The purpose of virtio and this specification is that virtual environments and guests should have a straightforward, efficient, standard and extensible mechanism for virtual devices, rather than boutique per-environment or per-OS mechanisms.
Technical Committee members should send comments on this specification to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at https://www.oasis-open.org/committees/virtio/.
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC’s web page (https://github.com/oasis-tcs/virtio-admin/blob/master/IPR.md).
Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product’s prose narrative document(s), the content in the separate plain text file prevails.
[VIRTIO-v1.1]
Virtual I/O Device (VIRTIO) Version 1.1. Edited by Michael S. Tsirkin
and Cornelia Huck. 11 April 2019. OASIS Committee Specification 01.
https://docs.oasis-open.org/virtio/virtio/v1.1/cs01/virtio-v1.1-cs01.html. Latest
version: https://docs.oasis-open.org/virtio/virtio/v1.1/virtio-v1.1.html.
__________________________________________________________________
Copyright © OASIS Open 2018. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC’s web page (https://github.com/oasis-tcs/virtio-admin/blob/master/IPR.md).
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS’ procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS, the owner and developer of this
specification, and should be used only to refer to the organization and its official
outputs. OASIS welcomes reference to, and implementation and use of, specifications,
while reserving the right to enforce its marks against misleading uses. Please see
https://www.oasis-open.org/policies-guidelines/trademark for above guidance.
__________________________________________________________________
The purpose of virtio and this specification is that virtual environments and guests should have a straightforward, efficient, standard and extensible mechanism for virtual devices, rather than boutique per-environment or per-OS mechanisms.
[RFC2119] |
Bradner S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14,
RFC 2119, March 1997. |
[S390 PoP] |
z/Architecture Principles of Operation, IBM Publication SA22-7832, |
[S390 Common I/O] |
ESA/390 Common I/O-Device and Self-Description, IBM Publication SA22-7204, |
[PCI] |
Conventional PCI Specifications, |
[PCIe] |
PCI Express Specifications |
[IEEE 802] |
IEEE Standard for Local and Metropolitan Area Networks: Overview and
Architecture, |
[SAM] |
SCSI Architectural Model, |
[SCSI MMC] |
SCSI Multimedia Commands, |
[FUSE] |
Linux FUSE interface, |
[Virtio PCI Draft] |
Virtio PCI Draft Specification |
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
Specification drafts preceding version 1.0 of this specification (e.g. see [Virtio PCI Draft]) defined a similar, but different interface between the driver and the device. Since these are widely deployed, this specification accommodates OPTIONAL features to simplify transition from these earlier draft interfaces.
Specifically devices and drivers MAY support:
Legacy devices and legacy drivers are not compliant with this specification.
To simplify transition from these earlier draft interfaces, a device MAY implement:
Similarly, a driver MAY implement:
Devices or drivers with no legacy compatibility are referred to as non-transitional devices and drivers, respectively.
For devices and drivers already implementing the legacy interface, some changes will have to be made to support this specification.
In this case, it might be beneficial for the reader to focus on sections tagged "Legacy Interface" in the section title. These highlight the changes made since the earlier drafts.
Many device and driver in-memory structure layouts are documented using the C struct syntax. All structures are assumed to be without additional padding. To stress this, cases where common C compilers are known to insert extra padding within structures are tagged using the GNU C __attribute__((packed)) syntax.
For the integer data types used in the structure definitions, the following conventions are used:
Some of the fields to be defined in this specification don’t start or don’t end on a byte boundary. Such fields are called bit-fields. A set of bit-fields is always a sub-division of an integer typed field.
Bit-fields within integer fields are always listed in order, from the least significant to the most significant bit. The bit-fields are considered unsigned integers of the specified width with the next in significance relationship of the bits preserved.
For example:
documents the value A stored in the low 15 bit of x and the value B stored in the high bit of x, the 16-bit integer x in turn stored using the big-endian byte order at the beginning of the structure S, and being followed immediately by an unsigned integer y stored in big-endian byte order at an offset of 2 bytes (16 bits) from the beginning of the structure.
Note that this notation somewhat resembles the C bitfield syntax but should not be naively converted to a bitfield notation for portable code: it matches the way bitfields are packed by C compilers on little-endian architectures but not the way bitfields are packed by C compilers on big-endian architectures.
