On Tue, Mar 21, 2023 at 02:51:20PM +0000, Liu, Yi L wrote:

> > But still, this check should be done at device creation time just like
> > in group mode, not during each attach call.
>
> Seems like requiring a noiommu_capable flag in vfio_device. We
> set this flag only when the vfio_group->type==VFIO_NO_IOMMU
> or no real iommu_group (for the case in which vfio group code is
> compiled out). Perhaps the below check should be added as well.
> Then in the time of bind, just check the noiommu_capable flag
> and capable(CAP_SYS_RAWIO).
>
> if (!IS_ENABLED(CONFIG_VFIO_NOIOMMU) || !vfio_noiommu)

Yes, and also only for physical devices

Jason