data length there.
sense_len is only present for scsi packet command requests and indicates the number of bytes actually written to the sense buffer.
residual field is only present for scsi packet command requests and indicates the residual size, calculated as data length - number of bytes actually transferred.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT:
See 2.7.4.
The virtio console device is a simple device for data input and output. A device MAY have one or more ports. Each port has a pair of input and output virtqueues. Moreover, a device has a pair of control IO virtqueues. The control virtqueues are used to communicate information between the device and the driver about ports being opened and closed on either side of the connection, indication from the device about whether a particular port is a console port, adding new ports, port hot-plug/unplug, etc., and indication from the driver about whether a port or a device was successfully added, port open/close, etc. For data IO, one or more empty buffers are placed in the receive queue for incoming data and outgoing characters are placed in the transmit queue.
The port 0 receive and transmit queues always exist: other queues only exist if VIRTIO_CONSOLE_F_MULTIPORT is set.
The size of the console is supplied in the configuration space if the VIRTIO_CONSOLE_F_SIZE feature is set. Furthermore, if the VIRTIO_CONSOLE_F_MULTIPORT feature is set, the maximum number of ports supported by the device can be fetched.
If VIRTIO_CONSOLE_F_EMERG_WRITE is set then the driver can use emergency write to output a single character without initializing virtio queues, or even acknowledging the feature.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_console_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
The device MUST allow a write to emerg_wr, even on an unconfigured device.
The device SHOULD transmit the lower byte written to emerg_wr to an appropriate log or output method.
The driver MUST NOT put a device-readable buffer in a receiveq. The driver MUST NOT put a device-writable buffer in a transmitq.
If the driver negotiated the VIRTIO_CONSOLE_F_MULTIPORT, the two control queues are used to manipulate the different console ports: the control receiveq for messages from the device to the driver, and the control sendq for driver-to-device messages. The layout of the control messages is:
The values for event are:
The device MUST NOT specify a port in VIRTIO_CONSOLE_DEVICE_REMOVE which has not been created with a previous VIRTIO_CONSOLE_DEVICE_ADD.
Upon receipt of a VIRTIO_CONSOLE_CONSOLE_PORT message, the driver SHOULD treat the port in a manner suitable for text console access and MUST respond with a VIRTIO_CONSOLE_PORT_OPEN message, which MUST have value set to 1.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_console_control according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
When using the legacy interface, the driver SHOULD ignore the used length values for the transmit queues and the control transmitq. Note: Historically, some devices put the total descriptor length there, even though no data was actually written.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST use only a single descriptor for all buffers in the control receiveq and control transmitq.
The virtio entropy device supplies high-quality randomness for guest use.
When the driver requires random bytes, it places the descriptor of one or more buffers in the queue. It will be completely filled by random data by the device.
The driver MUST NOT place device-readable buffers into the queue.
The driver MUST examine the length written by the device to determine how many random bytes were received.
The device MUST place one or more random bytes into the buffer, but it MAY use less than the entire buffer length.
This is the traditional balloon device. The device number 13 is reserved for a new memory balloon interface, with different semantics, which is expected in a future version of the standard.
The traditional virtio memory balloon device is a primitive device for managing guest memory: the device asks for a certain amount of memory, and the driver supplies it (or withdraws it, if the device has more than it asks for). This allows the guest to adapt to changes in allowance of underlying physical memory. If the feature is negotiated, the device can also be used to communicate guest memory statistics to the host.
statsq only exists if VIRTIO_BALLOON_F_STATS_VQ is set.
free_page_vq only exists if VIRTIO_BALLOON_F_FREE_PAGE_HINT is set.
reporting_vq only exists if VIRTIO_BALLOON_F_PAGE_REPORTING is set.
The driver SHOULD accept the VIRTIO_BALLOON_F_MUST_TELL_HOST feature if offered by the device.
The driver SHOULD clear the VIRTIO_BALLOON_F_PAGE_POISON flag if it will not immediately write poison_val to deflated pages (e.g., to initialize them, or fill them with a poison value).
If the driver is expecting the pages to retain some initialized value, it MUST NOT accept VIRTIO_BALLOON_F_PAGE_REPORTING unless it also negotiates VIRTIO_BALLOON_F_PAGE_POISON.
If the device offers the VIRTIO_BALLOON_F_MUST_TELL_HOST feature bit, and if the driver did not accept this feature bit, the device MAY signal failure by failing to set FEATURES_OK device status bit when the driver writes it.
num_pages and actual are always available.
free_page_hint_cmd_id is available if VIRTIO_BALLOON_F_FREE_PAGE_HINT has been negotiated. The field is read-only by the driver. poison_val is available if VIRTIO_BALLOON_F_PAGE_POISON has been negotiated.
The device initialization process is outlined below:
The device is driven either by the receipt of a configuration change notification, or by changing guest memory needs, such as performing memory compaction or responding to out of memory conditions.
The driver SHOULD supply pages to the balloon when num_pages is greater than the actual number of pages in the balloon.
The driver MAY use pages from the balloon when num_pages is less than the actual number of pages in the balloon.
The driver MAY supply pages to the balloon when num_pages is greater than or equal to the actual number of pages in the balloon.
If VIRTIO_BALLOON_F_DEFLATE_ON_OOM has not been negotiated, the driver MUST NOT use pages from the balloon when num_pages is less than or equal to the actual number of pages in the balloon.
If VIRTIO_BALLOON_F_DEFLATE_ON_OOM has been negotiated, the driver MAY use pages from the balloon when num_pages is less than or equal to the actual number of pages in the balloon if this is required for system stability (e.g. if memory is required by applications running within the guest).
The driver MUST use the deflateq to inform the device of pages that it wants to use from the balloon.
If the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is negotiated, the driver MUST NOT use pages from the balloon until the device has acknowledged the deflate request.
Otherwise, if the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is not negotiated, the driver MAY begin to re-use pages previously given to the balloon before the device has acknowledged the deflate request.
In any case, the driver MUST NOT use pages from the balloon after adding the pages to the balloon, but before the device has acknowledged the inflate request.
The driver MUST NOT request deflation of pages in the balloon before the device has acknowledged the inflate request.
The driver MUST update actual after changing the number of pages in the balloon.
The driver MAY update actual once after multiple inflate and deflate operations.
The device MAY modify the contents of a page in the balloon after detecting its physical number in an inflate request and before acknowledging the inflate request by using the inflateq descriptor.
If the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is negotiated, the device MAY modify the contents of a page in the balloon after detecting its physical number in an inflate request and before detecting its physical number in a deflate request and acknowledging the deflate request.
When using the legacy interface, the driver MUST write out all 4 bytes each time it updates the actual value in the configuration space, using a single atomic operation.
When using the legacy interface, the device SHOULD NOT use the actual value written by the driver in the configuration space, until the last, most-significant byte of the value has been written. Note: Historically, devices used the actual value, even though when using Virtio Over PCI Bus the device-specific configuration space was not guaranteed to be atomic. Using intermediate values during update by driver is best avoided, except for debugging.
Historically, drivers using Virtio Over PCI Bus wrote the actual value by using multiple single-byte writes in order, from the least-significant to the most-significant value.
The stats virtqueue is atypical because communication is driven by the device (not the driver). The channel becomes active at driver initialization time when the driver adds an empty buffer and notifies the device. A request for memory statistics proceeds as follows:
Within the buffer, statistics are an array of 10-byte entries. Each statistic consists of a 16 bit tag and a 64 bit value. All statistics are optional and the driver chooses which ones to supply. To guarantee backwards compatibility, devices omit unsupported statistics.
The driver MUST make at most one buffer available to the device in the statsq, at all times.
After initializing the device, the driver MUST make an output buffer available in the statsq.
Upon detecting that device has used a buffer in the statsq, the driver MUST make an output buffer available in the statsq.
Before making an output buffer available in the statsq, the driver MUST initialize it, including one struct virtio_balloon_stat entry for each statistic that it supports.
Driver MUST use an output buffer size which is a multiple of 6 bytes for all buffers submitted to the statsq.
Driver MAY supply struct virtio_balloon_stat entries in the output buffer submitted to the statsq in any order, without regard to tag values.
Driver MAY supply a subset of all statistics in the output buffer submitted to the statsq.
Driver MUST supply the same subset of statistics in all buffers submitted to the statsq.
Within an output buffer submitted to the statsq, the device MUST ignore entries with tag values that it does not recognize.
Within an output buffer submitted to the statsq, the device MUST accept struct virtio_balloon_stat entries in any order without regard to tag values.
When using the legacy interface, the device SHOULD ignore all values in the first buffer in the statsq supplied by the driver after device initialization. Note: Historically, drivers supplied an uninitialized buffer in the first buffer.
Free page hinting is designed to be used during migration to determine what pages within the guest are currently unused so that they can be skipped over while migrating the guest. The device will indicate that it is ready to start performing hinting by setting the free_page_hint_cmd_id to one of the non-reserved values that can be used as a command ID. The following values are reserved:
When a hint is provided by the driver it indicates that the data contained in the given page is no longer needed and can be discarded. If the driver writes to the page this overrides the hint and the data will be retained. The contents of any stale pages that have not been written to since the page was hinted may be lost, and if read the contents of such pages will be uninitialized memory.
A request for free page hinting proceeds as follows:
The driver MUST use an output buffer size of 4 bytes for all output buffers submitted to the free_page_vq.
The driver MUST start hinting by providing an output buffer containing the current command ID for the given block of pages.
The driver MUST NOT provide more than one output buffer containing the current command ID.
The driver SHOULD supply pages to the free_page_vq as input buffers when free_page_hint_cmd_id specifies a value of 2 or greater.
The driver SHOULD stop supplying pages for hinting when free_page_hint_cmd_id specifies a value of VIRTIO_BALLOON_CMD_ID_STOP or VIRTIO_BALLOON_CMD_ID_DONE.
If the driver is unable to supply pages, it MUST complete hinting by adding an output buffer containing the command ID VIRTIO_BALLOON_CMD_ID_STOP.
The driver MAY release hinted pages for use by the guest including when the device has not yet used the descriptor containing the hinting request.
The driver MUST treat the content of all hinted pages as uninitialized memory.
The driver MUST initialize the contents of any previously hinted page released before free_page_hint_cmd_id specifies a value of VIRTIO_BALLOON_CMD_ID_DONE.
The driver SHOULD release all previously hinted pages once free_page_hint_cmd_id specifies a value of VIRTIO_BALLOON_CMD_ID_DONE.
The device SHOULD set free_page_hint_cmd_id to VIRTIO_BALLOON_CMD_ID_STOP any time that it will not be able to make use of the hints provided by the driver.
The device MUST NOT reuse a command ID until it has received an output buffer containing VIRTIO_BALLOON_CMD_ID_STOP from the driver.
The device MUST ignore pages that are provided with a command ID that does not match the current value in free_page_hint_cmd_id.
If the content of a previously hinted page has not been modified by the guest since the device issued the free_page_hint_cmd_id associated with the hint, the device MAY modify the contents of the page.
The device MUST NOT modify the content of a previously hinted page after free_page_hint_cmd_id is set to VIRTIO_BALLOON_CMD_ID_DONE.
The device MUST report a value of VIRTIO_BALLOON_CMD_ID_DONE in free_page_hint_cmd_id when it no longer has need for the previously hinted pages.
Page Poison provides a way to notify the host that the guest is initializing free pages with poison_val. When the feature is enabled, pages will be immediately written to by the driver after deflating, and pages reported by free page reporting will retain the value indicated by poison_val.
If the guest is not initializing freed pages, the driver should reject the VIRTIO_BALLOON_F_PAGE_POISON feature.
If VIRTIO_BALLOON_F_PAGE_POISON feature has been negotiated, the driver will place the initialization value into the poison_val configuration field data.
The driver MUST initialize the deflated pages with poison_val when they are reused by the driver.
The driver MUST populate the poison_val configuration data before setting the DRIVER_OK bit.
The driver MUST NOT modify poison_val while the DRIVER_OK bit is set.
The device MAY use the content of poison_val as a hint to guest behavior.
Free Page Reporting provides a mechanism similar to balloon inflation, however it does not provide a deflation queue. Reported free pages can be reused by the driver after the reporting request has been acknowledged without notifying the device.
The driver will begin reporting free pages. When exactly and which free pages are reported is up to the driver.
If the VIRTIO_BALLOON_F_PAGE_POISON feature has not been negotiated, then the driver MUST treat all reported pages as uninitialized memory.
If the VIRTIO_BALLOON_F_PAGE_POISON feature has been negotiated, the driver MUST initialize all free pages with poison_val before reporting them.
The driver MUST NOT use the reported pages until the device has acknowledged the reporting request.
The driver MAY report free pages any time after DRIVER_OK is set.
The driver SHOULD attempt to report large pages rather than smaller ones.
The driver SHOULD avoid reading/writing reported pages if not strictly necessary.
If the VIRTIO_BALLOON_F_PAGE_POISON feature has not been negotiated, the device MAY modify the contents of any page supplied in a report request before acknowledging that request by using the reporting_vq descriptor.
If the VIRTIO_BALLOON_F_PAGE_POISON feature has been negotiated, the device MUST NOT modify the the content of a reported page to a value other than poison_val.
The virtio SCSI host device groups together one or more virtual logical units (such as disks), and allows communicating to them using the SCSI protocol. An instance of the device represents a SCSI host to which many targets and LUNs are attached.
The virtio SCSI device services two kinds of requests:
The device is also able to send out notifications about added and removed logical units. Together, these capabilities provide a SCSI transport protocol that uses virtqueues as the transfer medium. In the transport protocol, the virtio driver acts as the initiator, while the virtio SCSI host provides one or more targets that receive and process the requests.
This section relies on definitions from SAM.
All fields of this configuration are always available.
The driver MUST NOT write to device configuration fields other than sense_size and cdb_size.
The driver MUST NOT send more than cmd_per_lun linked commands to one LUN, and MUST NOT send more than the virtqueue size number of linked commands to one LUN.
On reset, the device MUST set sense_size to 96 and cdb_size to 32.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_scsi_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
On initialization the driver SHOULD first discover the device’s virtqueues.
If the driver uses the eventq, the driver SHOULD place at least one buffer in the eventq.
The driver MAY immediately issue requests16 or task management functions17.
Device operation consists of operating request queues, the control queue and the event queue.
The driver queues requests to an arbitrary request queue, and they are used by the device on that same queue. It is the responsibility of the driver to ensure strict request ordering for commands placed on different queues, because they will be consumed with no order constraints.
Requests have the following format:
lun addresses the REPORT LUNS well-known logical unit, or a target and logical unit in the virtio-scsi device’s SCSI domain. When used to address the REPORT LUNS logical unit, lun is 0xC1, 0x01 and six zero bytes. The virtio-scsi device SHOULD implement the REPORT LUNS well-known logical unit.
When used to address a target and logical unit, the only supported format for lun is: first byte set to 1, second byte set to target, third and fourth byte representing a single level LUN structure, followed by four zero bytes. With this representation, a virtio-scsi device can serve up to 256 targets and 16384 LUNs per target. The device MAY also support having a well-known logical units in the third and fourth byte.
id is the command identifier (“tag”).
task_attr defines the task attribute as in the table above, but all task attributes MAY be mapped to SIMPLE by the device. Some commands are defined by SCSI standards as "implicit head of queue"; for such commands, all task attributes MAY also be mapped to HEAD OF QUEUE. Drivers and applications SHOULD NOT send a command with the ORDERED task attribute if the command has an implicit HEAD OF QUEUE attribute, because whether the ORDERED task attribute is honored is vendor-specific.
crn may also be provided by clients, but is generally expected to be 0. The maximum CRN value defined by the protocol is 255, since CRN is stored in an 8-bit integer.
The CDB is included in cdb and its size, cdb_size, is taken from the configuration space.
All of these fields are defined in SAM and are always device-readable.
pi_bytesout determines the size of the pi_out field in bytes. If it is nonzero, the pi_out field contains outgoing protection information for write operations. pi_bytesin determines the size of the pi_in field in the device-writable section, in bytes. All three fields are only present if VIRTIO_SCSI_F_T10_PI has been negotiated.
The remainder of the device-readable part is the data output buffer, dataout.
sense and subsequent fields are always device-writable. sense_len indicates the number of bytes actually written to the sense buffer.
residual indicates the residual size, calculated as “data_length - number_of_transferred_bytes”, for read or write operations. For bidirectional commands, the number_of_transferred_bytes includes both read and written bytes. A residual that is less than the size of datain means that dataout was processed entirely. A residual that exceeds the size of datain means that dataout was processed partially and datain was not processed at all.
If the pi_bytesin is nonzero, the pi_in field contains incoming protection information for read operations. pi_in is only present if VIRTIO_SCSI_F_T10_PI has been negotiated18.
The remainder of the device-writable part is the data input buffer, datain.
The device MUST write the response byte as one of the following:
All commands must be completed before the virtio-scsi device is reset or unplugged. The device MAY choose to abort them, or if it does not do so MUST pick the VIRTIO_SCSI_S_FAILURE response.
Upon receiving a VIRTIO_SCSI_S_TARGET_FAILURE response, the driver SHOULD NOT retry the request on other paths.
The controlq is used for other SCSI transport operations. Requests have the following format:
The type identifies the remaining fields.
The following commands are defined:
The type is VIRTIO_SCSI_T_TMF; subtype defines which task management function. All fields except response are filled by the driver.
Other fields which are irrelevant for the requested TMF are ignored but they are still present. lun is in the same format specified for request queues; the single level LUN is ignored when the task management function addresses a whole I_T nexus. When relevant, the value of id is matched against the id values passed on the requestq.
The outcome of the task management function is written by the device in response. The command-specific response values map 1-to-1 with those defined in SAM.
Task management function can affect the response value for commands that are in the request queue and have not been completed yet. For example, the device MUST complete all active commands on a logical unit or target (possibly with a VIRTIO_SCSI_S_RESET response code) upon receiving a "logical unit reset" or "I_T nexus reset" TMF. Similarly, the device MUST complete the selected commands (possibly with a VIRTIO_SCSI_S_ABORTED response code) upon receiving an "abort task" or "abort task set" TMF. Such effects MUST take place before the TMF itself is successfully completed, and the device MUST use memory barriers appropriately in order to ensure that the driver sees these writes in the correct order.
By sending this command, the driver asks the device which events the given LUN can report, as described in paragraphs 6.6 and A.6 of SCSI MMC. The driver writes the events it is interested in into event_requested; the device responds by writing the events that it supports into event_actual.
The type is VIRTIO_SCSI_T_AN_QUERY. lun and event_requested are written by the driver. event_actual and response fields are written by the device.
No command-specific values are defined for the response byte.
By sending this command, the driver asks the specified LUN to report events for its physical interface, again as described in SCSI MMC. The driver writes the events it is interested in into event_requested; the device responds by writing the events that it supports into event_actual.
Event types are the same as for the asynchronous notification query message.
The type is VIRTIO_SCSI_T_AN_SUBSCRIBE. lun and event_requested are written by the driver. event_actual and response are written by the device.
No command-specific values are defined for the response byte.
The eventq is populated by the driver for the device to report information on logical units that are attached to it. In general, the device will not queue events to cope with an empty eventq, and will end up dropping events if it finds no buffer ready. However, when reporting events for many LUNs (e.g. when a whole target disappears), the device can throttle events to avoid dropping them. For this reason, placing 10-15 buffers on the event queue is sufficient.
Buffers returned by the device on the eventq will be referred to as “events” in the rest of this section. Events have the following format:
The devices sets bit 31 in event to report lost events due to missing buffers.
The meaning of reason depends on the contents of event. The following events are defined:
This event is fired in the following cases:
By sending this event, the device signals that a logical unit on a target has been reset, including the case of a new device appearing or disappearing on the bus. The device fills in all fields. event is set to VIRTIO_SCSI_T_TRANSPORT_RESET. lun addresses a logical unit in the SCSI host.
The reason value is one of the three #define values appearing above:
The “removed” and “rescan” events can happen when VIRTIO_SCSI_F_HOTPLUG feature was negotiated; when sent for LUN 0, they MAY apply to the entire target so the driver can ask the initiator to rescan the target to detect this.
Events will also be reported via sense codes (this obviously does not apply to newly appeared buses or targets, since the application has never discovered them):
The preferred way to detect transport reset is always to use events, because sense codes are only seen by the driver when it sends a SCSI command to the logical unit or target. However, in case events are dropped, the initiator will still be able to synchronize with the actual state of the controller if the driver asks the initiator to rescan of the SCSI bus. During the rescan, the initiator will be able to observe the above sense codes, and it will process them as if it the driver had received the equivalent event.
By sending this event, the device signals that an asynchronous event was fired from a physical interface.
All fields are written by the device. event is set to VIRTIO_SCSI_T_ASYNC_NOTIFY. lun addresses a logical unit in the SCSI host. reason is a subset of the events that the driver has subscribed to via the “Asynchronous notification subscription” command.
By sending this event, the device signals a change in the configuration parameters of a logical unit, for example the capacity or cache mode. event is set to VIRTIO_SCSI_T_PARAM_CHANGE. lun addresses a logical unit in the SCSI host.
The same event SHOULD also be reported as a unit attention condition. reason contains the additional sense code and additional sense code qualifier, respectively in bits 0…7 and 8…15. Note: For example, a change in capacity will be reported as asc 0x2a, ascq 0x09 (CAPACITY DATA HAS CHANGED).
For MMC devices (inquiry type 5) there would be some overlap between this event and the asynchronous notification event, so for simplicity the host never reports this event for MMC devices.
If event has bit 31 set, the driver SHOULD poll the logical units for unit attention conditions, and/or do whatever form of bus scan is appropriate for the guest operating system and SHOULD poll for asynchronous events manually using SCSI commands.
When receiving a VIRTIO_SCSI_T_TRANSPORT_RESET message with reason set to VIRTIO_SCSI_EVT_RESET_REMOVED or VIRTIO_SCSI_EVT_RESET_RESCAN for LUN 0, the driver SHOULD ask the initiator to rescan the target, in order to detect the case when an entire target has appeared or disappeared.
The device MUST NOT send VIRTIO_SCSI_T_TRANSPORT_RESET messages with reason set to VIRTIO_SCSI_EVT_RESET_REMOVED or VIRTIO_SCSI_EVT_RESET_RESCAN unless VIRTIO_SCSI_F_HOTPLUG was negotiated.
The device MUST NOT report VIRTIO_SCSI_T_PARAM_CHANGE for MMC devices.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST use a single descriptor for the lun, id, task_attr, prio, crn and cdb fields, and MUST only use a single descriptor for the sense_len, residual, status_qualifier, status, response and sense fields.
virtio-gpu is a virtio based graphics adapter. It can operate in 2D mode and in 3D mode. 3D mode will offload rendering ops to the host gpu and therefore requires a gpu with 3D support on the host machine.