Assuming that CPU_TO_BE16 converts a 16-bit integer from a native CPU to the big-endian byte order, the following is the equivalent portable C code to generate a value to be stored into x:
During device initialization by a driver, the driver follows the sequence of steps specified in 3.1.
The device status field provides a simple low-level indication of the completed steps of this sequence. It’s most useful to imagine it hooked up to traffic lights on the console indicating the status of each device. The following bits are defined (listed below in the order in which they would be typically set):
The driver MUST update device status, setting bits to indicate the completed steps of the driver initialization sequence specified in 3.1. The driver MUST NOT clear a device status bit. If the driver sets the FAILED bit, the driver MUST later reset the device before attempting to re-initialize.
The driver SHOULD NOT rely on completion of operations of a device if DEVICE_NEEDS_RESET is set. Note: For example, the driver can’t assume requests in flight will be completed if DEVICE_NEEDS_RESET is set, nor can it assume that they have not been completed. A good implementation will try to recover by issuing a reset.
The device MUST initialize device status to 0 upon reset.
The device MUST NOT consume buffers or send any used buffer notifications to the driver before DRIVER_OK.
The device SHOULD set DEVICE_NEEDS_RESET when it enters an error state that a reset is needed. If DRIVER_OK is set, after it sets DEVICE_NEEDS_RESET, the device MUST send a device configuration change notification to the driver.
Each virtio device offers all the features it understands. During device initialization, the driver reads this and tells the device the subset that it accepts. The only way to renegotiate is to reset the device.
This allows for forwards and backwards compatibility: if the device is enhanced with a new feature bit, older drivers will not write that feature bit back to the device. Similarly, if a driver is enhanced with a feature that the device doesn’t support, it see the new feature is not offered.
Feature bits are allocated as follows:
In particular, new fields in the device configuration space are indicated by offering a new feature bit.
The driver MUST NOT accept a feature which the device did not offer, and MUST NOT accept a feature which requires another feature which was not accepted.
The driver SHOULD go into backwards compatibility mode if the device does not offer a feature it understands, otherwise MUST set the FAILED device status bit and cease initialization.
The device MUST NOT offer a feature which requires another feature which was not offered. The device SHOULD accept any valid subset of features the driver accepts, otherwise it MUST fail to set the FEATURES_OK device status bit when the driver writes it.
If a device has successfully negotiated a set of features at least once (by accepting the FEATURES_OK device status bit during device initialization), then it SHOULD NOT fail re-negotiation of the same set of features after a device or system reset. Failure to do so would interfere with resuming from suspend and error recovery.
Transitional Drivers MUST detect Legacy Devices by detecting that the feature bit VIRTIO_F_VERSION_1 is not offered. Transitional devices MUST detect Legacy drivers by detecting that VIRTIO_F_VERSION_1 has not been acknowledged by the driver.
In this case device is used through the legacy interface.
Legacy interface support is OPTIONAL. Thus, both transitional and non-transitional devices and drivers are compliant with this specification.
Requirements pertaining to transitional devices and drivers is contained in sections named ’Legacy Interface’ like this one.
When device is used through the legacy interface, transitional devices and transitional drivers MUST operate according to the requirements documented within these legacy interface sections. Specification text within these sections generally does not apply to non-transitional devices.
The notion of sending a notification (driver to device or device to driver) plays an important role in this specification. The modus operandi of the notifications is transport specific.
There are three types of notifications:
Configuration change notifications and used buffer notifications are sent by the device, the recipient is the driver. A configuration change notification indicates that the device configuration space has changed; a used buffer notification indicates that a buffer may have been made used on the virtqueue designated by the notification.
Available buffer notifications are sent by the driver, the recipient is the device. This type of notification indicates that a buffer may have been made available on the virtqueue designated by the notification.
The semantics, the transport-specific implementations, and other important aspects of the different notifications are specified in detail in the following chapters.
Most transports implement notifications sent by the device to the driver using interrupts. Therefore, in previous versions of this specification, these notifications were often called interrupts. Some names defined in this specification still retain this interrupt terminology. Occasionally, the term event is used to refer to a notification or a receipt of a notification.
Device configuration space is generally used for rarely-changing or initialization-time parameters. Where configuration fields are optional, their existence is indicated by feature bits: Future versions of this specification will likely extend the device configuration space by adding extra fields at the tail. Note: The device configuration space uses the little-endian format for multi-byte fields.
