> There's that, and there's an "I care about security, but > do not want to burn up cycles on fake protections that > do not work" case. It would seem to make most sense for this use case simply *not* to expose virtio devices to guests as being behind an IOMMU at all. Sure, there are esoteric use cases where the guest actually nests and runs further guests inside itself and wants to pass through the virtio devices from the real hardware host. But presumably those configurations will have multiple virtio devices assigned by the host anyway, and further tweaking the configuration to put them behind an IOMMU shouldn't be hard. -- dwmw2 -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html