In 2D mode the virtio-gpu device provides support for ARGB Hardware cursors and multiple scanouts (aka heads).
Both queues have the same format. Each request and each response have a fixed header, followed by command specific data fields. The separate cursor queue is the "fast track" for cursor commands (VIRTIO_GPU_CMD_UPDATE_CURSOR and VIRTIO_GPU_CMD_MOVE_CURSOR), so they go through without being delayed by time-consuming commands in the control queue.
GPU device configuration uses the following layout structure and definitions:
The driver SHOULD query the display information from the device using the VIRTIO_GPU_CMD_GET_DISPLAY_INFO command and use that information for the initial scanout setup. In case EDID support is negotiated (VIRTIO_GPU_F_EDID feature flag) the device SHOULD also fetch the EDID information using the VIRTIO_GPU_CMD_GET_EDID command. If no information is available or all displays are disabled the driver MAY choose to use a fallback, such as 1024x768 at display 0.
The driver SHOULD query all shared memory regions supported by the device. If the device supports shared memory, the shmid of a region MUST (see 2.10 Shared Memory Regions) be one of the following:
The shared memory region with VIRTIO_GPU_SHM_ID_HOST_VISIBLE is referred as the "host visible memory region". The device MUST support the VIRTIO_GPU_CMD_RESOURCE_MAP_BLOB and VIRTIO_GPU_CMD_RESOURCE_UNMAP_BLOB if the host visible memory region is available.
The virtio-gpu is based around the concept of resources private to the host. The guest must DMA transfer into these resources, unless shared memory regions are supported. This is a design requirement in order to interface with future 3D rendering. In the unaccelerated 2D mode there is no support for DMA transfers from resources, just to them.
Resources are initially simple 2D resources, consisting of a width, height and format along with an identifier. The guest must then attach backing store to the resources in order for DMA transfers to work. This is like a GART in a real GPU.
It is possible to create multiple framebuffers, flip between them using VIRTIO_GPU_CMD_SET_SCANOUT and VIRTIO_GPU_CMD_RESOURCE_FLUSH, and update the invisible framebuffer using VIRTIO_GPU_CMD_TRANSFER_TO_HOST_2D.
In case two or more displays are present there are different ways to configure things:
The device MAY process controlq commands asyncronously and return them to the driver before the processing is complete. If the driver needs to know when the processing is finished it can set the VIRTIO_GPU_FLAG_FENCE flag in the request. The device MUST finish the processing before returning the command then.
Note: current qemu implementation does asyncrounous processing only in 3d mode, when offloading the processing to the host gpu.
The mouse cursor image is a normal resource, except that it must be 64x64 in size. The driver MUST create and populate the resource (using the usual VIRTIO_GPU_CMD_RESOURCE_CREATE_2D, VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING and VIRTIO_GPU_CMD_TRANSFER_TO_HOST_2D controlq commands) and make sure they are completed (using VIRTIO_GPU_FLAG_FENCE).
Then VIRTIO_GPU_CMD_UPDATE_CURSOR can be sent to the cursorq to set the pointer shape and position. To move the pointer without updating the shape use VIRTIO_GPU_CMD_MOVE_CURSOR instead.
All requests and responses on the virt queues have a fixed header using the following layout structure and definitions:
The fixed header struct virtio_gpu_ctrl_hdr in each request includes the following fields:
On success the device will return VIRTIO_GPU_RESP_OK_NODATA in case there is no payload. Otherwise the type field will indicate the kind of payload.
On error the device will return one of the VIRTIO_GPU_RESP_ERR_* error codes.
For any coordinates given 0,0 is top left, larger x moves right, larger y moves down.
The response contains a list of per-scanout information. The info contains whether the scanout is enabled and what its preferred position and size is.
The size (fields width and height) is similar to the native panel resolution in EDID display information, except that in the virtual machine case the size can change when the host window representing the guest display is gets resized.
The position (fields x and y) describe how the displays are arranged (i.e. which is – for example – the left display).
The enabled field is set when the user enabled the display. It is roughly the same as the connected state of a phyiscal display connector.
The response contains the EDID display data blob (as specified by VESA) for the scanout.
This creates a 2D resource on the host with the specified width, height and format. The resource ids are generated by the guest.
This informs the host that a resource is no longer required by the guest.
This sets the scanout parameters for a single scanout. The resource_id is the resource to be scanned out from, along with a rectangle.
Scanout rectangles must be completely covered by the underlying resource. Overlapping (or identical) scanouts are allowed, typical use case is screen mirroring.
The driver can use resource_id = 0 to disable a scanout.
This flushes a resource to screen. It takes a rectangle and a resource id, and flushes any scanouts the resource is being used on.
This takes a resource id along with an destination offset into the resource, and a box to transfer to the host backing for the resource.
This assign an array of guest pages as the backing store for a resource. These pages are then used for the transfer operations for that resource from that point on.
This detaches any backing pages from a resource, to be used in case of guest swapping or object destruction.
On success, struct virtio_gpu_resp_capset_info contains the capset_id, capset_max_version, capset_max_size associated with capset at the specified capset_idex. fieldcapset_id MUST be one of the following (see listing for values):
The response contains a UUID which identifies the exported object created from the host private resource. Note that if the resource has an attached backing, modifications made to the host private resource through the exported object by other devices are not visible in the attached backing until they are transferred into the backing.
A blob resource is a container for:
The memory properties of the blob resource MUST be described by blob_mem, which MUST be non-zero.
For default and guest-only blob resources, nr_entries guest memory entries may be assigned to the resource. For default blob resources (i.e, when blob_mem is VIRTIO_GPU_BLOB_MEM_HOST3D_GUEST), these memory entries are used as a shadow buffer for the host memory. To facilitate drivers that support swap-in and swap-out, nr_entries may be zero and VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING may be subsequently used. VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING may be used to unassign memory entries.
blob_mem can only be VIRTIO_GPU_BLOB_MEM_HOST3D and VIRTIO_GPU_BLOB_MEM_HOST3D_GUEST if VIRTIO_GPU_F_VIRGL is supported. VIRTIO_GPU_BLOB_MEM_GUEST is valid regardless whether VIRTIO_GPU_F_VIRGL is supported or not.
For VIRTIO_GPU_BLOB_MEM_HOST3D and VIRTIO_GPU_BLOB_MEM_HOST3D_GUEST, the virtio-gpu resource MUST be created from the rendering context local object identified by the blob_id. The actual allocation is done via VIRTIO_GPU_CMD_SUBMIT_3D.
The driver MUST inform the device if the blob resource is used for memory access, sharing between driver instances and/or sharing with other devices. This is done via the blob_flags field.
If VIRTIO_GPU_F_VIRGL is set, both VIRTIO_GPU_CMD_TRANSFER_TO_HOST_3D and VIRTIO_GPU_CMD_TRANSFER_FROM_HOST_3D may be used to update the resource. There is no restriction on the image/buffer view the driver has on the blob resource.
The rectangle r represents the portion of the blob resource being displayed. The rest is the metadata associated with the blob resource. The format MUST be one of enum virtio_gpu_formats. The format MAY be compressed with header and data planes.
These commands are supported by the device if the VIRTIO_GPU_F_VIRGL feature flag is set.
The implementation MUST create a context for the given ctx_id in the hdr. For debugging purposes, a debug_name and it’s length nlen is provided by the driver. If VIRTIO_GPU_F_CONTEXT_INIT is supported, then lower 8 bits of context_init MAY contain the capset_id associated with context. In that case, then the device MUST create a context that can handle the specified command stream.
If the lower 8-bits of the context_init are zero, then the type of the context is determined by the device.
Both cursorq commands use the same command struct.
Full cursor update. Cursor will be loaded from the specified resource_id and will be moved to pos. The driver must transfer the cursor into the resource beforehand (using control queue commands) and make sure the commands to fill the resource are actually processed (using fencing).
Move cursor to the place specified in pos. The other fields are not used and will be ignored by the device.
Applies to Virtio Over PCI only. The GPU device can come with and without VGA compatibility. The PCI class should be DISPLAY_VGA if VGA compatibility is present and DISPLAY_OTHER otherwise.
VGA compatibility: PCI region 0 has the linear framebuffer, standard vga registers are present. Configuring a scanout (VIRTIO_GPU_CMD_SET_SCANOUT) switches the device from vga compatibility mode into native virtio mode. A reset switches it back into vga compatibility mode.
Note: qemu implementation also provides bochs dispi interface io ports and mmio bar at pci region 1 and is therefore fully compatible with the qemu stdvga (see docs/specs/standard-vga.txt in the qemu source tree).
The virtio input device can be used to create virtual human interface devices such as keyboards, mice and tablets. An instance of the virtio device represents one such input device. Device behavior mirrors that of the evdev layer in Linux, making pass-through implementations on top of evdev easy.
This specification defines how evdev events are transported over virtio and how the set of supported events is discovered by a driver. It does not, however, define the semantics of input events as this is dependent on the particular evdev implementation. For the list of events used by Linux input devices, see include/uapi/linux/input-event-codes.h in the Linux source tree.
Device configuration holds all information the guest needs to handle the device, most importantly the events which are supported.
To query a specific piece of information the driver sets select and subsel accordingly, then checks size to see how much information is available. size can be zero if no information is available. Strings do not include a NUL terminator. Related evdev ioctl names are provided for reference.
Similar to EVIOCGNAME ioctl for Linux evdev devices.
Similar to EVIOCGID ioctl for Linux evdev devices.
Similar to EVIOCGPROP ioctl for Linux evdev devices.
Similar to EVIOCGBIT ioctl for Linux evdev devices.
Similar to EVIOCGABS ioctl for Linux evdev devices.
A driver MUST set both select and subsel when querying device configuration, in any order.
A driver MUST NOT write to configuration fields other than select and subsel.
A driver SHOULD check the size field before accessing the configuration information.
A device MUST set the size field to zero if it doesn’t support a given select and subsel combination.
A driver SHOULD keep the eventq populated with buffers. These buffers MUST be device-writable and MUST be at least the size of struct virtio_input_event.
Buffers placed into the statusq by a driver MUST be at least the size of struct virtio_input_event.
A driver SHOULD ignore eventq input events it does not recognize. Note that evdev devices generally maintain backward compatibility by sending redundant events and relying on the consuming side using only the events it understands and ignoring the rest.
A device MAY drop input events if the eventq does not have enough available buffers. It SHOULD NOT drop individual input events if they are part of a sequence forming one input device update. For example, a pointing device update typically consists of several input events, one for each axis, and a terminating EV_SYN event. A device SHOULD either buffer or drop the entire sequence.
The virtio crypto device is a virtual cryptography device as well as a virtual cryptographic accelerator. The virtio crypto device provides the following crypto services: CIPHER, MAC, HASH, and AEAD. Virtio crypto devices have a single control queue and at least one data queue. Crypto operation requests are placed into a data queue, and serviced by the device. Some crypto operation requests are only valid in the context of a session. The role of the control queue is facilitating control operation requests. Sessions management is realized with control operation requests.
Some crypto feature bits require other crypto feature bits (see 2.2.1):
The following crypto services are defined:
The above constants designate bits used to indicate the which of crypto services are offered by the device as described in, see 5.9.5.
The following CIPHER algorithms are defined:
The above constants have two usages:
The following HASH algorithms are defined:
The above constants have two usages:
The following MAC algorithms are defined:
The above constants have two usages:
The following AEAD algorithms are defined:
The above constants have two usages:
Crypto device configuration uses the following layout structure:
The operation of a virtio crypto device is driven by requests placed on the virtqueues. Requests consist of a queue-type specific header (specifying among others the operation) and an operation specific payload.
If VIRTIO_CRYPTO_F_REVISION_1 is negotiated the device may support both session mode (See 5.9.7.2.1) and stateless mode operation requests. In stateless mode all operation parameters are supplied as a part of each request, while in session mode, some or all operation parameters are managed within the session. Stateless mode is guarded by feature bits 0-4 on a service level. If stateless mode is negotiated for a service, the service accepts both session mode and stateless requests; otherwise stateless mode requests are rejected (via operation status).
The device MUST return a status code as part of the operation (both session operation and service operation) result. The valid operation status as follows:
The driver uses the control virtqueue to send control commands to the device, such as session operations (See 5.9.7.2.1).
The header for controlq is of the following form:
The controlq request is composed of four parts:
header is a general header (see above).
op_flf is the opcode (in header) specific fixed-length paramenters.
flf_len depends on the VIRTIO_CRYPTO_F_REVISION_1 feature bit (see below).
op_vlf is the opcode (in header) specific variable-length paramenters.
vlf_len is the size of the specific structure used. Note: The vlf_len of session-destroy operation and the hash-session-create operation is ZERO.
op_outcome stores the result of operation and must be struct virtio_crypto_destroy_session_input for destroy session or struct virtio_crypto_create_session_input for create session.
outcome_len is the size of the structure used.
The following structure stores the result of session creation set by the device:
A request to destroy a session includes the following information:
The length of auth_key is specified in auth_key_len in the struct virtio_crypto_mac_create_session_flf.
The fixed-length and the variable-length parameters of CIPHER session requests are as follows:
The length of cipher_key is specified in key_len in the struct virtio_crypto_cipher_session_flf.
The fixed-length and the variable-length parameters of Chain session requests are as follows:
hash_mode decides the type used by algo_flf.
algo_flf is fixed to 16 bytes and MUST contains or be one of the following types:
The data of unused part (if has) in algo_flf will be ignored.
The length of cipher_key is specified in key_len in cipher_hdr.
The length of auth_key is specified in auth_key_len in struct virtio_crypto_mac_create_session_flf.
The fixed-length parameters of Symmetric session requests are as follows:
op_flf is fixed to 48 bytes, MUST contains or be one of the following types:
The data of unused part (if has) in op_flf will be ignored.
op_type decides the type used by op_flf.
The variable-length parameters of Symmetric session requests are as follows:
op_vlf MUST contains or be one of the following types:
op_type in struct virtio_crypto_sym_create_session_flf decides the type used by op_vlf.
vlf_len is the size of the specific structure used.
The length of key is specified in key_len in struct virtio_crypto_aead_create_session_flf.
The driver uses the data virtqueues to transmit crypto operation requests to the device, and completes the crypto operations.
The header for dataq is as follows:
If VIRTIO_CRYPTO_F_REVISION_1 is negotiated
but VIRTIO_CRYPTO_F_
The dataq request is composed of four parts:
header is a general header (see above).
op_flf is the opcode (in header) specific header.
flf_len depends on the VIRTIO_CRYPTO_F_REVISION_1 feature bit (see below).
op_vlf is the opcode (in header) specific parameters.
vlf_len is the size of the specific structure used.
inhdr is a unified input header that used to return the status of the operations, is defined as follows:
Session mode HASH service requests are as follows:
Each data request uses the virtio_crypto_hash_data_flf structure and the virtio_crypto_hash_data_vlf structure to store information used to run the HASH operations.
src_data is the source data that will be processed. src_data_len is the length of source data. hash_result is the result data and hash_result_len is the length of it.
Stateless mode HASH service requests are as follows:
Session mode MAC service requests are as follows:
Each request uses the virtio_crypto_mac_data_flf structure and the virtio_crypto_mac_data_vlf structure to store information used to run the MAC operations.
src_data is the source data that will be processed. src_data_len is the length of source data. hash_result is the result data and hash_result_len is the length of it.
Stateless mode MAC service requests are as follows:
auth_key is the authenticated key that will be used during the process. auth_key_len is the length of the key.
Session mode CIPHER service requests are as follows:
Session mode requests of algorithm chaining are as follows:
Session mode requests of symmetric algorithm are as follows:
Each request uses the virtio_crypto_sym_data_flf structure and the virtio_crypto_sym_data_flf structure to store information used to run the CIPHER operations.
op_type_flf is the op_type specific header, it MUST starts with or be one of the following structures:
The length of op_type_flf is fixed to 40 bytes, the data of unused part (if has) will be ingored.
op_type_vlf is the op_type specific parameters, it MUST starts with or be one of the following structures:
sym_para_len is the size of the specific structure used.
Stateless mode CIPHER service requests are as follows:
Stateless mode requests of algorithm chaining are as follows:
Stateless mode requests of symmetric algorithm are as follows:
op_type_flf is the op_type specific header, it MUST starts with or be one of the following structures:
The length of op_type_flf is fixed to 72 bytes, the data of unused part (if has) will be ingored.
op_type_vlf is the op_type specific parameters, it MUST starts with or be one of the following structures:
sym_para_len is the size of the specific structure used.
Session mode requests of symmetric algorithm are as follows:
Each request uses the virtio_crypto_aead_data_flf structure and the virtio_crypto_aead_data_flf structure to store information used to run the AEAD operations.
Stateless mode AEAD service requests are as follows:
The virtio socket device is a zero-configuration socket communications device. It facilitates data transfer between the guest and device without using the Ethernet or IP protocols.
If no feature bit is set, only stream socket type is supported. If VIRTIO_VSOCK_F_SEQPACKET has been negotiated, the device MAY act as if VIRTIO_VSOCK_F_STREAM has also been negotiated.
Socket device configuration uses the following layout structure:
The guest_cid field contains the guest’s context ID, which uniquely identifies the device for its lifetime. The upper 32 bits of the CID are reserved and zeroed.
The following CIDs are reserved and cannot be used as the guest’s context ID:
| CID | Notes |
| 0 | Reserved |
| 1 | Reserved |
| 2 | Well-known CID for the host |
| 0xffffffff | Reserved |
| 0xffffffffffffffff | Reserved |
Packets transmitted or received contain a header before the payload:
The upper 32 bits of src_cid and dst_cid are reserved and zeroed.
Most packets simply transfer data but control packets are also used for connection and buffer space management. op is one of the following operation constants:
The tx virtqueue carries packets initiated by applications and replies to received packets. The rx virtqueue carries packets initiated by the device and replies to previously transmitted packets.
If both rx and tx virtqueues are filled by the driver and device at the same time then it appears that a deadlock is reached. The driver has no free tx descriptors to send replies. The device has no free rx descriptors to send replies either. Therefore neither device nor driver can process virtqueues since that may involve sending new replies.
This is solved using additional resources outside the virtqueue to hold packets. With additional resources, it becomes possible to process incoming packets even when outgoing packets cannot be sent.
Eventually even the additional resources will be exhausted and further processing is not possible until the other side processes the virtqueue that it has neglected. This stop to processing prevents one side from causing unbounded resource consumption in the other side.
Flows are identified by a (source, destination) address tuple. An address consists of a (cid, port number) tuple. The header fields used for this are src_cid, src_port, dst_cid, and dst_port.
Currently stream and seqpacket sockets are supported. type is 1 (VIRTIO_VSOCK_TYPE_STREAM) for stream socket types, and 2 (VIRTIO_VSOCK_TYPE_SEQPACKET) for seqpacket socket types.
Stream sockets provide in-order, guaranteed, connection-oriented delivery without message boundaries. Seqpacket sockets provide in-order, guaranteed, connection-oriented delivery with message and record boundaries.
buf_alloc and fwd_cnt are used for buffer space management of stream sockets. The guest and the device publish how much buffer space is available per socket. Only payload bytes are counted and header bytes are not included. This facilitates flow control so data is never dropped.
buf_alloc is the total receive buffer space, in bytes, for this socket. This includes both free and in-use buffers. fwd_cnt is the free-running bytes received counter. The sender calculates the amount of free receive buffer space as follows:
If there is insufficient buffer space, the sender waits until virtqueue buffers are returned and checks buf_alloc and fwd_cnt again. Sending the VIRTIO_VSOCK_OP_CREDIT_REQUEST packet queries how much buffer space is available. The reply to this query is a VIRTIO_VSOCK_OP_CREDIT_UPDATE packet. It is also valid to send a VIRTIO_VSOCK_OP_CREDIT_UPDATE packet without previously receiving a VIRTIO_VSOCK_OP_CREDIT_REQUEST packet. This allows communicating updates any time a change in buffer space occurs.
All packets associated with a stream flow MUST contain valid information in buf_alloc and fwd_cnt fields.
All packets associated with a stream flow MUST contain valid information in buf_alloc and fwd_cnt fields.
The driver queues outgoing packets on the tx virtqueue and incoming packet receive buffers on the rx virtqueue. Packets are of the following form:
Virtqueue buffers for outgoing packets are read-only. Virtqueue buffers for incoming packets are write-only.
A VIRTIO_VSOCK_OP_RST reply MUST be sent if a packet is received with an unknown type value.
A VIRTIO_VSOCK_OP_RST reply MUST be sent if a packet is received with an unknown type value.
Connections are established by sending a VIRTIO_VSOCK_OP_REQUEST packet. If a listening socket exists on the destination a VIRTIO_VSOCK_OP_RESPONSE reply is sent and the connection is established. A VIRTIO_VSOCK_OP_RST reply is sent if a listening socket does not exist on the destination or the destination has insufficient resources to establish the connection.
When a connected socket receives VIRTIO_VSOCK_OP_SHUTDOWN the header flags field bit VIRTIO_VSOCK_SHUTDOWN_F_RECEIVE (bit 0) set indicates that the peer will not receive any more data and bit VIRTIO_VSOCK_SHUTDOWN_F_SEND (bit 1) set indicates that the peer will not send any more data. These hints are permanent once sent and successive packets with bits clear do not reset them.
The VIRTIO_VSOCK_OP_RST packet aborts the connection process or forcibly disconnects a connected socket.
Clean disconnect is achieved by one or more VIRTIO_VSOCK_OP_SHUTDOWN packets that indicate no more data will be sent and received, followed by a VIRTIO_VSOCK_OP_RST response from the peer. If no VIRTIO_VSOCK_OP_RST response is received within an implementation-specific amount of time, a VIRTIO_VSOCK_OP_RST packet is sent to forcibly disconnect the socket.
The clean disconnect process ensures that neither peer reuses the (source, destination) address tuple for a new connection while the other peer is still processing the old connection.
A message contains data sent in a single operation. A single message can be split into multiple RW packets. To provide message boundaries, last RW packet of each message has VIRTIO_VSOCK_SEQ_EOM bit (bit 0) set in the flags of packet’s header.
Record is any number of subsequent messages, where last message is sent with POSIX MSG_EOR flag set. Record boundary means that receiver gets MSG_EOR flag set in the corresponding message where sender set it. To provide record boundaries, last RW packet of each record has VIRTIO_VSOCK_SEQ_EOR bit (bit 1) set in the flags of packet’s header.
Certain events are communicated by the device to the driver using the event virtqueue.