Each transport also provides a generation count for the device configuration space, which will change whenever there is a possibility that two accesses to the device configuration space can see different versions of that space.
Drivers MUST NOT assume reads from fields greater than 32 bits wide are atomic, nor are reads from multiple fields: drivers SHOULD read device configuration space fields like so:
For optional configuration space fields, the driver MUST check that the corresponding feature is offered before accessing that part of the configuration space. Note: See section 3.1 for details on feature negotiation.
Drivers MUST NOT limit structure size and device configuration space size. Instead, drivers SHOULD only check that device configuration space is large enough to contain the fields necessary for device operation. Note: For example, if the specification states that device configuration space ’includes a single 8-bit field’ drivers should understand this to mean that the device configuration space might also include an arbitrary amount of tail padding, and accept any device configuration space size equal to or greater than the specified 8-bit size.
The device MUST allow reading of any device-specific configuration field before FEATURES_OK is set by the driver. This includes fields which are conditional on feature bits, as long as those feature bits are offered by the device.
Note that for legacy interfaces, device configuration space is generally the guest’s native endian, rather than PCI’s little-endian. The correct endian-ness is documented for each device.
Legacy devices did not have a configuration generation field, thus are susceptible to race conditions if configuration is updated. This affects the block capacity (see 5.2.4) and network mac (see 5.1.4) fields; when using the legacy interface, drivers SHOULD read these fields multiple times until two reads generate a consistent result.
The mechanism for bulk data transport on virtio devices is pretentiously called a virtqueue. Each device can have zero or more virtqueues3.
Driver makes requests available to device by adding an available buffer to the queue, i.e., adding a buffer describing the request to a virtqueue, and optionally triggering a driver event, i.e., sending an available buffer notification to the device.
Device executes the requests and - when complete - adds a used buffer to the queue, i.e., lets the driver know by marking the buffer as used. Device can then trigger a device event, i.e., send a used buffer notification to the driver.
Device reports the number of bytes it has written to memory for each buffer it uses. This is referred to as “used length”.
Device is not generally required to use buffers in the same order in which they have been made available by the driver.
Some devices always use descriptors in the same order in which they have been made available. These devices can offer the VIRTIO_F_IN_ORDER feature. If negotiated, this knowledge might allow optimizations or simplify driver and/or device code.
Each virtqueue can consist of up to 3 parts:
Two formats are supported: Split Virtqueues (see 2.6 Split Virtqueues) and Packed Virtqueues (see 2.7 Packed Virtqueues).
Every driver and device supports either the Packed or the Split Virtqueue format, or both.
The split virtqueue format was the only format supported by the version 1.0 (and earlier) of this standard.
The split virtqueue format separates the virtqueue into several parts, where each part is write-able by either the driver or the device, but not both. Multiple parts and/or locations within a part need to be updated when making a buffer available and when marking it as used.
Each queue has a 16-bit queue size parameter, which sets the number of entries and implies the total size of the queue.
Each virtqueue consists of three parts:
where each part is physically-contiguous in guest memory, and has different alignment requirements.
The memory alignment and size requirements, in bytes, of each part of the virtqueue are summarized in the following table:
Virtqueue Part | Alignment | Size |
Descriptor Table | 16 | 16∗(Queue Size) |
Available Ring | 2 | 6 + 2∗(Queue Size) |
Used Ring | 4 | 6 + 8∗(Queue Size) |
The Alignment column gives the minimum alignment for each part of the virtqueue.
The Size column gives the total number of bytes for each part of the virtqueue.
Queue Size corresponds to the maximum number of buffers in the virtqueue4. Queue Size value is always a power of 2. The maximum Queue Size value is 32768. This value is specified in a bus-specific way.
When the driver wants to send a buffer to the device, it fills in a slot in the descriptor table (or chains several together), and writes the descriptor index into the available ring. It then notifies the device. When the device has finished a buffer, it writes the descriptor index into the used ring, and sends a used buffer notification.
The driver MUST ensure that the physical address of the first byte of each virtqueue part is a multiple of the specified alignment value in the above table.
