VFIO

VFIO, or Virtual Function I/O, is a Linux kernel framework that provides secure, direct user-space access to devices through an IOMMU. It is used to enable PCI passthrough to virtual machines and, more generally, to host user-space drivers that require direct device access while maintaining memory protection and isolation.

The VFIO stack consists of a set of kernel components: the vfio-pci driver that binds PCI devices to VFIO, the IOMMU backend (vfio_iommu_type1) that manages IOMMU remapping, and a per-process VFIO container that owns the IOMMU-admitted resources. Devices are assigned to an IOMMU group; only devices in a group can be exposed to a guest or user-space driver, and groups must be isolated to prevent cross-device access. The framework also supports the mediated device (MDEV) framework, which allows a physical device to present multiple virtual functions to guests.

In virtualization environments such as KVM/QEMU, a device bound to vfio-pci can be attached to a virtual machine as a PCI device, giving the guest direct DMA access to the hardware. This requires hardware support for an IOMMU (Intel VT-d or AMD-Vi) and enabling the IOMMU in the kernel/BIOS as part of the host configuration. Management can be performed by tools like libvirt or the QEMU command line.

Limitations and considerations include the requirement for isolated IOMMU groups; devices in the same group typically cannot be individually passed through without mediated devices. Not all devices are suitable for passthrough, and misconfiguration can compromise host isolation. Performance is generally near-native but depends on the IOMMU, device, and workload.
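
Added example (not from the original page or from the VFIO project): a Python check for the isolated-group requirement described above, reading the Linux sysfs IOMMU group layout to list the devices that share a group with a passthrough candidate and those that still have a host driver attached. The sample tree, the PCI addresses and the simplified rule that only `vfio-pci` or no driver counts as safe are assumptions made for the illustration.

```python
import os
import tempfile

# Assumption (simplified rule): a group member is harmless only if it is bound
# to vfio-pci or to no driver at all. Bridges and other drivers are flagged.
SAFE_DRIVERS = {"vfio-pci"}


def iommu_group_report(bdf, sysfs="/sys"):
    """Report the IOMMU group of PCI device `bdf` and which peers block passthrough."""
    pci = os.path.join(sysfs, "bus", "pci", "devices")
    link = os.path.join(pci, bdf, "iommu_group")
    if not os.path.islink(link):
        # No group link: the IOMMU is not enabled for this device.
        return {"group": None, "members": {}, "blockers": [], "usable": False}
    group_dir = os.path.realpath(link)
    members = {}
    for peer in sorted(os.listdir(os.path.join(group_dir, "devices"))):
        drv = os.path.join(pci, peer, "driver")
        members[peer] = os.path.basename(os.path.realpath(drv)) if os.path.islink(drv) else None
    blockers = [p for p, d in members.items() if d is not None and d not in SAFE_DRIVERS]
    return {"group": os.path.basename(group_dir), "members": members,
            "blockers": blockers, "usable": not blockers}


def build_sample_sysfs(root):
    """Constructed sysfs tree (not real hardware): (bdf, group, driver) triples."""
    layout = [("0000:01:00.0", "13", "vfio-pci"), ("0000:01:00.1", "13", "snd_hda_intel"),
              ("0000:02:00.0", "14", "vfio-pci"), ("0000:02:00.1", "14", None),
              ("0000:03:00.0", None, "e1000e")]
    for bdf, group, driver in layout:
        dev = os.path.join(root, "bus", "pci", "devices", bdf)
        os.makedirs(dev)
        if driver:
            drv = os.path.join(root, "bus", "pci", "drivers", driver)
            os.makedirs(drv, exist_ok=True)
            os.symlink(drv, os.path.join(dev, "driver"))
        if group:
            gdir = os.path.join(root, "kernel", "iommu_groups", group)
            os.makedirs(os.path.join(gdir, "devices"), exist_ok=True)
            os.symlink(gdir, os.path.join(dev, "iommu_group"))
            os.symlink(dev, os.path.join(gdir, "devices", bdf))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysfs(tmp)
        for bdf in ("0000:01:00.0", "0000:02:00.0", "0000:03:00.0"):
            print(bdf, iommu_group_report(bdf, sysfs=tmp))
```

On a real host, call `iommu_group_report("<bdf>")` with the default `sysfs="/sys"`; a non-empty `blockers` list means a device in the same group is still driven by the host.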