The event buffer is as follows:
The VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event indicates that communication has been interrupted. This usually occurs if the guest has been physically migrated. The driver shuts down established connections and the guest_cid configuration field is fetched again. Existing listen sockets remain but their CID is updated to reflect the current guest_cid.
The guest_cid configuration field MUST be fetched to determine the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Existing connections MUST be shut down when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Listen connections MUST remain operational with the current CID when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
The virtio file system device provides file system access. The device either directly manages a file system or it acts as a gateway to a remote file system. The details of how the device implementation accesses files are hidden by the device interface, allowing for a range of use cases.
Unlike block-level storage devices such as virtio block and SCSI, the virtio file system device provides file-level access to data. The device interface is based on the Linux Filesystem in Userspace (FUSE) protocol. This consists of requests for file system traversal and access the files and directories within it. The protocol details are defined by FUSE.
The device acts as the FUSE file system daemon and the driver acts as the FUSE client mounting the file system. The virtio file system device provides the mechanism for transporting FUSE requests, much like /dev/fuse in a traditional FUSE application.
This section relies on definitions from FUSE.
The notification queue only exists if VIRTIO_FS_F_NOTIFICATION is set.
The tag and num_request_queues fields are always available. The notify_buf_size field is only available when VIRTIO_FS_F_NOTIFICATION is set.
The driver MUST NOT write to device configuration fields.
The driver MAY use from one up to num_request_queues request virtqueues.
The device MUST set num_request_queues to 1 or greater.
The device MUST set notify_buf_size to be large enough to hold any of the FUSE notify messages that this device emits.
On initialization the driver first discovers the device’s virtqueues.
The driver populates the notification queue with buffers for receiving FUSE notify messages if VIRTIO_FS_F_NOTIFICATION is set.
The FUSE session is started by sending a FUSE_INIT request as defined by the FUSE protocol on one request virtqueue. All virtqueues provide access to the same FUSE session and therefore only one FUSE_INIT request is required regardless of the number of available virtqueues.
Device operation consists of operating the virtqueues to facilitate file system access.
The FUSE request types are as follows:
FUSE notify messages are received on the notification queue if VIRTIO_FS_F_NOTIFICATION is set.
The driver enqueues normal requests on an arbitrary request queue. High priority requests are not placed on request queues. The device processes requests in any order. The driver is responsible for ensuring that ordering constraints are met by making available a dependent request only after its prerequisite request has been used.
Requests have the following format with endianness chosen by the driver in the FUSE_INIT request used to initiate the session as detailed below:
Note that the words "in" and "out" follow the FUSE meaning and do not indicate the direction of data transfer under VIRTIO. "In" means input to a request and "out" means output from processing a request.
in is the common header for all types of FUSE requests.
datain consists of request-specific data, if any. This is identical to the data read from the /dev/fuse device by a FUSE daemon.
out is the completion header common to all types of FUSE requests.
dataout consists of request-specific data, if any. This is identical to the data written to the /dev/fuse device by a FUSE daemon.
For example, the full layout of a FUSE_READ request is as follows:
The FUSE protocol documented in FUSE specifies the set of request types and their contents.
The endianness of the FUSE protocol session is detectable by inspecting the uint32_t in.opcode field of the FUSE_INIT request sent by the driver to the device. This allows the device to determine whether the session is little-endian or big-endian. The next FUSE_INIT message terminates the current session and starts a new session with the possibility of changing endianness.
The hiprio queue follows the same request format as the request queues. This queue only contains FUSE_INTERRUPT, FUSE_FORGET, and FUSE_BATCH_FORGET requests.
Interrupt and forget requests have a higher priority than normal requests. The separate hiprio queue is used for these requests to ensure they can be delivered even when all request queues are full.
The device MAY process request queues concurrently with the hiprio queue.
The driver MUST not submit normal requests on the hiprio queue.
The driver MUST anticipate that request queues are processed concurrently with the hiprio queue.
The notification queue is populated with buffers by the driver and these buffers are used by the device to emit FUSE notify messages. Notification queue buffer layout is as follows:
outarg contains the FUSE notify message payload that depends on the type of notification being emitted.
If the driver provides notification queue buffers at a slower rate than the device emits FUSE notify messages then the virtqueue will eventually become empty. The behavior in response to an empty virtqueue depends on the FUSE notify message type. The following FUSE notify message types are supported:
The driver SHOULD replenish notification queue buffers sufficiently quickly so that there is always at least one available buffer.
FUSE_READ and FUSE_WRITE requests transfer file contents between the driver-provided buffer and the device. In cases where data transfer is undesirable, the device can map file contents into the DAX window shared memory region. The driver then accesses file contents directly in device-owned memory without a data transfer.
The DAX Window is an alternative mechanism for accessing file contents. FUSE_READ/FUSE_WRITE requests and DAX Window accesses are possible at the same time. Providing the DAX Window is optional for devices. Using the DAX Window is optional for drivers.
Shared memory region ID 0 is called the DAX window. Drivers map this shared memory region with writeback caching as if it were regular RAM. The contents of the DAX window are undefined unless a mapping exists for that range.
The driver maps a file range into the DAX window using the FUSE_SETUPMAPPING request. Alignment constraints for FUSE_SETUPMAPPING and FUSE_REMOVEMAPPING requests are communicated during FUSE_INIT negotiation.
When a FUSE_SETUPMAPPING request perfectly overlaps a previous mapping, the previous mapping is replaced. When a mapping partially overlaps a previous mapping, the previous mapping is split into one or two smaller mappings. When a mapping is partially unmapped it is also split into one or two smaller mappings.
Establishing new mappings or splitting existing mappings consumes resources. If the device runs out of resources the FUSE_SETUPMAPPING request fails until resources are available again following FUSE_REMOVEMAPPING.
After FUSE_SETUPMAPPING has completed successfully the file range is accessible from the DAX window at the offset provided by the driver in the request. A mapping is removed using the FUSE_REMOVEMAPPING request.
Data is only guaranteed to be persistent when a FUSE_FSYNC request is used by the device after having been made available by the driver following the write.
The device MUST support FUSE_READ and FUSE_WRITE requests regardless of whether the DAX Window is being used or not.
The device MUST allow mappings that completely or partially overlap existing mappings within the DAX window.
The device MUST reject mappings that would go beyond the end of the DAX window.
The driver MAY use both FUSE_READ/FUSE_WRITE requests and the DAX Window to access file contents.
The driver MUST NOT access DAX window areas that have not been mapped.
The device provides access to a file system containing files owned by one or more POSIX user ids and group ids. The device has no secure way of differentiating between users originating requests via the driver. Therefore the device accepts the POSIX user ids and group ids provided by the driver and security is enforced by the driver rather than the device. It is nevertheless possible for devices to implement POSIX user id and group id mapping or whitelisting to control the ownership and access available to the driver.
File systems containing special files including device nodes and setuid executable files pose a security concern. These properties are defined by the file type and mode, which are set by the driver when creating new files or by changes at a later time. These special files present a security risk when the file system is shared with another machine. A setuid executable or a device node placed by a malicious machine make it possible for unprivileged users on other machines to elevate their privileges through the shared file system. This issue can be solved on some operating systems using mount options that ignore special files. It is also possible for devices to implement restrictions on special files by refusing their creation.
When the device provides shared access to a file system between multiple machines, symlink race conditions, exhausting file system capacity, and overwriting or deleting files used by others are factors to consider. These issues have a long history in multi-user operating systems and also apply to virtio-fs. They are typically managed at the file system administration level by providing shared access only to mutually trusted users.
Multiple machines sharing access to a file system are susceptible to timing side-channel attacks. By measuring the latency of accesses to file contents or file system metadata it is possible to infer whether other machines also accessed the same information. Short latencies indicate that the information was cached due to a previous access. This can reveal sensitive information, such as whether certain code paths were taken. The DAX Window provides direct access to file contents and is therefore a likely target of such attacks. These attacks are also possible with traditional FUSE requests. The safest approach is to avoid sharing file systems between untrusted machines.
When a driver is migrated to a new device it is necessary to consider the FUSE session and its state. The continuity of FUSE inode numbers (also known as nodeids) and fh values is necessary so the driver can continue operation without disruption.
It is possible to maintain the FUSE session across live migration either by transferring the state or by redirecting requests from the new device to the old device where the state resides. The details of how to achieve this are implementation-dependent and are not visible at the device interface level.
Maintaining version and feature information negotiated by FUSE_INIT is necessary so that no FUSE protocol feature changes are visible to the driver across live migration. The FUSE_INIT information forms part of the FUSE session state that needs to be transferred during live migration.
virtio-rpmb is a virtio based RPMB (Replay Protected Memory Block) device. It is used as a tamper-resistant and anti-replay storage. The device is driven via requests including read, write, get write counter and program key, which are submitted via a request queue. This section relies on definitions from paragraph 6.6.22 of eMMC.
All fields of this configuration are always available and read-only for the driver.
The operation of a virtio RPMB device is driven by the requests placed on the virtqueue. The type of request can be program key (VIRTIO_RPMB_REQ_PROGRAM_KEY), get write counter (VIRTIO_RPMB_REQ_GET_WRITE_COUNTER), write (VIRTIO_RPMB_REQ_DATA_WRITE), and read (VIRTIO_RPMB_REQ_DATA_READ). A program key or write request can also combine with a result read (VIRTIO_RPMB_REQ_RESULT_READ) for a returned result.
The request information is delivered in RPMB frame. The frame is in size of 512B.
If block count has not been set to 1 then VIRTIO_RPMB_RES_GENERAL_FAILURE SHOULD be responded as result.
The req_resp value VIRTIO_RPMB_RESP_GET_COUNTER SHOULD be responded.
The RPMB frames MUST not be packed by the driver. The driver MUST configure, initialize and format virtqueue for the RPMB requests received from its caller then send it to the device.
The virtio-rpmb device could be backed in a number of ways. It SHOULD keep consistent behaviors with hardware as described in paragraph 6.6.22 of eMMC. Some elements are maintained by the device:
The virtio-iommu device manages Direct Memory Access (DMA) from one or more endpoints. It may act both as a proxy for physical IOMMUs managing devices assigned to the guest, and as virtual IOMMU managing emulated and paravirtualized devices.
The driver first discovers endpoints managed by the virtio-iommu device using platform specific mechanisms. It then sends requests to create virtual address spaces and virtual-to-physical mappings for these endpoints. In its simplest form, the virtio-iommu supports four request types:
Endpoint 0x8, for example a hardware PCI endpoint with BDF 00:01.0, can now read at addresses 0x1000-0x1fff. These accesses are translated into system-physical addresses by the IOMMU.
Any access to addresses 0x1000-0x1fff by endpoint 0x8 would now be rejected.
The driver SHOULD accept any of the VIRTIO_IOMMU_F_INPUT_RANGE, VIRTIO_IOMMU_F_DOMAIN_RANGE and VIRTIO_IOMMU_F_PROBE feature bits if offered by the device.
The device SHOULD offer feature bit VIRTIO_IOMMU_F_MAP_UNMAP.
The VIRTIO_IOMMU_F_BYPASS_CONFIG feature supersedes VIRTIO_IOMMU_F_BYPASS. New devices SHOULD NOT offer VIRTIO_IOMMU_F_BYPASS. Devices SHOULD NOT offer both VIRTIO_IOMMU_F_BYPASS and VIRTIO_IOMMU_F_BYPASS_CONFIG.
The page_size_mask field is always present. Availability of the others all depend on feature bits described in 5.13.3.
When the VIRTIO_IOMMU_F_BYPASS_CONFIG feature is negotiated, the driver MAY write to bypass. The driver MUST NOT write to any other device configuration field.
The driver MUST NOT write a value different than 0 or 1 to bypass. The driver SHOULD ignore bits 1-7 of bypass.
The device MUST set at least one bit in page_size_mask, describing the page granularity. The device MAY set more than one bit in page_size_mask.
If the device offers the VIRTIO_IOMMU_F_BYPASS_CONFIG feature, it MAY initialize the bypass field to 1. Field bypass SHOULD NOT change on device reset, but SHOULD be restored to its initial value on system reset.
The device MUST NOT present a value different than 0 or 1 in bypass.
When the device is reset, endpoints are not attached to any domain.
Future devices might support more modes of operation besides MAP/UNMAP. Drivers verify that devices set VIRTIO_IOMMU_F_MAP_UNMAP and fail gracefully if they don’t.
The driver MUST NOT negotiate VIRTIO_IOMMU_F_MAP_UNMAP if it is incapable of sending VIRTIO_IOMMU_T_MAP and VIRTIO_IOMMU_T_UNMAP requests.
If the VIRTIO_IOMMU_F_PROBE feature is negotiated, the driver SHOULD send a VIRTIO_IOMMU_T_PROBE request for each endpoint before attaching the endpoint to a domain.
Driver send requests on the request virtqueue, notifies the device and waits for the device to return the request with a status in the used ring. All requests are split in two parts: one device-readable, one device- writable.
Type may be one of:
A few general-purpose status codes are defined here.
When the device fails to parse a request, for instance if a request is too small for its type and the device cannot find the tail, then it is unable to set status. In that case, it returns the buffers without writing to them.
Range limits of some request fields are described in the device configuration:
The smallest page granularity supported by the IOMMU is one byte. It is legal for the driver to map one byte at a time if bit 0 of page_size_mask is set.
Other bits in page_size_mask are hints and describe larger page sizes that the IOMMU device handles efficiently. For example, when the device stores mappings using a page table tree, it may be able to describe large mappings using a few leaf entries in intermediate tables, rather than using lots of entries in the last level of the tree. Creating mappings aligned on large page sizes can improve performance since they require fewer page table and TLB entries.
If the feature is not offered, virtual mappings span over the whole 64-bit address space (start = 0, end = 0xffffffff ffffffff)
An endpoint is in bypass mode if:
or
or
All accesses from an endpoint in bypass mode are allowed and translated by the IOMMU using the identity function.
The driver SHOULD set field reserved of struct virtio_iommu_req_head to zero and MUST ignore field reserved of struct virtio_iommu_req_tail.
When a device uses a buffer without having written to it (i.e. used length is zero), the driver SHOULD interpret it as a request failure.
If the VIRTIO_IOMMU_F_INPUT_RANGE feature is negotiated, the driver MUST NOT send requests with virt_start less than input_range.start or virt_end greater than input_range.end.
If the VIRTIO_IOMMU_F_DOMAIN_RANGE feature is negotiated, the driver MUST NOT send requests with domain less than domain_range.start or greater than domain_range.end.
The device SHOULD set status to VIRTIO_IOMMU_S_OK if a request succeeds.
If a request type is not recognized, the device SHOULD NOT write the buffer and SHOULD set the used length to zero.
The device MUST ignore field reserved of struct virtio_iommu_req_head and SHOULD set field reserved of struct virtio_iommu_req_tail to zero.
The device SHOULD NOT let unattached endpoints that are not in bypass mode access the guest-physical address space.
Attach an endpoint to a domain. domain uniquely identifies a domain within the virtio-iommu device. If the domain doesn’t exist in the device, it is created. Semantics of the endpoint identifier are platform specific, but the following rules apply:
Multiple endpoints can be attached to the same domain. An endpoint can be attached to a single domain at a time. Endpoints attached to different domains are isolated from each other.
When the VIRTIO_IOMMU_F_BYPASS_CONFIG is negotiated, the driver can set the VIRTIO_IOMMU_ATTACH_F_BYPASS flag to create a bypass domain. Endpoints attached to this domain are in bypass mode.
The driver SHOULD ensure that endpoints that cannot be isolated from each other are attached to the same domain.
If the domain already exists and is a bypass domain, the driver SHOULD set the VIRTIO_IOMMU_ATTACH_F_BYPASS flag. If the domain exists and is not a bypass domain, the driver SHOULD NOT set the VIRTIO_IOMMU_ATTACH_F_BYPASS flag.
If the device does not recognize a flags bit, it MUST reject the request and set status to VIRTIO_IOMMU_S_INVAL.
If the endpoint identified by endpoint doesn’t exist, the device MUST reject the request and set status to VIRTIO_IOMMU_S_NOENT.
If another endpoint is already attached to the domain identified by domain, then the device MAY attach the endpoint identified by endpoint to the domain. If it cannot do so, the device MUST reject the request and set status to VIRTIO_IOMMU_S_UNSUPP.
If the domain already exists and the VIRTIO_IOMMU_ATTACH_F_BYPASS flag is not consistent with that domain, the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_INVAL.
If the endpoint identified by endpoint is already attached to another domain, then the device SHOULD first detach it from that domain and attach it to the one identified by domain. In that case the device SHOULD behave as if the driver issued a DETACH request with this endpoint, followed by the ATTACH request. If the device cannot do so, it MUST reject the request and set status to VIRTIO_IOMMU_S_UNSUPP.
If properties of the endpoint (obtained with a PROBE request) are compatible with properties of other endpoints already attached to the requested domain, then the device SHOULD attach the endpoint. Otherwise the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_UNSUPP.
A device that does not reject the request MUST attach the endpoint.
Detach an endpoint from a domain. When this request completes, the endpoint cannot access any mapping from that domain anymore. However the endpoint may then be in bypass mode and access the guest-physical address space.
After all endpoints have been successfully detached from a domain, it ceases to exist and its ID can be reused by the driver for another domain.
If the endpoint identified by endpoint doesn’t exist, then the device MUST reject the request and set status to VIRTIO_IOMMU_S_NOENT.
If the domain identified by domain doesn’t exist, or if the endpoint identified by endpoint isn’t attached to this domain, then the device MAY set the request status to VIRTIO_IOMMU_S_INVAL.
The device MUST ensure that after being detached from a domain, the endpoint cannot access any mapping from that domain.
Map a range of virtually-contiguous addresses to a range of physically-contiguous addresses of the same size. After the request succeeds, all endpoints attached to this domain can access memory in the range [virt_start;virt_end] (inclusive). For example, if an endpoint accesses address V A ∈ [virt_start;virt_end], the device (or the physical IOMMU) translates the address: PA = V A−virt_start + phys_start. If the access parameters are compatible with flags (for instance, the access is write and flags are VIRTIO_IOMMU_MAP_F_READ | VIRTIO_IOMMU_MAP_F_WRITE) then the IOMMU allows the access to reach PA.
The range defined by virt_start and virt_end should be within the limits specified by input_range. Given phys_end = phys_start + virt_end−virt_start, the range defined by phys_start and phys_end should be within the guest-physical address space. This includes upper and lower limits, as well as any carving of guest-physical addresses for use by the host. Guest physical boundaries are set by the host in a platform specific way.
Availability and allowed combinations of flags depend on the underlying IOMMU architectures. VIRTIO_IOMMU_MAP_F_READ and VIRTIO_IOMMU_MAP_F_WRITE are usually implemented, although READ is sometimes implied by WRITE. In addition combinations such as "WRITE and not READ" might not be supported.
The VIRTIO_IOMMU_MAP_F_MMIO flag is a memory type rather than a protection flag. It is only available when the VIRTIO_IOMMU_F_MMIO feature has been negotiated. Accesses to the mapping are not speculated, buffered, cached, split into multiple accesses or combined with other accesses. It may be used, for example, to map Message Signaled Interrupt doorbells when a VIRTIO_IOMMU_RESV_MEM_T_MSI region isn’t available. To trigger interrupts the endpoint performs a direct memory write to another peripheral, the IRQ chip.
This request is only available when VIRTIO_IOMMU_F_MAP_UNMAP has been negotiated.
The driver SHOULD NOT send MAP requests on a bypass domain.
virt_end MUST be strictly greater than virt_start.
The driver SHOULD set the VIRTIO_IOMMU_MAP_F_MMIO flag when the physical range corresponds to memory-mapped device registers. The physical range SHOULD have a single memory type: either normal memory or memory-mapped I/O.
If it intends to allow read accesses from endpoints attached to the domain, the driver MUST set the VIRTIO_IOMMU_MAP_F_READ flag.
If the VIRTIO_IOMMU_F_MMIO feature isn’t negotiated, the driver MUST NOT use the VIRTIO_IOMMU_MAP_F_MMIO flag.
If a mapping already exists in the requested range, the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_INVAL.
If the device doesn’t recognize a flags bit, it MUST reject the request and set status to VIRTIO_IOMMU_S_INVAL.
If domain does not exist, the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_NOENT.
If the domain is a bypass domain, the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_INVAL.
The device MUST NOT allow writes to a range mapped without the VIRTIO_IOMMU_MAP_F_WRITE flag. However, if the underlying architecture does not support write-only mappings, the device MAY allow reads to a range mapped with VIRTIO_IOMMU_MAP_F_WRITE but not VIRTIO_IOMMU_MAP_F_READ.
Unmap a range of addresses mapped with VIRTIO_IOMMU_T_MAP. We define here a mapping as a virtual region created with a single MAP request. All mappings covered by the range [virt_start;virt_end] (inclusive) are removed.
The semantics of unmapping are specified in 5.13.6.6.1 and 5.13.6.6.2, and illustrated with the following requests, assuming each example sequence starts with a blank address space. We define two pseudocode functions map(virt_start, virt_end) -> mapping and unmap(virt_start, virt_end).
As illustrated by example (4), partially removing a mapping isn’t supported.
This request is only available when VIRTIO_IOMMU_F_MAP_UNMAP has been negotiated.
The range, defined by virt_start and virt_end, SHOULD cover one or more contiguous mappings created with MAP requests. The range MAY spill over unmapped virtual addresses.
The first address of a range MUST either be the first address of a mapping or be outside any mapping. The last address of a range MUST either be the last address of a mapping or be outside any mapping.
The driver SHOULD NOT send UNMAP requests on a bypass domain.
If domain does not exist, the device SHOULD set the request status to VIRTIO_IOMMU_S_NOENT.
If the domain is a bypass domain, the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_INVAL.
If a mapping affected by the range is not covered in its entirety by the range (the UNMAP request would split the mapping), then the device SHOULD set the request status to VIRTIO_IOMMU_S_RANGE, and SHOULD NOT remove any mapping.
If part of the range or the full range is not covered by an existing mapping, then the device SHOULD remove all mappings affected by the range and set the request status to VIRTIO_IOMMU_S_OK.
If the VIRTIO_IOMMU_F_PROBE feature bit is present, the driver sends a VIRTIO_IOMMU_T_PROBE request for each endpoint that the virtio-iommu device manages. This probe is performed before attaching the endpoint to a domain.
The driver allocates a buffer for the PROBE request, large enough to accommodate probe_size bytes of properties. It writes endpoint and adds the buffer to the request queue. The device fills the properties field with a list of properties for this endpoint.
The driver parses the first property by reading type, then length. If the driver recognizes type, it reads and handles the rest of the property. The driver then reads the next property, that is located (length + 4) bytes after the beginning of the first one, and so on. The driver parses all properties until it reaches an empty property (type is 0) or the end of properties.