For Legacy Interfaces, several additional restrictions are placed on the virtqueue layout:
Each virtqueue occupies two or more physically-contiguous pages (usually defined as 4096 bytes, but depending on the transport; henceforth referred to as Queue Align) and consists of three parts:
Descriptor Table | Available Ring (…padding…) | Used Ring |
The bus-specific Queue Size field controls the total number of bytes for the virtqueue. When using the legacy interface, the transitional driver MUST retrieve the Queue Size field from the device and MUST allocate the total number of bytes for the virtqueue according to the following formula (Queue Align given in qalign and Queue Size given in qsz):
This wastes some space with padding. When using the legacy interface, both transitional devices and drivers MUST use the following virtqueue layout structure to locate elements of the virtqueue:
Note that when using the legacy interface, transitional devices and drivers MUST use the native endian of the guest as the endian of fields and in the virtqueue. This is opposed to little-endian for non-legacy interface as specified by this standard. It is assumed that the host is already aware of the guest endian.
The framing of messages with descriptors is independent of the contents of the buffers. For example, a network transmit buffer consists of a 12 byte header followed by the network packet. This could be most simply placed in the descriptor table as a 12 byte output descriptor followed by a 1514 byte output descriptor, but it could also consist of a single 1526 byte output descriptor in the case where the header and packet are adjacent, or even three or more descriptors (possibly with loss of efficiency in that case).
Note that, some device implementations have large-but-reasonable restrictions on total descriptor size (such as based on IOV_MAX in the host OS). This has not been a problem in practice: little sympathy will be given to drivers which create unreasonably-sized descriptors such as by dividing a network packet into 1500 single-byte descriptors!
The device MUST NOT make assumptions about the particular arrangement of descriptors. The device MAY have a reasonable limit of descriptors it will allow in a chain.
The driver MUST place any device-writable descriptor elements after any device-readable descriptor elements.
The driver SHOULD NOT use an excessive number of descriptors to describe a buffer.
Regrettably, initial driver implementations used simple layouts, and devices came to rely on it, despite this specification wording. In addition, the specification for virtio_blk SCSI commands required intuiting field lengths from frame boundaries (see 5.2.6.3 Legacy Interface: Device Operation)
Thus when using the legacy interface, the VIRTIO_F_ANY_LAYOUT feature indicates to both the device and the driver that no assumptions were made about framing. Requirements for transitional drivers when this is not negotiated are included in each device section.
The descriptor table refers to the buffers the driver is using for the device. addr is a physical address, and the buffers can be chained via next. Each descriptor describes a buffer which is read-only for the device (“device-readable”) or write-only for the device (“device-writable”), but a chain of descriptors can contain both device-readable and device-writable buffers.
The actual contents of the memory offered to the device depends on the device type. Most common is to begin the data with a header (containing little-endian fields) for the device to read, and postfix it with a status tailer for the device to write.
The number of descriptors in the table is defined by the queue size for this virtqueue: this is the maximum possible descriptor chain length.
If VIRTIO_F_IN_ORDER has been negotiated, driver uses descriptors in ring order: starting from offset 0 in the table, and wrapping around at the end of the table. Note: The legacy [Virtio PCI Draft] referred to this structure as vring_desc, and the constants as VRING_DESC_F_NEXT, etc, but the layout and values were identical.
A device MUST NOT write to a device-readable buffer, and a device SHOULD NOT read a device-writable buffer (it MAY do so for debugging or diagnostic purposes).
Drivers MUST NOT add a descriptor chain longer than 232 bytes in total; this implies that loops in the descriptor chain are forbidden!
If VIRTIO_F_IN_ORDER has been negotiated, and when making a descriptor with VRING_DESC_F_NEXT set in flags at offset x in the table available to the device, driver MUST set next to 0 for the last descriptor in the table (where x = queue_size − 1) and to x + 1 for the rest of the descriptors.
Some devices benefit by concurrently dispatching a large number of large requests. The VIRTIO_F_INDIRECT_DESC feature allows this (see A virtio_queue.h). To increase ring capacity the driver can store a table of indirect descriptors anywhere in memory, and insert a descriptor in main virtqueue (with flags&VIRTQ_DESC_F_INDIRECT on) that refers to memory buffer containing this indirect descriptor table; addr and len refer to the indirect table address and length in bytes, respectively.