Available property types are described in section 5.13.6.8.
The driver SHOULD set field reserved of the PROBE request to zero.
If the driver doesn’t recognize the type of a property, it SHOULD ignore the property.
The driver SHOULD NOT deduce the property length from type.
The driver MUST ignore a property whose reserved field is not zero.
If the driver ignores a property, it SHOULD continue parsing the list.
If the endpoint identified by endpoint doesn’t exist, then the device SHOULD reject the request and set status to VIRTIO_IOMMU_S_NOENT.
If the device does not offer the VIRTIO_IOMMU_F_PROBE feature, and if the driver sends a VIRTIO_IOMMU_T_PROBE request, then the device SHOULD NOT write the buffer and SHOULD set the used length to zero.
The device SHOULD set field reserved of a property to zero.
The device MUST write the size of a property without the struct virtio_iommu_probe_property header, in bytes, into length.
When two properties follow each other, the device MUST put the second property exactly (length + 4) bytes after the beginning of the first one.
If the properties list is smaller than probe_size, the device SHOULD NOT write any property. It SHOULD reject the request and set status to VIRTIO_IOMMU_S_INVAL.
If the device doesn’t fill all probe_size bytes with properties, it SHOULD fill the remaining bytes of properties with zeroes.
Fields start and end describe the range of reserved virtual addresses. subtype may be one of:
In addition it provides information about MSI doorbells. If the endpoint doesn’t have a VIRTIO_IOMMU_RESV_MEM_T_MSI property, then the driver creates an MMIO mapping to the doorbell of the MSI controller.
The driver MUST ignore reserved.
The driver SHOULD treat any subtype it doesn’t recognize as if it was VIRTIO_IOMMU_RESV_MEM_T_RESERVED.
The device SHOULD NOT present more than one VIRTIO_IOMMU_RESV_MEM_T_MSI property per endpoint.
The device SHOULD NOT present multiple RESV_MEM properties that overlap each other for the same endpoint.
The device SHOULD reject a MAP request that overlaps a RESV_MEM region.
The device SHOULD NOT allow accesses from the endpoint to RESV_MEM regions to affect any other component than the endpoint and the driver.
The device can report translation faults and other significant asynchronous events on the event virtqueue. The driver initially populates the queue with device-writeable buffers. When the device needs to report an event, it fills a buffer and notifies the driver. The driver consumes the report and adds a new buffer to the virtqueue.
If no buffer is available, the device can either wait for one to be consumed, or drop the event.
When the fault is reported by a physical IOMMU, the fault reasons may not match exactly the reason of the original fault report. The device does its best to find the closest match.
If the device encounters an internal error that wasn’t caused by a specific endpoint, it is unlikely that the driver would be able to do anything else than print the fault and stop using the device, so reporting the fault on the event queue isn’t useful. In that case, we recommend using the DEVICE_NEEDS_RESET status bit.
The driver MUST ignore reserved1.
The driver MUST ignore undefined flags.
If the driver doesn’t recognize reason, it SHOULD treat the fault as if it was VIRTIO_IOMMU_FAULT_R_UNKNOWN.
The device SHOULD set undefined flags to zero.
The device SHOULD write a valid endpoint ID in endpoint.
The device MAY omit setting VIRTIO_IOMMU_FAULT_F_ADDRESS and writing address in any fault report, regardless of the reason.
If a buffer is too small to contain the fault report20, the device SHOULD NOT use multiple buffers to describe it. The device MAY fall back to using an older fault report format that fits in the buffer.
The virtio sound card is a virtual audio device supporting input and output PCM streams.
A device is managed by control requests and can send various notifications through dedicated queues. A driver can transmit PCM frames using message-based transport or shared memory.
A small part of the specification reuses existing layouts and values from the High Definition Audio specification (HDA). It allows to provide the same functionality and assist in two possible cases:
The control queue is used for sending control messages from the driver to the device.
The event queue is used for sending notifications from the device to the driver.
The tx queue is used to send PCM frames for output streams.
The rx queue is used to receive PCM frames from input streams.
A configuration space contains the following fields:
All control messages are placed into the control queue and all notifications are placed into the event queue. They use the following layout structure and definitions:
A generic control message consists of a request part and a response part.
A request part has, or consists of, a common header containing the following device-readable field:
A response part has, or consists of, a common header containing the following device-writable field:
The status field can take one of the following values:
The request part may be followed by an additional device-readable payload, and the response part may be followed by an additional device-writable payload.
An event notification contains the following device-writable fields:
For all entities involved in the exchange of audio data, the device uses one of the following data flow directions:
A special control message is used to request information about any kind of configuration item. The request part uses the following structure definition:
The request contains the following device-readable fields:
The response consists of the virtio_snd_hdr structure (contains the request status code), followed by the device-writable information structures of the item. Each information structure begins with the following common header:
The header contains the following field:
The High Definition Audio specification introduces the codec as part of the hardware that implements some of the functionality. The codec architecture and capabilities are described by tree structure of special nodes each of which is either a function module or a function group (see HDA for details).
The virtio sound specification assumes that a single codec is implemented in the device. Function module nodes are simulated by item information structures, and function group nodes are simulated by the hda_fn_nid field in each such structure.
A jack control request has, or consists of, a common header with the following layout structure:
The header consists of the following device-readable fields:
The request consists of the virtio_snd_query_info structure (see Item Information Request). The response consists of the virtio_snd_hdr structure, followed by the following jack information structures:
The structure contains the following device-writable fields:
The request uses the following structure and layout definitions:
The request contains the following device-readable fields:
Jack notifications consist of a virtio_snd_event structure, which has the following device-writable fields:
A PCM control request has, or consists of, a common header with the following layout structure:
The header consists of the following device-readable fields:
The driver negotiates the stream parameters (format, transport, etc) with the device.
Possible valid transitions: set parameters, prepare.
The device prepares the stream (allocates resources, etc).
Possible valid transitions: set parameters, prepare, start, release.
The device starts the stream (unmute, putting into running state, etc).
Possible valid transitions: stop.
The device stops the stream (mute, putting into non-running state, etc).
Possible valid transitions: start, release.
The device releases the stream (frees resources, etc).
Possible valid transitions: set parameters, prepare.
The request consists of the virtio_snd_query_info structure (see Item Information Request). The response consists of the virtio_snd_hdr structure, followed by the following stream information structures:
The structure contains the following device-writable fields:
Only interleaved samples are supported.
The request uses the following structure and layout definitions:
The request contains the following device-readable fields:
The device can announce support for different PCM events using feature bits in the stream information structure. To enable notifications, the driver must negotiate these features using the set stream parameters request (see 5.14.6.6.3).
PCM stream notifications consist of a virtio_snd_event structure, which has the following device-writable fields:
An I/O message consists of the header part, followed by the buffer, and then the status part.
The header part consists of the following device-readable field:
The status part consists of the following device-writable fields:
Since all buffers in the queue (with one exception) should be of the size period_bytes, the completion of such an I/O request can be considered an elapsed period notification.
A used descriptor specifies the length of the buffer that was written by the device. It should be noted that the length value contains the size of the virtio_snd_pcm_status structure plus the size of the recorded frames.
A device can provide one or more channel maps assigned to all streams with the same data flow direction in the same function group.
The request consists of the virtio_snd_query_info structure (see Item Information Request). The response consists of the virtio_snd_hdr structure, followed by the following channel map information structures:
The structure contains the following device-writable fields:
The virtio memory device provides and manages a memory region in guest physical address space. This memory region is partitioned into memory blocks of fixed size that can either be in the state plugged or unplugged. Once plugged, a memory block can be used like ordinary RAM. The driver selects memory blocks to (un)plug and requests the device to perform the (un)plug.
The device requests the driver to plug a certain amount of memory, by setting the requested_size in the device configuration, which can change at runtime. It is up to the device driver to fulfill this request by (un)plugging memory blocks. Once the plugged_size is greater or equal to the requested_size, requests to plug memory blocks will be rejected by the device.
The device-managed memory region is split into two parts, the usable region and the unusable region. All memory blocks in the unusable region are unplugged and requests to plug them will be rejected. The device will grow the usable region to fit the requested_size. Usually, the usable region is bigger than the requested_size of the device, to give the driver some flexibility when selecting memory blocks to plug.
On initial start, and after a system reset, all memory blocks are unplugged. In corner cases, memory blocks might still be plugged after a system reset, and the driver usually requests to unplug all memory while initializing, before starting to select memory blocks to plug.
The device-managed memory region is not exposed as RAM via other firmware / hw interfaces (e.g., e820 on x86). The driver is responsible for deciding how plugged memory blocks will be used. A common use case is to expose plugged memory blocks to the operating system as system RAM, available for the page allocator.
Some platforms provide memory properties for system RAM that are usually queried and modified using special CPU instructions. Memory properties might be implicitly queried or modified on memory access. Memory properties can include advanced memory protection, access and change indication, or memory usage indication relevant in virtualized environments. 21 The device provides the exact same properties with the exact same semantics for plugged device memory as available for comparable RAM in the same configuration.
All fields of this configuration are always available and read-only for the driver.
The driver MUST NOT write to device configuration fields.
The driver MUST ignore the value of padding.
The driver MUST ignore the value of node_id without VIRTIO_MEM_F_ACPI_PXM.
The device MAY change usable_region_size and requested_size.
The device MUST NOT change block_size, node_id, addr, and region_size, except during a system reset.
The device MUST change plugged_size to reflect the size of plugged memory blocks.
The device MUST set usable_region_size to requested_size or greater.
The device MUST set block_size to a power of two.
The device MUST set addr, region_size, usable_region_size, plugged_size, requested_size to multiples of block_size.
The device MUST set region_size to 0 or greater.
The device MUST NOT shrink usable_region_size, except when processing an UNPLUG ALL request, or during a system reset.
The device MUST send a configuration update notification when changing usable_region_size or requested_size, except when processing an UNPLUG ALL request.
The device SHOULD NOT send a configuration update notification when changing plugged_size.
The device MAY send a configuration update notification even if nothing changed.
On initialization, the driver first discovers the device’s virtqueues. It then reads the device configuration.
In case the driver detects that the device still has memory plugged (plugged_size in the device configuration is greater than 0), the driver will either try to re-initialize by issuing STATE requests, or try to unplug all memory before continuing. Special handling might be necessary in case some plugged memory might still be relevant (e.g., system dump, memory still in use after unloading the driver).
The driver SHOULD accept VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE if it is offered and the driver supports it.
The driver SHOULD issue UNPLUG ALL requests until successful if the device still has memory plugged and the plugged memory is not in use.
A device MAY fail to operate further if VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE is not accepted.
The device MUST NOT change the state of memory blocks during device reset.
The device MUST NOT modify memory or memory properties of plugged memory blocks during device reset.
The device notifies the driver about the amount of memory the device wants the driver to consume via the device. These resize requests from the device are communciated via the requested_size in the device configuration. The driver will react by requesting to (un)plug specific memory blocks, to make the plugged_size match the requested_size as close as possible.
The driver sends requests to the device on the guest-request virtqueue, notifies the device, and waits for the device to respond. Requests have a common header, defining the request type, followed by request-specific data. All requests are 24 bytes long and have the layout:
Possible request types are:
Responses have a common header, defining the response type, followed by request-specific data. All responses are 10 bytes long and have the layout:
Possible response types, in general, are:
The driver MUST NOT write memory or modify memory properties of unplugged memory blocks.
The driver MUST NOT read memory or query memory properties of unplugged memory blocks outside usable_region_size.
The driver MUST NOT read memory or query memory properties of unplugged memory blocks inside usable_region_size via DMA.
If VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE has not been negotiated, the driver SHOULD NOT read memory or query memory properties of unplugged memory blocks inside usable_region_size via the CPU.
If VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE has been negotiated, the driver MUST NOT read memory or query memory properties of unplugged memory blocks.
The driver MUST NOT request unplug of memory blocks while corresponding memory or memory properties are still in use.
The driver SHOULD initialize memory blocks after plugging them, the content is undefined.
The driver SHOULD react to resize requests from the device (requested_size in the device configuration changed) by (un)plugging memory blocks.
The driver SHOULD only plug memory blocks it can actually use.
The driver MAY not reach the requested size (requested_size in the device configuration), for example, because it cannot free up any plugged memory blocks to unplug them, or it would not be able to make use of unplugged memory blocks after plugging them (e.g., alignment).
The device MUST provide the exact same memory properties with the exact same semantics for device memory the platform provides in the same configuration for comparable RAM.
The device MAY modify memory of unplugged memory blocks or reset memory properties of such memory blocks to platform defaults at any time.
The device MUST NOT modify memory or memory properties of plugged memory blocks.
The device MUST allow the driver to read and write memory and to query and modify memory attributes of plugged memory blocks.
If VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE has not been negotiated, the device MUST allow the driver to read memory and to query memory properties of unplugged memory blocks inside usable_region_size via the CPU. 23
The device MAY change the state of memory blocks during system resets.
The device SHOULD unplug all memory blocks during system resets.
Request to plug consecutive memory blocks that are currently unplugged.
The request-specific data in a PLUG request has the format:
addr is the guest physical address of the first memory block. nb_blocks is the number of consecutive memory blocks
Responses don’t have request-specific data defined.
The device MUST ignore the padding in the request-specific data in a request.
The device MUST reject requests with VIRTIO_MEM_RESP_ERROR if addr is not aligned to the block_size in the device configuration, if nb_blocks is not greater than 0, or if any memory block outside of the usable device-managed memory region is covered by the request.
The device MUST reject requests with VIRTIO_MEM_RESP_ERROR if any memory block covered by the request is already plugged.
The device MAY reject requests with VIRTIO_MEM_RESP_BUSY if the request can currently not be processed.
The device MUST acknowledge requests with VIRTIO_MEM_RESP_ACK in case all memory blocks were successfully plugged. The device MUST reflect the change in the device configuration plugged_size.
Request to unplug consecutive memory blocks that are currently plugged.
The request-specific data in an UNPLUG request has the format:
addr is the guest physical address of the first memory block. nb_blocks is the number of consecutive memory blocks
Responses don’t have request-specific data defined.
The device MUST ignore the padding in the request-specific data in a request.
The device MUST reject requests with VIRTIO_MEM_RESP_ERROR if addr is not aligned to the block_size in the device configuration, if nb_blocks is not greater than 0, or if any memory block outside of the usable device-managed memory region is covered by the request.
The device MUST reject requests with VIRTIO_MEM_RESP_ERROR if any memory block covered by the request is already unplugged.
The device MAY reject requests with VIRTIO_MEM_RESP_BUSY if the request can currently not be processed.
The device MUST acknowledge requests with VIRTIO_MEM_RESP_ACK in case all memory blocks were successfully unplugged. The device MUST reflect the change in the device configuration plugged_size.
Request to unplug all memory blocks the device has currently plugged. If successful, the plugged_size in the device configuration will be 0 and usable_region_size might have changed.
Requests don’t have request-specific data defined, only the request type is relevant. Responses don’t have request-specific data defined, only the response type is relevant.
The device MUST ignore the padding in the request-specific data in a request.
The device MAY reject requests with VIRTIO_MEM_RESP_BUSY if the request can currently not be processed.
The device MUST acknowledge requests with VIRTIO_MEM_RESP_ACK in case all memory blocks were successfully unplugged.
The device MUST set plugged_size to 0 in case the request is acknowledged with VIRTIO_MEM_RESP_ACK.
The device MAY modify usable_region_size before responding with VIRTIO_MEM_RESP_ACK.
Request the state (plugged, unplugged, mixed) of consecutive memory blocks.
The request-specific data in a STATE request has the format:
addr is the guest physical address of the first memory block. nb_blocks is the number of consecutive memory blocks.
The request-specific data in a STATE response has the format:
Whereby type defines one of three different state types:
The driver MUST ignore the request-specific data in a response in case the response type is not VIRTIO_MEM_RESP_ACK.
The device MUST ignore the padding in the request-specific data in a request.
The device MUST reject requests with VIRTIO_MEM_RESP_ERROR if addr is not aligned to the block_size in the device configuration, if nb_blocks is not greater than 0, or if any memory block outside of the usable device-managed memory region is covered by the request.
The device MUST acknowledge requests with VIRTIO_MEM_RESP_ACK, supplying the state of the memory blocks.
The device MUST set the state type in the response to VIRTIO_MEM_STATE_PLUGGED if all requested memory blocks are plugged. The device MUST set the state type in the response to VIRTIO_MEM_STATE_UNPLUGGED if all requested memory blocks are unplugged. Otherwise, the device MUST set state type in the response to VIRTIO_MEM_STATE_MIXED.
virtio-i2c is a virtual I2C adapter device. It provides a way to flexibly organize and use the host I2C controlled devices from the guest. By attaching the host ACPI I2C controlled nodes to the virtual I2C adapter device, the guest can communicate with them without changing or adding extra drivers for these controlled I2C devices.
The driver queues requests to the virtqueue, and they are used by the device. The request is the representation of segments of an I2C transaction. Each request is of the form:
The addr of the request is the address of the I2C controlled device. For 7-bit address mode (A0 ... A6) and 10-bit address mode (A0 ... A9), the format of addr is defined as follows:
| Bits | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| 7-bit address | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | A6 | A5 | A4 | A3 | A2 | A1 | A0 | 0 |
| 10-bit address | A7 | A6 | A5 | A4 | A3 | A2 | A1 | A0 | 1 | 1 | 1 | 1 | 0 | A9 | A8 | 0 |
The padding is used to pad to full dword.
The flags of the request is defined as follows:
Other bits of flags are currently reserved as zero for future feature extensibility.
The buf is optional and will not be present for a zero-length request, like the SMBus "Quick" command. The buf contains one segment of an I2C transaction being read from or written to the device, based on the value of the VIRTIO_I2C_FLAGS_M_RD bit in the flags field.
The final status byte of the request is written by the device: either VIRTIO_I2C_MSG_OK for success or VIRTIO_I2C_MSG_ERR for error.
The virtio I2C protocol supports write-read requests, i.e. an I2C write segment followed by a read segment (usually, the write segment provides the number of an I2C controlled device register to be read), by grouping a list of requests together using the VIRTIO_I2C_FLAGS_FAIL_NEXT flag.
addr, flags, and “length of buf ” are determined by the driver, while status is determined by the processing of the device. A driver, for a write request, puts the data to be written to the device into the buf, while a device, for a read request, puts the data read from device into the buf according to the request from the driver.
A driver may send one request or multiple requests to the device at a time. The requests in the virtqueue are both queued and processed in order.
If a driver sends multiple requests at a time and a device fails to process some of them, then a device needs to set the status of the first failed request to be VIRTIO_I2C_MSG_ERR. For the remaining requests in the same group with the first failed one, a driver needs to treat them as VIRTIO_I2C_MSG_ERR, no matter what status of them, a device needs to fail them instead of attempting to execute them according to the VIRTIO_I2C_FLAGS_FAIL_NEXT bit.
A driver MUST accept the VIRTIO_I2C_F_ZERO_LENGTH_REQUEST feature and MUST abort negotiation with the device, if the device doesn’t offer this feature.
A driver MUST set addr and flags before sending the request.
A driver MUST set the reserved bits of flags to be zero.
A driver MUST NOT send the buf, for a zero-length request.
A driver MUST NOT use buf, for a read request, if the final status returned from the device is VIRTIO_I2C_MSG_ERR.
A driver MUST set the VIRTIO_I2C_FLAGS_M_RD flag for a read operation, where the buffer is write-only for the device.
A driver MUST NOT set the VIRTIO_I2C_FLAGS_M_RD flag for a write operation, where the buffer is read-only for the device.
A driver MUST queue the requests in order if multiple requests are going to be sent at a time.
If multiple requests are sent at a time and some of them returned from the device have the status being VIRTIO_I2C_MSG_ERR, a driver MUST treat the first failed request and the remaining requests in the same group with the first failed one as VIRTIO_I2C_MSG_ERR.
A device MUST offer the VIRTIO_I2C_F_ZERO_LENGTH_REQUEST feature and MUST reject any driver that doesn’t negotiate this feature.
A device SHOULD keep consistent behaviors with the hardware as described in I2C.
A device MUST NOT change the value of addr, and reserved bits of flags.
A device MUST not change the value of the buf for a write request.
A device MUST place one I2C segment of the “length of buf ”, for the read request, into the buf according the driver’s request.
A device MUST guarantee the requests in the virtqueue being processed in order if multiple requests are received at a time.
If multiple requests are received at a time and processing of some of the requests fails, a device MUST set the status of the first failed request to be VIRTIO_I2C_MSG_ERR and MAY set the status of the remaining requests in the same group with the first failed one to be VIRTIO_I2C_MSG_ERR.
An SCMI device implements the Arm System Control and Management Interface (SCMI). SCMI can be used for sensors, power state management, clock management and performance management among other things.
This section relies on definitions from the SCMI specification.
Virtio SCMI device and driver are mapped to SCMI platform and agent respectively. The device is visible to a particular SCMI agent. The device allows a guest to communicate as an SCMI agent using one or more SCMI protocols. The default SCMI protocols are defined in the SCMI specification. Virtio provides a transport medium for exchanging SCMI messages between the SCMI agent and platform. The virtio SCMI transport allows the queueing of multiple messages and responses.
SCMI FastChannels are not supported.
The cmdq is used by the driver to send commands to the device. The device replies with responses (not delayed responses) over the cmdq.
The eventq is used by the device to send notifications and delayed responses. The eventq only exists if VIRTIO_SCMI_F_P2A_CHANNELS was negotiated.
VIRTIO_SCMI_F_P2A_CHANNELS is used to determine the existence of the eventq. The eventq is required for SCMI notifications and delayed responses.
VIRTIO_SCMI_F_SHARED_MEMORY is used to determine whether the device provides any SCMI statistics shared memory region. SCMI statistics shared memory regions are defined by some SCMI protocols.
The SCMI protocols provide the PROTOCOL_MESSAGE_ATTRIBUTES commands to inquire about the particular SCMI notifications and delayed responses implemented by the device. The SCMI protocols provide additional commands to detect other features implemented by the device.
The device MUST offer VIRTIO_SCMI_F_P2A_CHANNELS if the device can implement at least one SCMI notification, or delayed response.
The device MUST offer VIRTIO_SCMI_F_SHARED_MEMORY if the device can implement at least one SCMI statistics shared memory region.
There is no configuration data for the device.
The general requirements on device initialization apply.
The SCMI transport used for the device puts each SCMI message into a dedicated virtio buffer. The driver uses the cmdq for transmitting SCMI commands and receiving the corresponding SCMI responses. The device uses the eventq for transmitting SCMI notifications and delayed responses. Each message includes an SCMI protocol header and payload, as defined by the SCMI specification.
Each buffer in the cmdq holds a single SCMI command once the buffer has been made available. When the buffer has been marked as used, it contains the SCMI response. An arbitrary number of such SCMI messages can be in transit at the same time. Conceptually, each SCMI message in the cmdq uses its own SCMI A2P (agent to platform) channel.
The SCMI response is in the same virtio buffer as the corresponding SCMI command. The response contains the return values which SCMI specifies for each command, whether synchronous or asynchronous. Delayed responses are distinct SCMI messages transmitted over the eventq.
Buffers in the cmdq contain both the request and the response. A request has the following layout:
The virtio_scmi_request fields are interpreted as follows:
A cmdq response has the following layout:
The virtio_scmi_response fields are interpreted as follows:
If VIRTIO_SCMI_F_P2A_CHANNELS was not negotiated, the device responds to SCMI commands as if no SCMI notifications or delayed responses were implemented.
The device MUST process all available commands eventually, even in the case of bursts of multiple command messages.
If the status field in the virtio_scmi_response ret_values has a value other than SUCCESS, the device MUST set the size of ret_values to the size of the status field.
If the driver requests an SCMI notification or a delayed response and there are currently NOT enough available buffers in the eventq, the device SHOULD still return SCMI status code SUCCESS.
If VIRTIO_SCMI_F_P2A_CHANNELS was not negotiated, the device MUST deny any request for an SCMI notification or a delayed response by returning SCMI status code NOT_SUPPORTED.
If VIRTIO_SCMI_F_P2A_CHANNELS was not negotiated, the device MUST NOT indicate in the PROTOCOL_MESSAGE_ATTRIBUTES return values that any SCMI notification, or delayed response, is implemented.
With every command message, the driver MUST provide enough device-writable memory to enable the device to return corresponding return values.
If VIRTIO_SCMI_F_P2A_CHANNELS was not negotiated, the driver MUST NOT request any SCMI notification, nor any delayed response.
The driver has to populate the eventq before the device can use it.
The driver MUST NOT put device-readable descriptors into the eventq.
The driver MUST NOT put into the eventq any buffer which is smaller than the largest SCMI P2A (platform to agent) message which the driver will request.
Each buffer in the eventq holds (once the buffer is marked as used) either a single SCMI notification, or a single SCMI delayed response. An arbitrary number of such SCMI messages can be in transit at the same time. Conceptually, each SCMI message transmitted over the eventq uses its own SCMI P2A (platform to agent) channel. Buffers in the eventq have the following layout:
The device MAY send the notification later if the events which cause the notification take place in quick succession.
If the device sends the notification later, the device MAY send the notification with updated data, unless the specific SCMI protocol disallows this.
If the device intends to send a notification and there are available buffers, but one of the buffers is too small to fit the notification, the device MAY omit the notification.
If the device intends to send a delayed response and there are no available buffers in the eventq, the device MUST send the corresponding delayed response once enough buffers become available.
If the status field in a delayed response payload has a value other than SUCCESS, the device MUST set the size of payload to the size of the status field.
Various SCMI protocols define statistics shared memory regions (for statistics and sensor values).
If the device implements a shared memory region, the device MUST assign the corresponding shmid as per the following table:
| SCMI statistics shared memory region | Virtio shmid |
| Reserved (invalid) | 0 |
| Power state statistics shared memory region | 1 |
| Performance domain statistics shared memory region | 2 |
| Sensor Values Shared Memory | 3 |
| Reserved for future use | 4 to 0x7F |
| Vendor-specific statistics shared memory regions | 0x80 to 0xFF |
| Reserved for future use | 0x100 and greater |
The Virtio GPIO device is a virtual General Purpose Input/Output device that supports a variable number of named I/O lines, which can be configured in input mode or in output mode with logical level low (0) or high (1).
The eventq virtqueue is available only if the VIRTIO_GPIO_F_IRQ feature has been negotiated.
GPIO device uses the following configuration structure layout:
The driver uses the requestq virtqueue to send messages to the device. The driver sends a pair of buffers, request (filled by driver) and response (to be filled by device later), to the device. The device in turn fills the response buffer and sends it back to the driver.
All the fields of this structure are set by the driver and read by the device.
All the fields of this structure are set by the device and read by the driver.
Following is the list of messages supported by the virtio gpio specification.
The driver sends this message to receive a stream of zero-terminated strings, where each string represents the name of a GPIO line, present in increasing order of the GPIO line numbers. The names of the GPIO lines are optional and may be present only for a subset of GPIO lines. If missing, then a zero-byte must be present for the GPIO line. If present, the name string must be zero-terminated and the name must be unique within a GPIO Device. The names of the GPIO lines are encoded in 7-bit ASCII.
These names of the GPIO lines should be most meaningful producer names for the system, such as name indicating the usage. For example "MMC-CD", "Red LED Vdd" and "ethernet reset" are reasonable line names as they describe what the line is used for, while "GPIO0" is not a good name to give to a GPIO line.
Here is an example of how the gpio names memory block may look like for a GPIO device with 10 GPIO lines, where line names are provided only for lines 0 ("MMC-CD"), 5 ("Red LED Vdd") and 7 ("ethernet reset").
The device sets the gpio_names_size to a non-zero value if this message is supported by the device, else it must be set to zero.
This message type uses different layout for the response structure, as the device needs to return the gpio_names array.
The driver must allocate the value[N] buffer in the struct virtio_gpio_response_N for N bytes, where N = gpio_names_size.
| Request | type | gpio | value |
| VIRTIO_GPIO_MSG_GET_LINE_NAMES | 0 | 0 | |
| Response | status | value[N] | Where N is |
| VIRTIO_GPIO_STATUS_* | gpio-names | gpio_names_size | |
The driver sends this message to request the device to return a line’s configured direction.
| Request | type | gpio | value |
| VIRTIO_GPIO_MSG_GET_DIRECTION | line number | 0 | |
| Response | status | value |
| VIRTIO_GPIO_STATUS_* | 0 = none, 1 = output, 2 = input | |
The driver sends this message to request the device to configure a line’s direction. The driver can either set the direction to VIRTIO_GPIO_DIRECTION_IN or VIRTIO_GPIO_DIRECTION_OUT, which also activates the line, or to VIRTIO_GPIO_DIRECTION_NONE, which deactivates the line.
The driver should set the value of the GPIO line, using the VIRTIO_GPIO_MSG_SET_VALUE message, before setting the direction of the line to output to avoid any undesired behavior.
| Request | type | gpio | value |
| VIRTIO_GPIO_MSG_SET_DIRECTION | line number | 0 = none, 1 = output, 2 = input | |
| Response | status | value |
| VIRTIO_GPIO_STATUS_* | 0 | |
The driver sends this message to request the device to return current value sensed on a line.
| Request | type | gpio | value |
| VIRTIO_GPIO_MSG_GET_VALUE | line number | 0 | |
| Response | status | value |
| VIRTIO_GPIO_STATUS_* | 0 = low, 1 = high | |
The driver sends this message to request the device to set the value of a line. The line may already be configured for output or may get configured to output later, at which point this output value must be used by the device for the line.
| Request | type | gpio | value |
| VIRTIO_GPIO_MSG_SET_VALUE | line number | 0 = low, 1 = high | |
| Response | status | value |
| VIRTIO_GPIO_STATUS_* | 0 | |
This request is allowed only if the VIRTIO_GPIO_F_IRQ feature has been negotiated.
The interrupt configuration is divided into two steps, enabling or disabling of the interrupt at the device and masking or unmasking of the interrupt for delivery at the driver. This request only pertains to enabling or disabling of the interrupt at the device, the masking and unmasking of the interrupt is handled by a separate request that takes place over the eventq virtqueue.
The driver sends the VIRTIO_GPIO_MSG_SET_IRQ_TYPE message over the requestq virtqueue to enable or disable interrupt for a GPIO line at the device.
The driver sends this message with trigger type set to any valid value other than VIRTIO_GPIO_IRQ_TYPE_NONE, to enable the interrupt for a GPIO line, this doesn’t unmask the interrupt for delivery at the driver though. For edge trigger type, the device should latch the interrupt events from this point onward and notify it to the driver once the interrupt is unmasked. For level trigger type, the device should notify the driver once the interrupt signal on a line is sensed and the interrupt is unmasked for the line.
The driver sends this message with trigger type set to VIRTIO_GPIO_IRQ_TYPE_NONE, to disable the interrupt for a GPIO line. The device should discard any latched interrupt event associated with it. In order to change the trigger type of an already enabled interrupt, the driver should first disable the interrupt and then re-enable it with appropriate trigger type.
The interrupts are masked at initialization and the driver unmasks them by queuing a pair of buffers, of type virtio_gpio_irq_request and virtio_gpio_irq_response, over the eventq virtqueue for a GPIO line. A separate pair of buffers must be queued for each GPIO line, the driver wants to configure for interrupts. Once an already enabled interrupt is unmasked by the driver, the device can notify the driver of an active interrupt signal on the GPIO line. This is done by updating the struct virtio_gpio_irq_response buffer’s status with VIRTIO_GPIO_IRQ_STATUS_VALID and returning the updated buffers to the driver. The interrupt is masked automatically at this point until the buffers are available again at the device.
The interrupt for a GPIO line should not be unmasked before being enabled by the driver.
If the interrupt is disabled by the driver, by setting the trigger type to VIRTIO_GPIO_IRQ_TYPE_NONE, or the interrupt is unmasked without being enabled first, the device should return any unused pair of buffers for the GPIO line, over the eventq virtqueue, after setting the status field to VIRTIO_GPIO_IRQ_STATUS_INVALID. This also masks the interrupt.
| Request | type | gpio | value |
| VIRTIO_GPIO_MSG_SET_IRQ_TYPE | line number | one of VIRTIO_GPIO_IRQ_TYPE_* | |
| Response | status | value |
| VIRTIO_GPIO_STATUS_* | 0 | |
The eventq virtqueue is used by the driver to unmask the interrupts and used by the device to notify the driver of newly sensed interrupts. In order to unmask interrupt on a GPIO line, the driver queues a pair of buffers, struct virtio_gpio_irq_request (filled by driver) and struct virtio_gpio_irq_response (to be filled by device later), to the eventq virtqueue. A separate pair of buffers must be queued for each GPIO line, the driver wants to configure for interrupts. The device, on sensing an interrupt, returns the pair of buffers for the respective GPIO line, which also masks the interrupts. The driver can queue the buffers again to unmask the interrupt.
This structure is filled by the driver and read by the device.
This structure is filled by the device and read by the driver.
The virtio pmem device is a persistent memory (NVDIMM) device that provides a virtio based asynchronous flush mechanism. This avoids the need for a separate page cache in the guest and keeps the page cache only in the host. Under memory pressure, the host makes use of efficient memory reclaim decisions for page cache pages of all the guests. This helps to reduce the memory footprint and fits more guests in the host system.
The virtio pmem device provides access to byte-addressable persistent memory. The persistent memory is a directly accessible range of system memory. Data written to this memory is made persistent by separately sending a flush command. Writes that have been flushed are preserved across device reset and power failure.
The device indicates the guest physical address to the driver in one of two ways:
The driver determines the start address and size of the persistent memory region in preparation for reading or writing data.
The driver initializes req_vq in preparation for making flush requests.
If VIRTIO_PMEM_F_SHMEM_REGION has been negotiated, the device MUST indicate the guest physical address as a shared memory region. The device MUST use shared memory region ID 0. The device SHOULD set start and size to zero.
If VIRTIO_PMEM_F_SHMEM_REGION has not been negotiated, the device MUST indicate the guest physical address as a physical address. The device MUST set start to the absolute address and size to the size of the address range, in bytes.
If VIRTIO_PMEM_F_SHMEM_REGION has been negotiated, the driver MUST query shared memory ID 0 for the physical address ranges, and MUST NOT use start or stop.
If VIRTIO_PMEM_F_SHMEM_REGION has not been negotiated, the driver MUST read the physical address ranges from start and stop.
Requests have the following format:
type is the request command type.
Possible request types are:
The device MUST ensure that all writes completed before a flush request persist across device reset and power failure before completing the flush request.
ret is the value which the device returns after command completion.
The device MUST return "0" for success and "-1" for failure.
There could be potential security implications depending on how memory mapped backing device is used. By default device emulation is done with SHARED memory mapping. There is a contract between driver and device to access shared memory region for read or write operations.
If a malicious driver or device maps the same memory region, the attacker can make use of known side channel attacks to predict the current state of data. If both attacker and victim somehow execute same shared code after a flush or evict operation, with difference in execution timing attacker could infer another device’s data.
If a device’s backing region is shared between multiple devices, this may act as a metric for side channel attacks. As a counter measure every device should have its own (not shared with another driver) SHARED backing memory.
There maybe be chances of side channels attack with PRIVATE memory mapping similar to SHARED with read-only shared mappings. PRIVATE is not used for virtio pmem making this usecase irrelevant.
When using SHARED mappings with a workload that is a single application inside the driver where the risk in sharing data is very low or nonexisting, the device sharing the same backing region with a SHARED mapping can be used as a valid configuration.
Don’t allow device shared region eviction from driver filesystem trim or discard like commands with virtio pmem. This rules out any possibility of evict-reload cache side channel attacks if backing region is shared (SHARED) between mutliple devices. Though if we use per device backing file with shared mapping this countermeasure is not required.
If this feature bit is negotiated, the ordering in effect for any memory accesses by the driver that need to be ordered in a specific way with respect to accesses by the device is the one suitable for devices described by the platform. This implies that the driver needs to use memory barriers suitable for devices described by the platform; e.g. for the PCI transport in the case of hardware PCI devices.
If this feature bit is not negotiated, then the device and driver are assumed to be implemented in software, that is they can be assumed to run on identical CPUs in an SMP configuration. Thus a weaker form of memory barriers is sufficient to yield better performance.
This feature indicates the availability of such value. The definition of the data to be provided in driver notification and the delivery method is transport specific. For more details about driver notifications over PCI see 4.1.5.2.
A driver MUST accept VIRTIO_F_VERSION_1 if it is offered. A driver MAY fail to operate further if VIRTIO_F_VERSION_1 is not offered.
A driver SHOULD accept VIRTIO_F_ACCESS_PLATFORM if it is offered, and it MUST then either disable the IOMMU or configure the IOMMU to translate bus addresses passed to the device into physical addresses in memory. If VIRTIO_F_ACCESS_PLATFORM is not offered, then a driver MUST pass only physical addresses to the device.
A driver SHOULD accept VIRTIO_F_RING_PACKED if it is offered.
A driver SHOULD accept VIRTIO_F_ORDER_PLATFORM if it is offered. If VIRTIO_F_ORDER_PLATFORM has been negotiated, a driver MUST use the barriers suitable for hardware devices.
If VIRTIO_F_SR_IOV has been negotiated, a driver MAY enable virtual functions through the device’s PCI SR-IOV capability structure. A driver MUST NOT negotiate VIRTIO_F_SR_IOV if the device does not have a PCI SR-IOV capability structure or is not a PCI device. A driver MUST negotiate VIRTIO_F_SR_IOV and complete the feature negotiation (including checking the FEATURES_OK device status bit) before enabling virtual functions through the device’s PCI SR-IOV capability structure. After once successfully negotiating VIRTIO_F_SR_IOV, the driver MAY enable virtual functions through the device’s PCI SR-IOV capability structure even if the device or the system has been fully or partially reset, and even without re-negotiating VIRTIO_F_SR_IOV after the reset.
A driver SHOULD accept VIRTIO_F_NOTIF_CONFIG_DATA if it is offered.
A device MUST offer VIRTIO_F_VERSION_1. A device MAY fail to operate further if VIRTIO_F_VERSION_1 is not accepted.
A device SHOULD offer VIRTIO_F_ACCESS_PLATFORM if its access to memory is through bus addresses distinct from and translated by the platform to physical addresses used by the driver, and/or if it can only access certain memory addresses with said access specified and/or granted by the platform. A device MAY fail to operate further if VIRTIO_F_ACCESS_PLATFORM is not accepted.
If VIRTIO_F_IN_ORDER has been negotiated, a device MUST use buffers in the same order in which they have been available.
A device MAY fail to operate further if VIRTIO_F_ORDER_PLATFORM is offered but not accepted. A device MAY operate in a slower emulation mode if VIRTIO_F_ORDER_PLATFORM is offered but not accepted.
It is RECOMMENDED that an add-in card based PCI device offers both VIRTIO_F_ACCESS_PLATFORM and VIRTIO_F_ORDER_PLATFORM for maximum portability.
A device SHOULD offer VIRTIO_F_SR_IOV if it is a PCI device and presents a PCI SR-IOV capability structure, otherwise it MUST NOT offer VIRTIO_F_SR_IOV.
Transitional devices MAY offer the following:
Transitional devices MUST offer, and if offered by the device transitional drivers MUST accept the following:
Conformance targets:
A driver MUST conform to the following normative statements:
A PCI driver MUST conform to the following normative statements:
An MMIO driver MUST conform to the following normative statements:
A Channel I/O driver MUST conform to the following normative statements:
A network driver MUST conform to the following normative statements:
A block driver MUST conform to the following normative statements:
A console driver MUST conform to the following normative statements:
An entropy driver MUST conform to the following normative statements:
A traditional memory balloon driver MUST conform to the following normative statements:
An SCSI host driver MUST conform to the following normative statements:
An input driver MUST conform to the following normative statements:
A Crypto driver MUST conform to the following normative statements:
A socket driver MUST conform to the following normative statements:
A file system driver MUST conform to the following normative statements:
A RPMB driver MUST conform to the following normative statements:
An IOMMU driver MUST conform to the following normative statements:
A sound driver MUST conform to the following normative statements:
A memory driver MUST conform to the following normative statements:
An I2C Adapter driver MUST conform to the following normative statements:
An SCMI driver MUST conform to the following normative statements:
A General Purpose Input/Output (GPIO) driver MUST conform to the following normative statements:
A PMEM driver MUST conform to the following normative statements:
A device MUST conform to the following normative statements:
A PCI device MUST conform to the following normative statements:
An MMIO device MUST conform to the following normative statements:
A Channel I/O device MUST conform to the following normative statements:
A network device MUST conform to the following normative statements:
A block device MUST conform to the following normative statements:
A console device MUST conform to the following normative statements:
An entropy device MUST conform to the following normative statements:
A traditional memory balloon device MUST conform to the following normative statements:
An SCSI host device MUST conform to the following normative statements:
A GPU device MUST conform to the following normative statements:
An input device MUST conform to the following normative statements:
A Crypto device MUST conform to the following normative statements:
A socket device MUST conform to the following normative statements:
A file system device MUST conform to the following normative statements:
An RPMB device MUST conform to the following normative statements:
An IOMMU device MUST conform to the following normative statements:
A sound device MUST conform to the following normative statements:
A memory device MUST conform to the following normative statements:
An I2C Adapter device MUST conform to the following normative statements:
An SCMI device MUST conform to the following normative statements:
A General Purpose Input/Output (GPIO) device MUST conform to the following normative statements:
A PMEM device MUST conform to the following normative statements:
A conformant implementation MUST be either transitional or non-transitional, see 1.3.1.
An implementation MAY choose to implement OPTIONAL support for the legacy interface, including support for legacy drivers or devices, by conforming to all of the MUST or REQUIRED level requirements for the legacy interface for the transitional devices and drivers.
The requirements for the legacy interface for transitional implementations are located in sections named “Legacy Interface” listed below:
It is possible that a very simple device will operate entirely through its device configuration space, but most will need at least one virtqueue in which it will place requests. A device with both input and output (eg. console and network devices described here) need two queues: one which the driver fills with buffers to receive input, and one which the driver places buffers to transmit output.
Device configuration space should only be used for initialization-time parameters. It is a limited resource with no synchronization between field written by the driver, so for most uses it is better to use a virtqueue to update configuration information (the network device does this for filtering, otherwise the table in the config space could potentially be very large).
Remember that configuration fields over 32 bits wide might not be atomically writable by the driver. Therefore, no writeable field which triggers an action ought to be wider than 32 bits.
Device numbers can be reserved by the OASIS committee: email virtio-dev@lists.oasis-open.org to secure a unique one.
Meanwhile for experimental drivers, use 65535 and work backwards.
Using the optional MSI-X capability devices can speed up interrupt processing by removing the need to read ISR Status register by guest driver (which might be an expensive operation), reducing interrupt sharing between devices and queues within the device, and handling interrupts from multiple CPUs. However, some systems impose a limit (which might be as low as 256) on the total number of MSI-X vectors that can be allocated to all devices. Devices and/or drivers should take this into account, limiting the number of vectors used unless the device is expected to cause a high volume of interrupts. Devices can control the number of vectors used by limiting the MSI-X Table Size or not presenting MSI-X capability in PCI configuration space. Drivers can control this by mapping events to as small number of vectors as possible, or disabling MSI-X capability altogether.
Any change to device configuration space, or new virtqueues, or behavioural changes, should be indicated by negotiation of a new feature bit. This establishes clarity24 and avoids future expansion problems.
Clusters of functionality which are always implemented together can use a single bit, but if one feature makes sense without the others they should not be gratuitously grouped together to conserve feature bits.
Alexander Duyck, Intel
Alex Bennée, Linaro
Anton Yakovlev, OpenSynergy
Arseny Krasnov, Kaspersky Lab
Cornelia Huck, Red Hat
David Hildenbrand, Red Hat
David Stevens, Chromium
Dr. David Alan Gilbert, Red Hat
Enrico Granata, Google
Eugenio Pérez, Red Hat
Felipe Franciosi, Nutanix
Gaetan Harter, OpenSynergy
Gerd Hoffmann, Red Hat
Gurchetan Singh, Chromium
Halil Pasic, IBM
Hao Chen, Google
Huang Yang, Intel
Jan Kiszka, Siemens
Jean-Philippe Brucker, Linaro
Jiang Wang, Bytedance
Jie Deng, Intel
Joel Nider, Individual
Johannes Berg, Intel
Junji Wei, Bytedance
Keiichi Watanabe, Chromium
Marcel Holtmann, Individual
Max Gurtovoy, Nvidia
Michael S. Tsirkin, Red Hat
Nikos Dragazis, Arrikto
Pankaj Gupta, Red Hat
Paolo Bonzini, Red Hat
Parav Pandit, Nvidia
Peter Hilber, OpenSynergy
Petre Eftime, Amazon
Philipp Hahn, Univention
Rob Bradford, Intel
Stefan Fritsch, Individual
Stefan Hajnoczi, Red Hat
Stefano Garzarella, Red Hat
Taylor Stark, Microsoft
Tiwei Bie, Intel
Viresh Kumar, Linaro
Vitaly Mireyno, Marvell
Xuan Zhuo, Alibaba
Yadong Qi, Intel
Yoni Bettan, Red Hat
Yuri Benditovich, Red Hat / Daynix
The following non-members have provided valuable feedback on this specification and are gratefully acknowledged:
Christophe de Dinechin, Red Hat
Gil Savir, Intel
Ruchika Gupta, Linaro
Arnd Bergmann, Individual
Bing Zhu, Intel
Eduardo Habkost, Red Hat
Eric Auger, Red Hat
Jason Wang, Red Hat
Jens Freimann, Red Hat
Kevin Tian, Intel
Linus Walleij, Linaro
Matti Möll, OpenSynergy
Tomas Winkler, Intel
Yang Huang, Intel
The following individuals have participated in the creation of previous versions of this specification and are gratefully acknowledged:
Allen Chia, Oracle
Amit Shah, Red Hat
Amos Kong, Red Hat
Anthony Liguori, IBM
Bruce Rogers, SUSE
Bryan Venteicher, NetApp
Chandra Thyamagondlu, Xilinx
Chet Ensign, OASIS
Cornelia Huck, Red Hat
Cunming, Liang, Intel
Damjan, Marion, Cisco
Daniel Kiper, Oracle
Fang Chen, Huawei
Fang You, Huawei
Geoff Brown, M2Mi
Gerd Hoffmann, Red Hat
Gershon Janssen, Individual Member
Grant Likely, ARM
Haggai Eran, Mellanox
Halil Pasic, IBM
James Bottomley, Parallels IP Holdings GmbH
Jani Kokkonen, Huawei
Jan Kiszka, Siemens AG
Jens Freimann, Red Hat
Jian Zhou, Huawei
Karen Xie, Xilinx
Kumar Sanghvi, Xilinx
Lei Gong, Huawei
Lior Narkis, Mellanox
Luiz Capitulino, Red Hat
Marc-André Lureau, Red Hat
Mark Gray, Intel
Michael S. Tsirkin, Red Hat
Mihai Carabas, Oracle
Nishank Trivedi, NetApp
Paolo Bonzini, Red Hat
Paul Mundt, Huawei
Pawel Moll, ARM
Peng Long, Huawei
Piotr Uminski, Intel
Qian Xum, Intel
Richard Sohn, Alcatel-Lucent
Rusty Russell, IBM
Sasha Levin, Oracle
Sergey Tverdyshev, Thales e-Security
Stefan Hajnoczi, Red Hat
Sundar Mohan, Xilinx
Tom Lyon, Samya Systems, Inc.
Victor Kaplansky, Red Hat
Vijay Balakrishna, Oracle
Wei Wang, Intel
Xin Zeng, Intel
The following non-members have provided valuable feedback on previous versions of this specification and are gratefully acknowledged:
Aaron Conole, Red Hat
Adam Tao, Huawei
Alexander Duyck, Intel
Andreas Pape, ADITG/ESB
Andrew Thornton, Google
Arun Subbarao, LynuxWorks
Baptiste Reynal, Virtual Open Systems
Bharat Bhushan, NXP Semiconductors
Brian Foley, ARM
Chandra Thyamagondlu, Xilinx
Changpeng Liu, Intel
Christian Pinto, Virtual Open Systems
Christoffer Dall, ARM
Christoph Hellwig, Individual
Christian Borntraeger, IBM
Daniel Marcovitch, Mellanox
David Alan Gilbert, Red Hat
David Hildenbrand, Red Hat
David Riddoch, Solarflare
Denis V. Lunev, OpenVZ
Dmitry Fleytman, Red Hat
Don Wallwork, Broadcom
Emily Drea, ARM
Eric Auger, Red Hat
Fam Zheng, Red Hat
Francesco Fusco, Red Hat
Frank Yang, Google
Gil Savir, Intel
Gonglei (Arei), Huawei
Greg Kurz, IBM
Hannes Reiencke, SUSE
Ian Campbell, Docker
Ilya Lesokhin, Mellanox
Jacques Durand, Fujutsu
Jakub Jermar, Kernkonzept
Jan Scheurich, Ericsson
Jason Baron, Akamai
Jason Wang, Red Hat
Jean-Philippe Brucker, ARM
Jianfeng Tan, intel
Jonathan Helman, Oracle
Karandeep Chahal, DDN
Kevin Lo, MSI
Kevin Tian, Intel
Kully Dhanoa, Intel
Laura Novich, Red Hat
Ladi Prosek, Red Hat
Lars Ganrot, Napatech
Longpeng (Mike), Huawei
Mario Torrecillas Rodriguez, ARM
Mark Rustad, Intel
Maxime Coquelin, Red Hat
Namhyung Kim, LG
Ola Liljedahl, ARM
Pankaj Gupta, Red Hat
Patrick Durusau, OASIS
Pierre Pfister, Cisco
Pranavkumar Sawargaonkar, Linaro
Rauchfuss Holm, Huawei
Rob Miller, Broadcom
Roman Kiryanov, Google
Robin Cover, OASIS
Roger S Chien, Intel
Sameeh Jubran, Red Hat / Daynix
Si-Wei Liu, Oracle
Sridhar Samudrala, Intel
Stefan Fritsch, Individual
Stefano Garzarella, Red Hat
Steven Luong, Cisco
Thomas Huth, Red Hat
Tiwei Bie, Intel
Tomáš Golembiovský, Red Hat
Venu Busireddy, Oracle
Victor Kaplansky, Red Hat
Vijayabhaskar Balakrishna, Oracle
Vlad Yasevich, Red Hat
Yan Vugenfirer, Red Hat / Daynix
Wei Xu, Red Hat
Will Deacon, ARM
Willem de Bruijn, Google
Yuanhan Liu, Intel
Yuri Benditovich, Red Hat / Daynix
Zhi Yong Wu, IBM
Zhoujian, Huawei
| Revision | Date | Editor |
Changes Made |
| d519c224ba69 | 20 Jun 2019 | Stefan Hajnoczi |
content: reserve virtio device ID for file system devices Reserve device ID 26 for virtio-fs devices. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/31 Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5. |
| 9454b568c29b | 20 Jun 2019 | Pankaj Gupta |
content: reserve device ID for virtio-pmem devices We need a device ID for virtio-pmem devices. As 25 is requested by audio device and 26 is requested by virtio-fs, so requesting next available(27). Also, updated the previously requested github issue[1] for voting. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/38 Reviewed-by: Cornelia Huck
Signed-off-by: Pankaj Gupta
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5. |
| efd4028b7aec | 25 Jul 2019 | Dr. David Alan Gilbert |
shared memory: Define shared memory regions Define the requirements and idea behind shared memory regions. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/40 Signed-off-by: Dr. David Alan
Gilbert
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin See 2.10. |
| 39dfc8afc0b9 | 25 Jul 2019 | Dr. David Alan Gilbert |
pci: Define id field For the virtio-fs device we require multiple large shared memory regions. Differentiate these by an ’id’ field in the base capability. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/40 Signed-off-by: Dr. David Alan
Gilbert
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin See 4.1.4. |
| 8100dcfcd622 | 25 Jul 2019 | Dr. David Alan Gilbert |
pci: Define virtio_pci_cap64 Define ’virtio_pci_cap64’ to allow capabilities to describe memory regions larger than, or with an offset larger than 4GiB. This will be used by the shared memory region capability. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/40 Signed-off-by: Dr. David Alan
Gilbert
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin See 4.1.4. |
| 855ad7af2bd6 | 25 Jul 2019 | Dr. David Alan Gilbert |
shared memory: Define PCI capability Define the PCI capability used for enumerating shared memory regions. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/40 Signed-off-by: Dr. David Alan
Gilbert
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
See 4.1.4.7. |
| 2dd2d468f69b | 25 Jul 2019 | Dr. David Alan Gilbert |
shared memory: Define mmio registers Define an MMIO interface to discover and map shared memory regions. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/40 Signed-off-by: Dr. David Alan
Gilbert
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin See 4.2.2. |
| 4237d22cd5b1 | 08 Sep 2019 | Nikos Dragazis |
content: fix typo Signed-off-by: Nikos Dragazis
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
See 4.1.4. |
| 1571d741f300 | 08 Sep 2019 | Dr. David Alan Gilbert |
shared memory: Typo fix Fix double hex in SHM*High defs. Signed-off-by: Dr. David Alan
Gilbert
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
Reviewed-by: Stefan Hajnoczi
See 4.2.2. |
| 7a25d74962d3 | 08 Sep 2019 | Tiwei Bie |
content: fix typo in feature bit name Signed-off-by: Tiwei Bie
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/46 Reviewed-by: Stefan Hajnoczi
See 5.1.6.5.3. |
| 6aecd69eb90b | 08 Sep 2019 | Tiwei Bie |
content: explicitly document the VLAN filtering as best-effort Similar to the MAC address based filtering, the VLAN filtering is also best-effort in implementations, but it’s not quite clear in the spec. So document this behaviour explicitly to reflect the way implementations behave. Signed-off-by: Tiwei Bie
Acked-by: Michael S. Tsirkin
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/47 See 5.1.6.5.3. |
| 29540779e4fd | 25 Sep 2019 | Stefan Hajnoczi |
content: add virtio file system device The virtio file system device transports Linux FUSE requests between a FUSE daemon running on the host and the FUSE driver inside the guest. The actual FUSE request definitions are not duplicated in the virtio specification, similar to how virtio-scsi does not document SCSI command details. FUSE request definitions are available here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/fuse.h This patch documents the core virtio file system device, which is functional but lacks the DAX feature introduced in the next patch. Signed-off-by: Stefan Hajnoczi
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/49 See 5.11. |
| ef5a7f405b95 | 25 Sep 2019 | Stefan Hajnoczi |
virtio-fs: add DAX window Describe how shared memory region ID 0 is the DAX window and how FUSE_SETUPMAPPING maps file ranges into the window. Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
|
| 1e30753d53d2 | 12 Oct 2019 | Jan Kiszka |
Fix ^= in example code Trying to escaping ^ here only leaves the backslash in the output. Signed-off-by: Jan Kiszka
Signed-off-by: Michael S.
Tsirkin |
| f9bed5bcb25e | 12 Oct 2019 | Jan Kiszka |
Lift "Driver Notifications" to section level Currently, it slips under the Packed Virtqueues section while it is not specific to this format. At this chance, capitalize "Notifications". Signed-off-by: Jan Kiszka
Signed-off-by: Michael S.
Tsirkin See 2.9. |
| 8f2c4e03eae8 | 27 Oct 2019 | Eugenio Pérez |
block: Add multiqueue The spec miss that field. Add the field, some description around. I’ve followed the network device’s multiqueue mentions, and copied / adapted when needed. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/50 Reviewed-by: Stefan Hajnoczi
Signed-off-by: Eugenio Pérez
Signed-off-by: Michael S.
Tsirkin |
| f1f2f85c1482 | 27 Oct 2019 | Jan Kiszka |
Console Device: Add a missing word Signed-off-by: Jan Kiszka
See 5.3.6. |
| da17c7fc4e12 | 27 Oct 2019 | Paolo Bonzini |
virtio_pci_common_cfg: fix field name The field is named config_msix_vector in the rest of the document, use the same name in the struct. Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/41 Reviewed-by: Stefan Hajnoczi
See 4.1.4.3. |
| f459b9e0ea60 | 27 Oct 2019 | Eugenio Pérez |
virtio-blk: typo: Capitalization in Device Initialization item Signed-off-by: Eugenio Pérez
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/51 Reviewed-by: Stefan Hajnoczi
See 5.2.5. |
| 30d8e1ad22f7 | 27 Oct 2019 | Philipp Hahn |
Balloon: Fix Memory Statistics structure size 5.5.6.3 Memory Statistics: 6 -> 10 byte > Within the buffer, statistics are an array of 6-byte entries. ^ > Each statistic consists of a 16 bit tag and a 64 bit value. ... > struct virtio_balloon_stat . ... > le16 tag; > le64 val; > } __attribute__((packed)); If my calculation is right that is a (16 + 64) = 80 bits which is a 10-byte sized entry - not 6-byte. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/45 Signed-off-by: Michael S.
Tsirkin See 5.5.6.3. |
| acfe7bd5bcbe | 27 Oct 2019 | Michael S. Tsirkin |
README.md: document the minor cleanups standing rule Signed-off-by: Michael S.
Tsirkin
|
| a610121f250b | 24 Nov 2019 | Jan Kiszka |
virtio-mmio: Rename remaining QueueAvail/Used references These have been changed in ae98c6bc21bc. Convert the rest. Signed-off-by: Jan Kiszka
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/52 See 4.2.2. |
| 4be5d38ad692 | 24 Nov 2019 | Stefan Fritsch |
Fix typo It’s balloon, not ballon. Reviewed-by: Stefan Hajnoczi
Signed-off-by: Stefan Fritsch
Signed-off-by: Michael S.
Tsirkin See 5.5.2. |
| 3109be870170 | 24 Nov 2019 | Paolo Bonzini |
Reserve id for virtio-audio device Project ACRN has a virtio-audio device. Unfortunately, the id they are using is already reserved in the virtio specification, but it is nevertheless useful to have one. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/42 Signed-off-by: Paolo Bonzini
Signed-off-by: Michael S.
Tsirkin See 5. |
| 4f1981a1ff46 | 24 Nov 2019 | Vitaly Mireyno |
virtio-net: Add support for correct hdr_len field. Includes device implementation note for using hdr_len Signed-off-by: Vitaly Mireyno
Signed-off-by: Michael S.
Tsirkin |
| 2c77526beb13 | 24 Nov 2019 | Cornelia Huck |
virtio-net: add missing articles for new hdr_len feature And tweak a sentence slightly. Reviewed-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
Reviewed-by: Stefan Hajnoczi
See 5.1.6.2. |
| 8c6acac22a99 | 27 Nov 2019 | Huang Yang |
Add virtio rpmb device specification Add virtio RPMB (Replay Protected Memory Block) device documentation to spec. Signed-off-by: Yang Huang
Reviewed-by: Bing Zhu
Reviewed-by: Tomas Winkler
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/53 Signed-off-by: Michael S.
Tsirkin See 5.12. |
| e8ba780bd7ab | 27 Nov 2019 | Huang Yang |
Reserve device id 28 for virtio RPMB device Signed-off-by: Huang Yang
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/58 See 5. |
| 356aeeb40d7a | 20 Jan 2020 | Michael S. Tsirkin |
content: add vendor specific cfg type Vendors might want to add their own capability in the PCI capability list. However, Virtio already uses the vendor specific capability ID (0x09) for its own purposes. Provide a structure for vendor specific extensions. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/62 Signed-off-by: Michael S.
Tsirkin |
| 50049af040d4 | 20 Jan 2020 | Michael S. Tsirkin |
virtio_pci_cap64: bar/BAR cleanups When we mean PCI register we should say BAR. When we mean a virtio config register we should say \field{cap.bar}. Finally, offset_hi/length_hi are not within the cap structure. Tweak wording slightly: "A,B,C" are fields, there’s no need to say that. Reported-by: Christophe de
Dinechin
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
|
| b6e992c7af88 | 20 Jan 2020 | Yuri Benditovich |
virtio-net: define support for receive-side scaling Fixes: https://github.com/oasis-tcs/virtio-spec/issues/48 Added support for RSS receive steering mode. Signed-off-by: Yuri Benditovich
Signed-off-by: Michael S.
Tsirkin |
| 8361dd6eb0f4 | 20 Jan 2020 | Michael S. Tsirkin |
virtio-net: receive-side scaling Typo/grammar fixes as suggested by Cornelia (and a couple noticed by myself). Signed-off-by: Michael S.
Tsirkin |
| 1efcda892193 | 20 Jan 2020 | Michael S. Tsirkin |
virtio-net: missing "." for feature descriptions At end of each sentence, for consistency. Signed-off-by: Michael S.
Tsirkin See 5.1.3. |
| 652237ea2839 | 20 Jan 2020 | Jean-Philippe Brucker |
Add virtio-iommu device specification The IOMMU device allows a guest to manage DMA mappings for physical, emulated and paravirtualized endpoints. Add device description for the virtio-iommu device and driver. Introduce PROBE, ATTACH, DETACH, MAP and UNMAP requests, as well as translation error reporting. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/37 Signed-off-by:
Jean-Philippe Brucker
Signed-off-by: Michael S.
Tsirkin See 5.13. |
| 6914d2df75ec | 28 Jan 2020 | Keiichi Watanabe |
content: Reserve device ID for video encoder and decoder device Reserve device ID 30 for video encoder device and 31 for video decoder device. Signed-off-by: Keiichi
Watanabe
Signed-off-by: Michael S.
Tsirkin Acked-by: Gerd Hoffmann
See 5. |
| d7e91b5469fb | 28 Jan 2020 | Michael S. Tsirkin |
virtio-rng: fix device/driver confusion The point of rng is to give data to driver so of course all buffers are driver readable. What shouldn’t be there is device readable buffers - this matches our terminology elsewhere too (read/write-ability is from POV of device). Fixes: https://github.com/oasis-tcs/virtio-spec/issues/55 Signed-off-by: Michael S.
Tsirkin Reviewed-by: Pankaj Gupta
See 5.4.6. |
| da60923ce164 | 28 Jan 2020 | Michael S. Tsirkin |
content: document speed, duplex Document as used by Linux. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/59 Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
|
| 61124330bf1c | 27 Feb 2020 | Gerd Hoffmann |
virtio-gpu: add 3d command overview Add 3d commands to the command enumeration. Add a section with a very short overview. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/65 Signed-off-by: Gerd Hoffmann
Signed-off-by: Michael S.
Tsirkin |
| 0c0dd715152c | 27 Feb 2020 | Gerd Hoffmann |
virtio-gpu: some edid clarifications Add some notes about fetching the EDID information. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/64 Signed-off-by: Gerd Hoffmann
Signed-off-by: Michael S.
Tsirkin |
| f42cc75d0725 | 01 Mar 2020 | Michael S. Tsirkin |
virtio-net/rss: maximal -> maximum Maximal can mean "local as opposed to a global maximum". Rest of the spec says maximum everywhere. Let’s be consistent. Cc: Yuri Benditovich
Signed-off-by: Michael S.
Tsirkin See 5.1.4. |
| 089bc5911dea | 04 May 2020 | Jean-Philippe Brucker |
virtio-iommu: Remove invalid requirement about padding This reference to ’padding’ is a leftover from a previous draft of the virtio-iommu device. The field doesn’t exist anymore, remove the requirement. Signed-off-by: Jean-Philippe
Brucker
Signed-off-by: Michael S.
Tsirkin See 5.13.4. |
| e73c8cdf3e82 | 01 Sep 2020 | Anton Yakovlev |
virtio-snd: add virtio sound device specification This patch proposes virtio specification for a new virtio sound device, that may be useful in case when having audio is required but a device passthrough or emulation is not an option. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/54 Signed-off-by: Anton Yakovlev
Signed-off-by: Michael S.
Tsirkin See 5.1.4. |
| 3f27648d9c66 | 01 Sep 2020 | Jan Kiszka |
split-ring: Demand that a device must not change descriptor entries So far the spec only indirectly says that a descriptor table entry is not modified by a device when processing it. Make this explicit by adding it as normative requirement. Existing drivers already depend on this. See also https://lists.oasis-open.org/archives/virtio-dev/201910/msg00057.html. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/56 Signed-off-by: Jan Kiszka
Signed-off-by: Michael S.
Tsirkin See 2.7.5. |
| 3353ed1c255a | 01 Sep 2020 | Yuri Benditovich |
virtio-net: Define per-packet hash reporting feature Define respective feature bit for virtio-net. Extend packet layout to populate hash value and type. Move the definition of IP/TCP/UDP header fields to calculate the hash out of RSS section to common network device section. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/66 Signed-off-by: Yuri Benditovich
Signed-off-by: Michael S.
Tsirkin |
| 51cad55ea64d | 01 Sep 2020 | Johannes Berg |
reserve device ID for hwsim wireless simulation The Linux mac80211-hwsim module currently allows simulation of multiple wireless radios on a shared medium, and has an existing API for this to work through a userspace implementation of the medium simulation (e.g. implemented by wmediumd). In order to simplify working with virtual machines and to enable (time-compressed) simulation use cases, allocate a virtio device ID to allow carrying this protocol over virtio in addition to the current netlink sockets. Since device ID 28 was previously requested, use 29. Signed-off-by: Johannes Berg
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/68 See 5. |
| 832099d5df8c | 01 Sep 2020 | Vitaly Mireyno |
virtio-net: Fix VIRTIO_NET_F_GUEST_HDRLEN feature definition. Fix driver and device requirements with regards to the VIRTIO_NET_F_GUEST_HDRLEN feature - ’hdr_len’ must be accurate only for TSO/UFO packets. Signed-off-by: Vitaly Mireyno
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/72 See 5.1.6.2. |
| 5d9444d699e5 | 01 Sep 2020 | Peter Hilber |
Reserve device ID 32 for SCMI device Signed-off-by: Peter Hilber
Signed-off-by: Michael S.
Tsirkin Fixes: https://github.com/oasis-tcs/virtio-spec/issues/74 Reviewed-by: Stefan Hajnoczi
See 5. |
| 68f66ff7a3d9 | 01 Sep 2020 | David Stevens |
content: define what an exported object is Define a mechanism for sharing objects between different virtio devices. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/76 Signed-off-by: David Stevens
Signed-off-by: Michael S.
Tsirkin See 2.11. |
| 162578b7e26c | 01 Sep 2020 | David Stevens |
virtio-gpu: add the ability to export resources Fixes: https://github.com/oasis-tcs/virtio-spec/issues/76 Signed-off-by: David Stevens
Signed-off-by: Michael S.
Tsirkin |
| 12d74846a6ee | 01 Sep 2020 | Petre Eftime |
content: Reserve virtio-nsm device ID The NitroSecureModule is a device with a very stripped down Trusted Platform Module functionality, which is used in the context of a Nitro Enclave (see https://lkml.org/lkml/2020/4/21/1020) to provide boot time measurement and attestation. Since this device provides some critical cryptographic operations, there are a series of operations which are required to have guarantees of atomicity, ordering and consistency: operations fully succeed or fully fail, including when some external events might interfere in the process: live migration, crashes, etc; any failure in the critical section requires termination of the enclave it is attached to, so the device needs to be as resilient as possible, simplicity is strongly desired. To account for that, the device and driver are made to have very few error cases in the critical path and the operations themselves can be rolled back and retried if events happen outside the critical area, while processing a request. The driver itself can be made very simple and thus is easily portable. Since the requests can be handled directly in the virtio queue, serving most requests requires no additional buffering or memory allocations on the host side. Signed-off-by: Petre Eftime
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/81 See 5. |
| 7a46ee550d70 | 01 Sep 2020 | David Hildenbrand |
conformance: make driver conformance list easier to read and maintain Let’s define it just like the device conformance list. Reviewed-by: Cornelia Huck
Signed-off-by: David
Hildenbrand
Signed-off-by: Michael S.
Tsirkin See 7.1. |
| 9abf00ff4654 | 01 Sep 2020 | David Hildenbrand |
conformance: Reference RPMB Driver Conformance We forgot to reference the driver conformance. Reviewed-by: Cornelia Huck
Cc: Yang Huang
Signed-off-by: David
Hildenbrand
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Alex Bennée
See 7.1. |
| af6b93bfd9a0 | 01 Sep 2020 | David Hildenbrand |
Add virtio-mem device specification The virtio memory device provides and manages a memory region in guest physical address space. This memory region is partitioned into memory blocks of fixed size that can either be in the state plugged or unplugged. Specify the device configuration, initialization, and operation. Introduce PLUG, UNPLUG, UNPLUG ALL and STATE requests. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/82 Cc: teawater
Signed-off-by: David
Hildenbrand
Signed-off-by: Michael S.
Tsirkin See 5.15. |
| 28ea45d8d79f | 11 Nov 2020 | Jie Deng |
content: Reserve device ID 34 for I2C adapter Request the ID 34 for I2C adapter. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/85 Signed-off-by: Jie Deng
Signed-off-by: Cornelia Huck
See 5. |
| d44895cdadc0 | 11 Nov 2020 | Rob Bradford |
content: Reserve virtio-watchog device ID Reserve an ID for a watchdog device which may be used to ensure that the guest is responsive. This is equivalent of a hardware watchdog device and will trigger the reboot of the guest if the the host does not periodic ping from the the guest. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/87 Signed-off-by: Rob Bradford
Signed-off-by: Cornelia Huck
See 5. |
| 38448268eba0 | 11 Nov 2020 | Alexander Duyck |
content: Document balloon feature free page hints Free page hints allow the balloon driver to provide information on what pages are not currently in use so that we can avoid the cost of copying them in migration scenarios. Add a feature description for free page hints describing basic functioning and requirements. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/84 Acked-by: Cornelia Huck
Reviewed-by: David
Hildenbrand
Signed-off-by: Alexander Duyck
Signed-off-by: Cornelia Huck
|
| 4749f03e72f8 | 11 Nov 2020 | Alexander Duyck |
content: Document balloon feature page poison Page poison provides a way for the guest to notify the host that it is initializing or poisoning freed pages with some specific poison value. As a result of this we can infer a couple traits about the guest: 1. Free pages will contain a specific pattern within the guest. 2. Modifying free pages from this value may cause an error in the guest. 3. Pages will be immediately written to by the driver when deflated. There are currently no existing features that make use of this data. In the upcoming feature free page reporting we will need to make use of this to identify if we can evict pages from the guest without causing data corruption. Add documentation for the page poison feature describing the basic functionality and requirements. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/84 Reviewed-by: Cornelia Huck
Reviewed-by: David
Hildenbrand
Signed-off-by: Alexander Duyck
Signed-off-by: Cornelia Huck
|
| d917d4a8d552 | 11 Nov 2020 | Alexander Duyck |
content: Document balloon feature free page reporting Free page reporting is a feature that allows the guest to proactively report unused pages to the host. By making use of this feature is is possible to reduce the overall memory footprint of the guest in cases where some significant portion of the memory is idle. Add documentation for the free page reporting feature describing the functionality and requirements. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/84 Reviewed-by: Cornelia Huck
Reviewed-by: David
Hildenbrand
Signed-off-by: Alexander Duyck
Signed-off-by: Cornelia Huck
|
| 9164d35e4b2a | 13 Nov 2020 | Alexander Duyck |
content: Minor change to clarify free_page_hint_cmd_id The original wording was a bit unclear and could have been misinterpreted as indicating that VIRTIO_BALLOON_FREE_PAGE_HINT was read-only instead of the field free_page_hint_cmd_id. To clarify that break it up into two sentences making it clear that the field is only available if the feature is negotiated, and that the field is read-only. Reviewed-by: Cornelia Huck
Signed-off-by: Alexander Duyck
Acked-by: Michael S. Tsirkin
[CH: included under the minor cleanup rule] Signed-off-by: Cornelia Huck
See 5.5.4. |
| b342d29aaf9f | 19 Nov 2020 | Stefan Hajnoczi |
virtio-blk: document VIRTIO_BLK_T_GET_ID The VIRTIO_BLK_T_GET_ID request type was implemented in Linux and QEMU in 2010. It does not have a feature bit but devices respond with VIRTIO_BLK_S_UNSUPP if a request type is unimplemented. This patch documents the VIRTIO_BLK_T_GET_ID request type as currently implemented in Linux and QEMU. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/63 Suggested-by: Jan Kiszka
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 5.2.6. |
| 89e7eb5b9a76 | 19 Nov 2020 | Gurchetan Singh |
virtio-gpu: add resource create blob Blob resources are size-based containers for host, guest, or host+guest allocations. These resources are designed with mulit-process 3D support in mind, but also usable in virtio-gpu 2d with guest memory. Many hypercalls are reused, since a image view into the blob resource is possible. Blob resources are both forward and backward looking. v2: Add TRANSFER_BLOB, SET_SCANOUT_BLOB, SCANOUT_FLUSH v3: Remove SCANOUT_FLUSH and add notes v4: Remove TRANSFER_BLOB for now. v5: clarify interactions with ATTACH_BACKING / DETACH_BACKING. This is to preserve the possibility of guest swap-in and guest swap-out, while acknowledging this feature may never be implemented and may not be applicable for all future planned values of ‘blob_mem‘ or context types. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/86 Signed-off-by: Gurchetan Singh
Acked-by: Chia-I Wu
Signed-off-by: Cornelia Huck
|
| 87fa6b5d8155 | 19 Nov 2020 | Gurchetan Singh |
virtio-gpu: add support for mapping/unmapping blob resources This defines a virtgpu shared memory region, with the possibilty of more in the future. This is required to implement VK/GL coherent memory semantics, among other things. v6: disallow mapping an already mapped blob resource as a simplification Fixes: https://github.com/oasis-tcs/virtio-spec/issues/86 Signed-off-by: Gurchetan Singh
Acked-by: Gerd Hoffmann
Signed-off-by: Cornelia Huck
|
| 2ff0d5c68af2 | 03 Dec 2020 | Vitaly Mireyno |
virtio-net: Add support for the flexible driver notification structure. When the driver is required to send an available buffer notification to the device, it sends the virtqueue number to be notified. With this new feature, the device can optionally provide a per-virtqueue value for the driver to use in driver notifications, instead of the virtqueue number. Some devices may benefit from this flexibility by providing, for example, an internal virtqueue identifier, or an internal offset related to the virtqueue number. Changes from v8: * Incorporated comments for v8: - moved the feature from a network device to a global section - few minor changes Fixes: https://github.com/oasis-tcs/virtio-spec/issues/89 Signed-off-by: Vitaly Mireyno
[CH: wrapped overlong lines in commit message] Signed-off-by: Cornelia Huck
|
| bccdda7fb41a | 15 Dec 2020 | Michael S. Tsirkin |
typo: VIRTIO_NET_F_MAC_ADDR -> VIRTIO_NET_F_MAC VIRTIO_NET_F_MAC_ADDR isn’t defined. It’s clear from context that what is meant is VIRTIO_NET_F_MAC which controls whether mac in config space is valid. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/90 Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin Signed-off-by: Cornelia Huck
See 5.1.6.5.2. |
| 87de7136382e | 15 Dec 2020 | David Hildenbrand |
virtio-mem: minor clarification regarding read-access to unplugged blocks Let’s clarify that we don’t expect all DMA to work with unplugged blocks. We really only give guarantees when reading from unplugged memory blocks via the CPU, e.g., as done by Linux when creating a system dump via kdump: the new kernel will copy the content of the old (crashed) kernel via the CPU to user space, from where it will find its final destination inside the dump file. Note that dumping via makedumpfile under Linux will avoid reading unplugged blocks completely. This is a preparation for device passthrough to VMs, whereby such dedicated devices might not be able to read from unplugged memory blocks. Let’s document that this scenario is possible, and why this handling is in place at all. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/91 Cc: teawater
Cc: Marek Kedzierski
Cc: Michael S. Tsirkin
Cc: Cornelia Huck
Acked-by: Cornelia Huck
Signed-off-by: David
Hildenbrand
Signed-off-by: Cornelia Huck
See 5.15.6. |
| f725281ebba7 | 25 Jan 2021 | Jie Deng |
virtio-i2c: add the device specification virtio-i2c is a virtual I2C adapter device. It provides a way to flexibly communicate with the host I2C slave devices from the guest. This patch adds the specification for this device. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/88 Signed-off-by: Jie Deng
Signed-off-by: Cornelia Huck
See 5.15.6. |
| 6ee5e4b54c8e | 26 Jan 2021 | Felipe Franciosi |
content: Fix driver/device wording on ISR bits Section "ISR status capability" incorrectly worded that the bits part of the register allows the device to distinguish between interrupt types. It is the driver that needs access to that distinction, not the device. Signed-off-by: Felipe Franciosi
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 4.1.4.5. |
| a17c29e2201b | 26 Jan 2021 | Alex Bennée |
virtio-gpu.tex: fix some UTF-8 damage While building I got a warning about: ! Package utf8x Error: MalformedUTF-8sequence. Fixes: 87fa6b5 ("virtio-gpu: add support for mapping/unmapping blob resources") Signed-off-by: Alex Bennée
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 5.7.6.9. |
| a306bf467850 | 09 Feb 2021 | Cornelia Huck |
clarify device reset Properly specify that the method for the driver to request a device reset is transport specific, and some action the device has to take. Reviewed-by: Jason Wang
Reviewed-by: Halil Pasic
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/93 Signed-off-by: Cornelia Huck
|
| f5fd3fca7e40 | 10 Feb 2021 | Peter Hilber |
content: reserve device ID 36 for CAN device The CAN device sends and receives CAN (Controller Area Network) messages. CAN is a communication protocol used in embedded systems. Signed-off-by: Peter Hilber
Reviewed-by: Matti Möll
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/95 Signed-off-by: Cornelia Huck
See 5. |
| 30e6526f4d8e | 25 Feb 2021 | Cornelia Huck |
virtio-ccw: relax device requirement for revision-specific command rejection The device is currently required to reject any command that is not contained in the negotiated revision. Some implementations did not actively check for the revision when processing a command; retroactively changing these implementations can break existing drivers. Relaxing the rejection requirement to SHOULD makes these existing device implementations compliant, and will not have any effect on drivers that did not send any commands for wrong revisions. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/96 Reviewed-by: Halil Pasic
Signed-off-by: Cornelia Huck
See 4.3.2.1. |
| 5e9a37b9a559 | 30 Mar 2021 | Enrico Granata |
Add lifetime metrics to virtio-blk In many embedded systems, virtio-blk implementations are backed by eMMC or UFS storage devices, which are subject to predictable and measurable wear over time due to repeated write cycles. For such systems, it can be important to be able to track accurately the amount of wear imposed on the storage over time and surface it to applications. In a native deployments this is generally handled by the physical block device driver but no such provision is made in virtio-blk to expose these metrics for devices where it makes sense to do so. This patch adds support to virtio-blk for lifetime and wear metrics to be exposed to the guest when a deployment of virtio-blk is done over compatible eMMC or UFS storage. Signed-off-by: Enrico Granata
Fixes: https://github.org/oasis-tcs/virtio-spec/issues/97 Signed-off-by: Cornelia Huck
|
| 80b54cfd10a3 | 30 Mar 2021 | Peter Hilber |
Add virtio SCMI device specification This patch proposes a new virtio device for the Arm SCMI protocol. The device provides a simple transport for the Arm SCMI protocol[1]. The *S*ystem *C*ontrol and *M*anagement *I*nterface protocol allows speaking to system controllers that allow orchestrating things like power management, system state management and sensor access. The SCMI protocol is used on SoCs where multiple cores and co-processors need access to these resources. The virtio transport allows making use of this protocol in virtualized systems. [1] https://developer.arm.com/docs/den0056/c Fixes: https://github.com/oasis-tcs/virtio-spec/issues/100 Signed-off-by: Peter Hilber
Signed-off-by: Cornelia Huck
See 5.2.6. |
| f144e1847b95 | 06 Apr 2021 | Cornelia Huck |
title: list myself as Chair Reflect my position in the document as well. Signed-off-by: Cornelia Huck
|
| 2d827b06874d | 14 Apr 2021 | Michael S. Tsirkin |
introduction: document #define syntax We use the C #define syntax to refer to numeric values. Let’s document that. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/101 Signed-off-by: Michael S.
Tsirkin Signed-off-by: Cornelia Huck
See 1.5. |
| b19f28ed5076 | 14 Apr 2021 | Hao Chen |
Reserve device id for parameter server Use device ID 38 Fixes: https://github.com/oasis-tcs/virtio-spec/issues/102 Signed-off-by: Hao Chen
Signed-off-by: Cornelia Huck
See 5. |
| 22179bb0875c | 14 Apr 2021 | Hao Chen |
Reserve device id for audio policy device Use device ID 39 Fixes: https://github.com/oasis-tcs/virtio-spec/issues/103 Signed-off-by: Hao Chen
Signed-off-by: Cornelia Huck
See 5. |
| 0711d7f18fa7 | 14 Apr 2021 | Cornelia Huck |
editorial: fix missing escape of ’#’ Signed-off-by: Cornelia Huck
See 1.5. |
| 3590a075a5fd | 03 May 2021 | Marcel Holtmann |
Reserve device id for Bluetooth device Use device ID 40 Fixes: https://github.com/oasis-tcs/virtio-spec/issues/108 Signed-off-by: Marcel Holtmann
Signed-off-by: Cornelia Huck
See 5. |
| 5749014a3d50 | 17 May 2021 | Yuri Benditovich |
virtio-net: fix mistake: segmentation -> fragmentation The VIRTIO_NET_F_HOST_UFO feature fragments the packet. Only first fragment has a UDP header. Signed-off-by: Yuri Benditovich
Signed-off-by: Cornelia Huck
See 5.1.6.2. |
| d1471fdf932b | 17 May 2021 | Yuri Benditovich |
virtio-net: define USO feature Fixes: https://github.com/oasis-tcs/virtio-spec/issues/104 Unlike UFO (fragmenting the packet) the USO splits large UDP packet to several segments when each of these smaller packets has UDP header. In Linux see SKB_GSO_UDP_L4. Signed-off-by: Yuri Benditovich
Signed-off-by: Cornelia Huck
|
| c6f7149d08a1 | 10 Jun 2021 | Joel Nider |
Make global flag names consistent The global flags VIRTIO_F_EVENT_IDX and VIRTIO_F_INDIRECT_DESC have inconsistent naming throughout the document. This change removes the _RING designation from the flag names to make the usage consistent. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/36 Signed-off-by: Joel Nider
Signed-off-by: Cornelia Huck
|
| a57fb86cdb03 | 10 Jun 2021 | Jiang Wang |
virtio-net: fix a display for num_buffers One of num_buffers does not display correctly in the html. The _b becomes a subscript b. This will prevent it from being searched by using keyword num_buffers. Fix it by adding a field keyword. Signed-off-by: Jiang Wang
Message-Id: <20210601172139.3725854-1-jiang.wang@bytedance.com> Signed-off-by: Cornelia Huck
See 5.1.6.4. |
| eddd5558447d | 17 Jun 2021 | Viresh Kumar |
Reserve device id for GPIO device Use device ID 41 Fixes: https://github.com/oasis-tcs/virtio-spec/issues/109 Signed-off-by: Viresh Kumar
Signed-off-by: Cornelia Huck
See 5. |
| 63236f177602 | 08 Jul 2021 | Stefan Hajnoczi |
virtio-fs: add file system device to Conformance chapter The file system device is not listed in the Conformance chapter. Fix this. Signed-off-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 7.1. |
| 3881c6b6fca9 | 08 Jul 2021 | Stefan Hajnoczi |
virtio-fs: add notification queue The FUSE protocol allows the file server (device) to initiate communication with the client (driver) using FUSE notify messages. Normally only the client can initiate communication. This feature is used to report asynchronous events that are not related to an in-flight request. This patch adds a notification queue that works like an rx queue in other VIRTIO device types. The device can emit FUSE notify messages by using a buffer from this queue. This mechanism was designed
by Vivek Goyal
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/111 Signed-off-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
|
| eb6ef453af9b | 26 Jul 2021 | Cornelia Huck |
Reserved feature bits: fix missing verb Reviewed-by: David
Hildenbrand
Signed-off-by: Cornelia Huck
See 6. |
| 74822ee60ea9 | 27 Jul 2021 | Gaetan Harter |
content: fix a typo Signed-off-by: Gaetan Harter
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 5.1.6.5. |
| 23d3f7a3a7c9 | 27 Jul 2021 | Gaetan Harter |
virtio-gpu: fix a typo Signed-off-by: Gaetan Harter
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 5.7.2. |
| 247709f69260 | 29 Jul 2021 | Gaetan Harter |
virtio-crypto: fix missing conjunction and verb The condition sentences were incomplete: "guarantee THAT the size IS within the max_len". Signed-off-by: Gaetan Harter
Signed-off-by: Cornelia Huck
See 5.9.5. |
| 1dc3ff82ab18 | 10 Aug 2021 | Max Gurtovoy |
virtio-blk: fix virtqueues accounting Virtqueue index is zero based, thus virtqueue (N-1) refers to requestqN. Signed-off-by: Max Gurtovoy
Signed-off-by: Cornelia Huck
See 5.2.2. |
| b73b74aaca01 | 16 Aug 2021 | Alex Bennée |
virtio-rpmb: fix the description for multi-block reads Previously the text said we fail if block count is set to 1 despite language elsewhere in the text referring to: "For RPMB read request, one virtio buffer including request command and the subsequent [block_count] virtio buffers for response data are placed in the queue." and the existence of both max_wr_cnt and max_rd_cnt configuration variables certainly implying devices should be able to handle multi-block reads just like writes. Fix the description as well as format the steps as an enumerated list to match the style of the previous section describing write handling. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/113 Reported-by: Ruchika Gupta
Signed-off-by: Alex Bennée
Signed-off-by: Cornelia Huck
See 5.12.6.1. |
| 9547f52400c6 | 18 Aug 2021 | Viresh Kumar |
virtio-gpio: Add the device specification virtio-gpio is a virtual GPIO controller. It provides a way to flexibly communicate with the host GPIO controllers from the guest. Note that the current implementation doesn’t provide atomic APIs for GPIO configurations. i.e. the driver (guest) would need to implement sleep-able versions of the APIs as the guest will respond asynchronously over the virtqueue. This patch adds the specification for it. Based on the initial work posted
by: "Enrico Weigelt, metux IT
consult" Fixes: https://github.com/oasis-tcs/virtio-spec/issues/110 Reviewed-by: Arnd Bergmann
Reviewed-by: Linus Walleij
Signed-off-by: Viresh Kumar
Signed-off-by: Cornelia Huck
See 5.18. |
| 4b65fb2f74fa | 17 Sep 2021 | Viresh Kumar |
virtio-gpio: Specify character encoding for gpio names Specify 7-bit ASCII character encoding for GPIO names strings. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/115 Suggested-by: Stefan Hajnoczi
Signed-off-by: Viresh Kumar
Signed-off-by: Cornelia Huck
See 5.18.6.1. |
| c8338338edaf | 17 Sep 2021 | Michael S. Tsirkin |
virtio-net: fix speed, duplex Speed values have an extra "f" - they are 32 bit, not 36 bit. Duplex is implemented in Linux and QEMU as 0x01 for full duplex and 0x00 for half duplex. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/75 Signed-off-by: Michael S.
Tsirkin Signed-off-by: Cornelia Huck
See 5.1.4. |
| a4bb00171010 | 24 Sep 2021 | Gurchetan Singh |
virtio-gpu: clarify spec regarding capability sets Capability sets will be used as a proxy for the context type, so add more detail regarding their use. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/117 Reviewed-by: Gerd Hoffmann
Signed-off-by: Gurchetan Singh
Signed-off-by: Cornelia Huck
|
| aad2b6f3620e | 24 Sep 2021 | Gurchetan Singh |
virtio-gpu: add context init support This brings explicit context initialization and different types to virtio-gpu. In the past, VIRTIO_GPU_F_VIRGL meant the virglrenderer support. With VIRTIO_GPU_F_VIRGL + VIRTIO_GPU_F_CONTEXT_INIT, this means generic 3D virtualization defined by the context type. It’s entirely possible the virglrenderer project isn’t available on the host in this scenario. The VIRTIO_GPU_F_VIRGL naming convention is kept since it’s easier to redefine the meaning rather than changing header files. The context type is associated an particular capset id. Virgl has two capsets due a prior bug, but for other cases the 1:1 mapping between context type and capset id is valid. In addition, fencing needs to be fixed to accomodate multiple context types. In the past, there was one global timeline associated witht the OpenGL rendering. Now, there are multiple timelines which can be associated with GL, VK or even display contexts. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/117 Reviewed-by: Gerd Hoffmann
Signed-off-by: Gurchetan Singh
Signed-off-by: Cornelia Huck
|
| e0e8f9ac37c5 | 04 Oct 2021 | Junji Wei |
Reserve device id for RDMA device Use device ID 42 Fixes: https://github.com/oasis-tcs/virtio-spec/issues/116 Signed-off-by: Junji Wei
Signed-off-by: Cornelia Huck
See 5. |
| f5a8d38acbd0 | 04 Oct 2021 | Max Gurtovoy |
Fix copy/paste bug in PCI transport paragraph Refer to "Shared memory capability" and not to "Device-specific configuration". Signed-off-by: Max Gurtovoy
Signed-off-by: Cornelia Huck
See 4.1.4.7. |
| bcf4bddb256e | 07 Oct 2021 | Jean-Philippe Brucker |
content: Remove duplicate paragraph It looks like commit 356aeeb40d7a ("content: add vendor specific cfg type") had a merge issue. It includes the device normative paragraph for Shared memory capability, which was already added right above it by commit 855ad7af2bd6 ("shared memory: Define PCI capability"). The two paragraphs differ, and the first paragraph is correct. It refers to struct virtio_pci_cap64 which embeds struct virtio_pci_cap: struct virtio_pci_cap64 . struct virtio_pci_cap . ... le32 offset; le32 length; } cap; u32 offset_hi; u32 length_hi; . Merge the two paragraph while keeping the best of both. Drop the spaces after \field to stay consistent with the rest of the document. Acked-by: Michael S. Tsirkin
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Jean-Philippe
Brucker
Signed-off-by: Cornelia Huck
See 4.1.4.7. |
| 591eb4c2f76e | 07 Oct 2021 | Cornelia Huck |
PCI: fix level for vendor data capability The normative statements for the vendor data capability need to be at paragraph level insted of subsection level. Signed-off-by: Cornelia Huck
See 4.1.4.8. |
| 2f4a36d5e36d | 14 Oct 2021 | Enrico Granata |
Provide detailed specification of virtio-blk lifetime metrics In the course of review, some concerns were surfaced about the original virtio-blk lifetime proposal, as it depends on the eMMC spec which is not open Add a more detailed description of the meaning of the fields added by that proposal to the virtio-blk specification, as to make it feasible to understand and implement the new lifetime metrics feature without needing to refer to JEDEC’s specification This patch does not change the meaning of those fields nor add any new fields, but it is intended to provide an open and more clear description of the meaning associated with those fields. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/106 Reviewed-by: Stefan Hajnoczi
Signed-off-by: Enrico Granata
Signed-off-by: Cornelia Huck
See 5.2.6. |
| fc387ffae917 | 15 Oct 2021 | Pankaj Gupta |
virtio-pmem: PMEM device spec Posting virtio specification for virtio pmem device. Virtio pmem is a paravirtualized device which allows the guest to bypass page cache. Virtio pmem kernel driver is merged in Upstream Kernel 5.3. Also, Qemu device is merged in Qemu 4.1. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/78 Reviewed-by: Stefan Hajnoczi
Signed-off-by: Pankaj Gupta
[CH: editorial update to fix conformance section] Signed-off-by: Cornelia Huck
See 5.19. |
| b5115a8fc8ed | 15 Oct 2021 | David Hildenbrand |
virtio-mem: simplify statements that express unexpected behavior on memory access Some statements express that the device MAY allow access to memory inside unplugged memory blocks, although it’s really just unexpected behavior and conforming drivers MUST NOT perform such access. Clarify that, and move the special CPU vs. DMA handling for some unplugged memory blocks to the driver section instead. While at it, start rephrasing our statements to clarify and prepare for further changes. Signed-off-by: David
Hildenbrand
Reviewed-by: Cornelia Huck
Signed-off-by: Cornelia Huck
See 5.15.6. |
| 708ef827b092 | 15 Oct 2021 | David Hildenbrand |
virtio-mem: rephrase remaining memory access statements Let’s rephrase the remaining statements regarding memory access to unify and prepare for further changes. Signed-off-by: David
Hildenbrand
Reviewed-by: Cornelia Huck
Signed-off-by: Cornelia Huck
See 5.15.6. |
| f579906e7364 | 15 Oct 2021 | David Hildenbrand |
virtio-mem: document basic memory access to plugged memory blocks Let’s cleanly document that the driver just has to allow for access to plugged memory blocks. Signed-off-by: David
Hildenbrand
Reviewed-by: Cornelia Huck
Signed-off-by: Cornelia Huck
See 5.15.6. |
| 5b6a9d2a1d43 | 15 Oct 2021 | David Hildenbrand |
virtio-mem: introduce VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE Until now, we allowed a driver to read unplugged memory within the usable device-managed region: this simplified bring-up of virtio-mem in Linux quite a bit, especially when it came to physical memory dumping. When the device is using a memory backend that supports a shared zeropage, such as virtio-mem in QEMU under Linux on anonymous memory, the old behavior could be realized easily. However, when using other memory backends (such as hugetlbfs or shmem) or architectures, such as s390x, where a shared zeropage either does not exist or cannot be used, letting the driver read unplugged memory can result in undesired memory consumption in the hypervisor. The device wants to make sure that the guest is aware and will not read unplugged memory, not even in corner cases. In the meantime, the Linux implementation matured such that it will no longer access unplugged memory, for example, during kdump, when reading /proc/kcore, or via (now removed) /dev/kmem. Similar to VIRTIO_F_ACCESS_PLATFORM, this change will be disruptive and require driver adaptions – even if it’s just accepting the new feature. Devices are expected to only set the bit when really required, to keep existing setups working. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/118 Signed-off-by: David
Hildenbrand
Reviewed-by: Cornelia Huck
Signed-off-by: Cornelia Huck
|
| 26947c3e7b05 | 15 Oct 2021 | David Hildenbrand |
virtio-mem: describe interaction with memory properties Let’s describe how we expect the interaction with memory properties that might be available on a specific platform for ordinary system RAM. This is primarily a preparation for s390x support, which provides storage keys and may provide storage attributes, depending on the system configuration. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/118 Signed-off-by: David
Hildenbrand
Reviewed-by: Cornelia Huck
Signed-off-by: Cornelia Huck
|
| ca1463daea5d | 03 Nov 2021 | Viresh Kumar |
virtio: i2c: No need to have separate read-write buffers The virtio I2C protocol allows to contain multiple read-write requests in a single I2C transaction using the VIRTIO_I2C_FLAGS_FAIL_NEXT flag, where each request contains a header, buffer and status. There is no need to pass both read and write buffers in a single request, as we have a better way of combining requests into a single I2C transaction. Moreover, this also limits the transactions to two buffers, one for read operation and one for write. By using VIRTIO_I2C_FLAGS_FAIL_NEXT, we don’t have any such limits. Remove support for multiple buffers within a single request. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/112 Reviewed-by: Arnd Bergmann
Reviewed-by: Jie Deng
Signed-off-by: Viresh Kumar
Signed-off-by: Michael S.
Tsirkin |
| 69d399bd3f19 | 03 Nov 2021 | Viresh Kumar |
virtio: i2c: Allow zero-length transactions The I2C protocol allows zero-length requests with no data, like the SMBus Quick command, where the command is inferred based on the read/write flag itself. In order to allow such a request, allocate another bit, VIRTIO_I2C_FLAGS_M_RD(1), in the flags to pass the request type, as read or write. This was earlier done using the read/write permission to the buffer itself. Add a new feature flag for zero length requests and make it mandatory for it to be implemented, so we don’t need to drag the old implementation around. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/112 Reviewed-by: Arnd Bergmann
Reviewed-by: Jie Deng
Signed-off-by: Viresh Kumar
Signed-off-by: Michael S.
Tsirkin |
| ca3252712d98 | 03 Nov 2021 | Viresh Kumar |
virtio-gpio: Add support for interrupts This patch adds support for interrupts to the virtio-gpio specification. This uses the feature bit 0 for the same. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/114 Cc: Marc Zyngier
Cc: Thomas Gleixner
Reviewed-by: Linus Walleij
Signed-off-by: Viresh Kumar
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Arnd Bergmann
|
| 48340e86b087 | 29 Nov 2021 | Halil Pasic |
split-ring: clarify the field len in the used ring The current description is misleading: "the descriptor chain which was used" generally includes both the descriptors that map the device read only, and descriptors that map the device write only portions of the buffer described by the descriptor chain. The argument that "used" means "written to" does not stand because one has to "use" the descriptor chain even when the whole buffer is device read only. One can argue, that the most straightforward way to interpret the phrase "total length of that descriptor chain" (without context) like the length of the list is usually defined: i.e. like the number of descriptors that constitute the chain. This is clearly not what we want here. Another intuitive way to interpret "total length of that descriptor chain" is size of the buffer mapped by the descriptor chain. This is not what we want either. In fact such wrongful interpretations have caused bugs in the wild. On the other hand, the text below the listing that gets modified here clearly describes the semantics of \field{len}. So let us replace the ambiguous explanation in the listing, with a hopefully non-ambiguous one. Reviewed-by: Stefan Hajnoczi
Signed-off-by: Halil Pasic
[CH: fixed up commit message typo and tabs-vs-spaces] Signed-off-by: Cornelia Huck
See 2.7.8. |
| 795391311bb1 | 30 Nov 2021 | Taylor Stark |
virtio-pmem: Support describing pmem as shared memory region Update the virtio-pmem spec to add support for describing the pmem region as a shared memory window. This is required to support virtio-pmem in Hyper-V, since Hyper-V only allows PCI devices to operate on memory ranges defined via BARs. When using the virtio PCI transport, shared memory regions are described via PCI BARs. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/121 Reviewed-by: Pankaj Gupta
Signed-off-by: Taylor Stark
Signed-off-by: Cornelia Huck
|
| ec3997b8a402 | 30 Nov 2021 | Cornelia Huck |
pmem: correct wording s/guest absolute/physical/ Signed-off-by: Cornelia Huck
See 5.19.5. |
| d6645979da9b | 07 Dec 2021 | Cornelia Huck |
ccw: clarify device reset Unlike other transports, a reset triggered by the driver is actually complete once the command has been completed. Make this behaviour and the requirements more explicit. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/123 Reviewed-by: Jason Wang
Reviewed-by: Stefan Hajnoczi
Signed-off-by: Cornelia Huck
See 4.3.3.3. |
| 41644c17c971 | 09 Dec 2021 | Jean-Philippe Brucker |
virtio-iommu: Rework the bypass feature The VIRTIO_IOMMU_F_BYPASS feature is awkward to use and incomplete. Although it is implemented by QEMU, it is not supported by any driver as far as I know. Replace it with a new VIRTIO_IOMMU_F_BYPASS_CONFIG feature. Two features are missing from virtio-iommu: * The ability for an hypervisor to start the device in bypass mode. The wording for VIRTIO_IOMMU_F_BYPASS is not clear enough to allow it at the moment, because it only specifies the behavior after feature negotiation. * The ability for a guest to set individual endpoints in bypass mode when bypass is globally disabled. An OS should have the ability to allow only endpoints it trusts to bypass the IOMMU, while keeping DMA disabled for endpoints it isn’t even aware of. At the moment this can only be emulated by creating identity mappings. The VIRTIO_IOMMU_F_BYPASS_CONFIG feature adds a ’bypass’ config field that allows to enable and disable bypass globally. It also adds a new flag for the ATTACH request. * The hypervisor can start the VM with bypass enabled or, if it knows that the software stack supports it, disabled. The ’bypass’ config fields is initialized to 0 or 1. It is sticky and isn’t affected by device reset. * Generally the firmware won’t have an IOMMU driver and will need to be started in bypass mode, so the bootloader and kernel can be loaded from storage endpoint. For more security, the firmware could implement a minimal virtio-iommu driver that reuses existing virtio support and only touches the config space. It could enable PCI bus mastering in bridges only for the endpoints that need it, enable global IOMMU bypass by flipping a bit, then tear everything down before handing control over to the OS. This prevents vulnerability windows where a malicious endpoint reprograms the IOMMU while the OS is configuring it [1]. The isolation provided by vIOMMUs has mainly been used for securely assigning endpoints to untrusted applications so far, while kernel DMA bypasses the IOMMU. But we can expect boot security to become as important in virtualization as it presently is on bare-metal systems, where some devices are untrusted and must never be able to access memory that wasn’t assigned to them. * The OS can enable and disable bypass globally. It can then enable bypass for individual endpoints by attaching them to bypass domains, using the new VIRTIO_IOMMU_ATTACH_F_BYPASS flag. It can disable bypass by attaching them to normal domains. [1] IOMMU protection against I/O attacks: a vulnerability and a proof of concept Morgan, B., Alata, É., Nicomette, V. et al. https://link.springer.com/article/10.1186/s13173-017-0066-7 Fixes: https://github.com/oasis-tcs/virtio-spec/issues/119 Reviewed-by: Eric Auger
Reviewed-by: Kevin Tian
Signed-off-by: Jean-Philippe
Brucker
Signed-off-by: Cornelia Huck
|
| ed9152310708 | 21 Dec 2021 | Yadong Qi |
virtio-blk: add secure erase feature to specification There are user requests to use the Linux BLKSECDISCARD ioctl on virtio-blk device. A secure discard is the same as a regular discard except that all copies of the discarded blocks that were possibly created by garbage collection must also be erased. This requires support from the device. And "secure erase" is more commonly used in industry to name this feature. Hence in this proposal, extend virtio-blk protocol to support secure erase command. Introduced new feature flag and command type: VIRTIO_BLK_F_SECURE_ERASE VIRTIO_BLK_T_SECURE_ERASE This feature is a passthrough feature on backend because it is hard to emulate a secure erase. So virtio-blk will report this feature to guest OS if backend device support such kind of feature. And when guest OS issues a secure erase command, backend driver will passthrough the command to host device blocks. Introduced new fields in virtio_blk_config for secure erase commands: struct virtio_blk_config . ... max_secure_erase_sectors; max_secure_erase_seg; secure_erase_sector_alignment; }; Fixes: https://github.com/oasis-tcs/virtio-spec/issues/125 Reviewed-by: Stefan Hajnoczi
Signed-off-by: Yadong Qi
Signed-off-by: Cornelia Huck
|
| 3b5378d70a42 | 21 Dec 2021 | Xuan Zhuo |
virtio: introduce virtqueue reset as basic facility This patch allows the driver to reset a queue individually. This is very common on general network equipment. By disabling a queue, you can quickly reclaim the buffer currently on the queue. If necessary, we can reinitialize the queue separately. For example, when virtio-net implements support for AF_XDP, we need to disable a queue to release all the original buffers when AF_XDP setup. And quickly release all the AF_XDP buffers that have been placed in the queue when AF_XDP exits. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/124 Reviewed-by: Jason Wang
Signed-off-by: Xuan Zhuo
Signed-off-by: Cornelia Huck
|
| 12998e738621 | 21 Dec 2021 | Xuan Zhuo |
virtio: pci support virtqueue reset PCI support virtqueue reset. virtio_pci_common_cfg add "queue_reset" to support virtqueue reset. The driver uses this to selectively reset the queue. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/124 Reviewed-by: Jason Wang
Signed-off-by: Xuan Zhuo
Signed-off-by: Cornelia Huck
See 4.1.4.3. |
| a4ce81a83780 | 21 Dec 2021 | Xuan Zhuo |
virtio: mmio support virtqueue reset mmio support virtqueue reset. MMIO Device Register Layout "QueueReady" to support virtqueue reset. The driver uses this to selectively reset the queue. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/124 Reviewed-by: Jason Wang
Signed-off-by: Xuan Zhuo
Signed-off-by: Cornelia Huck
See 4.2.2. |
| f65613a48826 | 11 Jan 2022 | Max Gurtovoy |
Fix reserved Feature bits numbering This should have been updated during VIRTIO_F_NOTIFICATION_DATA, VIRTIO_F_NOTIF_CONFIG_DATA and VIRTIO_F_RING_RESET standartization. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/128 Reviewed-by: Stefan Hajnoczi
Signed-off-by: Max Gurtovoy
Signed-off-by: Cornelia Huck
See 2.2. |
| 5e1c3fa81e29 | 21 Jan 2022 | Arseny Krasnov |
virtio-vsock: use C style defines for constants This: 1) Replaces enums with C style "defines", because use of enums is not documented, while "defines" are widely used in spec. 2) Adds defines for some constants. Reviewed-by: Stefan Hajnoczi
Signed-off-by: Arseny Krasnov
Reviewed-by: Stefano
Garzarella
Signed-off-by: Stefano
Garzarella
Signed-off-by: Cornelia Huck
See 5.10.6. |
| 1a90fc6e4228 | 21 Jan 2022 | Stefano Garzarella |
virtio-vsock: add VIRTIO_VSOCK_F_STREAM feature bit Initially vsock devices only supported stream sockets, but now we are adding support for new types (i.e. SEQPACKET, DGRAM). Since some devices may not want to support stream sockets, we add a feature bit for this type. For backward compatibility, if no feature bit is set, only stream socket type is supported. Reviewed-by: Stefan Hajnoczi
Signed-off-by: Stefano
Garzarella
Signed-off-by: Cornelia Huck
See 5.10.3. |
| d6d9c734b42e | 21 Jan 2022 | Arseny Krasnov |
virtio-vsock: SOCK_SEQPACKET description This adds description of SOCK_SEQPACKET socket type support for virtio-vsock. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/132 Signed-off-by: Arseny Krasnov
[reworked "Message and record boundaries" paragraph] Signed-off-by: Stefano
Garzarella
Signed-off-by: Cornelia Huck
|
| 88895f56e642 | 24 Jan 2022 | Cornelia Huck |
Reserve more feature bits for device type usage Feature bits 41 and above are noted as being reserved for future extensions. However, the net device has been using bits in that space for some time now, as it already used up the device type specific range up to 23. To avoid problems in the future, let’s designate bits 50 to 127 to device type specific usage (which accommodates current usage by the net driver, and gives breathing room for future type specific bits), and declare bits 41 to 49 and bits 128 and above to be reserved for future extensions (which gives us some time before bit numbers move beyond 63, which would need some changes in existing device and driver implementations.) Reported-by: Max Gurtovoy
Fixes: https://github.com/oasis-tcs/virtio-spec/issues/131 Reviewed-by: Max Gurtovoy
Signed-off-by: Cornelia Huck
See 2.2. |
| 6708e0fc2f7d | 07 Apr 2022 | Michael S. Tsirkin |
virtio-gpio: offered -> negotiated virtqueues are only discovered after FEATURES_OK. As such it makes no sense to talk about virtqueues being affected by features which are offered but not negotiated, and doing so will confuse the reader. Signed-off-by: Michael
S. Tsirkin See 5.18.2. |
| a214ffb64f45 | 11 Apr 2022 | Cornelia Huck |
introduction: add more section labels In order to be able to refer to changes in sections. Signed-off-by: Cornelia Huck
|
| 79f705b96040 | 11 Apr 2022 | Cornelia Huck |
conformance: hook up GPU device normative statements These statements already exist, but were not linked in the conformance section. Signed-off-by: Cornelia Huck
See 7.1. |
| 26f15550226b | 19 Apr 2022 | Michael S. Tsirkin |
packed-ring: fix some typos The VIRTQ_DESC_F_INDIRECT flag is misnamed in a couple of places. Signed-off-by: Michael S.
Tsirkin Signed-off-by: Cornelia Huck
See 2.8.19. |
| b13f67fca90e | 20 Apr 2022 | Michael S. Tsirkin |
packed-ring.tex: link conformance statements Link conformance statements into conformance chapter. Signed-off-by: Michael S.
Tsirkin Signed-off-by: Cornelia Huck
See 7.1. |
| 3a7f07897958 | 20 Apr 2022 | Michael S. Tsirkin |
content.tex: drop space after \field Always use \field{foo} not \field {foo}, the latter confuses latexdiff. Signed-off-by: Michael S.
Tsirkin Signed-off-by: Cornelia Huck
See 4.1.4. |
| c5fd7eda1203 | 29 Apr 2022 | Parav Pandit |
virtio: Improve queue_reset polarity to match to default reset state Currently when driver initiates a queue reset, device is expected to communicate reset status to the driver by changing the value of the queue_reset register twice. First to return value other than 1 when reset is ongoing, later to return 1 when queue reset is completed. However initially during the device reset time the queue reset value is zero. queue_reset changes the value of the register to a different value on reset completion. Yet another time queue_reset value is expected to change when queue_select is reprogrammed. Instead, it is better and efficient to maintain the same VQ state on the device when queue reset is completed. new proposed flow: q_enable, q_reset A) 0, 0 -> default, device init time B) 1, 0 -> driver has enabled vq C) 1, 1 -> driver started q reset D) 1, 1 -> q_reset stays 1 until device is busy resetting vq (device communicates that its working on resetting VQ, consistent with #C) E) 0, 0 -> q_reset by device is completed, q got disabled (consistent with device init time #A) Hence, this patch proposes a simple change to have reset register polarity to be same as that of initial reset value. Fixes: https://github.com/oasis-tcs/virtio-spec/issues/139 Fixes: 12998e738621 ("virtio: pci support virtqueue reset") Fixes: a4ce81a83780 ("virtio: mmio support virtqueue reset") Fixes: 3b5378d70a42 ("virtio: introduce virtqueue reset as basic facility") Reviewed-by: Jason Wang
Reviewed-by: Xuan Zhuo
Signed-off-by: Parav Pandit
Signed-off-by: Michael S.
Tsirkin |
1This lack of page-sharing implies that the implementation of the device (e.g. the hypervisor or host) needs full access to the guest memory. Communication with untrusted parties (i.e. inter-guest communication) requires copying.
2The Linux implementation further separates the virtio transport code from the specific virtio drivers: these drivers are shared between different transports.
3For example, the simplest network device has one virtqueue for transmit and one for receive.
4For example, if Queue Size is 4 then at most 4 buffers can be queued at any given time.
5For example, if Queue Size is 4 then at most 4 buffers can be queued at any given time.
6For example, the simplest network device has two virtqueues.
7The 4096 is based on the x86 page size, but it’s also large enough to ensure that the separate parts of the virtqueue are on separate cache lines.
8Due to various bugs in implementations, this field is not useful as a guarantee of the transport header size.
9This case is not handled by some older hardware, so is called out specifically in the protocol.
10Since there are no guarantees, it can use a hash filter or silently switch to allmulti or promiscuous mode if it is given too many addresses.
11Consistent with 5.2.6.2, a writethrough cache can be defined broadly as a cache that commits writes to persistent device backend storage before reporting their completion. For example, a battery-backed writeback cache actually counts as writethrough according to this definition.
12Note that in this case, according to 5.2.5.2, the device will not have offered VIRTIO_BLK_F_CONFIG_WCE either.
13Because this is high importance and low bandwidth, the current Linux implementation polls for the buffer to become used, rather than waiting for a used buffer notification, simplifying the implementation significantly. However, for generic serial ports with the O_NONBLOCK flag set, the polling limitation is relaxed and the consumed buffers are freed upon the next write or poll call or when a port is closed or hot-unplugged.
14This is historical, and independent of the guest page size.
15In this case, deflation advice is merely a courtesy.
16For example, INQUIRY or REPORT LUNS.
17For example, I_T RESET.
18There is no separate residual size for pi_bytesout and pi_bytesin. It can be computed from the residual field, the size of the data integrity information per sector, and the sizes of pi_out, pi_in, dataout and datain.
19Future extensions may add different modes of operations. At the moment, only VIRTIO_IOMMU_F_MAP_UNMAP is supported.
20This would happen for example if the device implements a more recent version of this specification, whose fault report contains additional fields.
21For example, s390x provides storage keys for each 4 KiB page and may, depending on the configuration, provide storage attributes for each 4 KiB page.
22On platforms with memory properties that might get modified implicitly on memory access, this feature is expected to be offered by the device.
23To allow for simplified dumping of memory. The CPU is expected to copy such memory to another location before starting DMA.
24Even if it does mean documenting design or implementation mistakes!