The indirect table layout structure looks like this (len is the length of the descriptor that refers to this table, which is a variable, so this code won’t compile):
The first indirect descriptor is located at start of the indirect descriptor table (index 0), additional indirect descriptors are chained by next. An indirect descriptor without a valid next (with flags&VIRTQ_DESC_F_NEXT off) signals the end of the descriptor. A single indirect descriptor table can include both device-readable and device-writable descriptors.
If VIRTIO_F_IN_ORDER has been negotiated, indirect descriptors use sequential indices, in-order: index 0 followed by index 1 followed by index 2, etc.
A driver MUST NOT create a descriptor chain longer than the Queue Size of the device.
A driver MUST NOT set both VIRTQ_DESC_F_INDIRECT and VIRTQ_DESC_F_NEXT in flags.
If VIRTIO_F_IN_ORDER has been negotiated, indirect descriptors MUST appear sequentially, with next taking the value of 1 for the 1st descriptor, 2 for the 2nd one, etc.
The device MUST handle the case of zero or more normal chained descriptors followed by a single descriptor with flags&VIRTQ_DESC_F_INDIRECT. Note: While unusual (most implementations either create a chain solely using non-indirect descriptors, or use a single indirect element), such a layout is valid.
The available ring has the following layout structure:
The driver uses the available ring to offer buffers to the device: each ring entry refers to the head of a descriptor chain. It is only written by the driver and read by the device.
idx field indicates where the driver would put the next descriptor entry in the ring (modulo the queue size). This starts at 0, and increases. Note: The legacy [Virtio PCI Draft] referred to this structure as vring_avail, and the constant as VRING_AVAIL_F_NO_INTERRUPT, but the layout and value were identical.
A driver MUST NOT decrement the available idx on a virtqueue (ie. there is no way to “unexpose” buffers).
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated, the flags field in the available ring offers a crude mechanism for the driver to inform the device that it doesn’t want notifications when buffers are used. Otherwise used_event is a more performant alternative where the driver specifies how far the device can progress before a notification is required.
Neither of these notification suppression methods are reliable, as they are not synchronized with the device, but they serve as useful optimizations.
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
The driver MUST handle spurious notifications from the device.
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
VIRTIO_F_EVENT_IDX would send a used buffer notification to the driver after the first buffer is used (and again after the 65536th buffer, etc).
The used ring has the following layout structure:
The used ring is where the device returns buffers once it is done with them: it is only written to by the device, and read by the driver.
Each entry in the ring is a pair: id indicates the head entry of the descriptor chain describing the buffer (this matches an entry placed in the available ring by the guest earlier), and len the total of bytes written into the buffer. Note: len is particularly useful for drivers using untrusted buffers: if a driver does not know exactly how much has been written by the device, the driver would have to zero the buffer in advance to ensure no data leakage occurs.
For example, a network driver may hand a received buffer directly to an unprivileged userspace application. If the network device has not overwritten the bytes which were in that buffer, this could leak the contents of freed memory from other processes to the application.
idx field indicates where the device would put the next descriptor entry in the ring (modulo the queue size). This starts at 0, and increases. Note: The legacy [Virtio PCI Draft] referred to these structures as vring_used and vring_used_elem, and the constant as VRING_USED_F_NO_NOTIFY, but the layout and value were identical.
Historically, many drivers ignored the len value, as a result, many devices set len incorrectly. Thus, when using the legacy interface, it is generally a good idea to ignore the len value in used ring entries if possible. Specific known issues are listed per device type.
The device MUST set len prior to updating the used idx.
The device MUST write at least len bytes to descriptor, beginning at the first device-writable buffer, prior to updating the used idx.
The device MAY write more than len bytes to descriptor. Note: There are potential error cases where a device might not know what parts of the buffers have been written. This is why len is permitted to be an underestimate: that’s preferable to the driver believing that uninitialized memory has been overwritten when it has not.
The driver MUST NOT make assumptions about data in device-writable buffers beyond the first len bytes, and SHOULD ignore this data.
Some devices always use descriptors in the same order in which they have been made available. These devices can offer the VIRTIO_F_IN_ORDER feature. If negotiated, this knowledge allows devices to notify the use of a batch of buffers to the driver by only writing out a single used ring entry with the id corresponding to the head entry of the descriptor chain describing the last buffer in the batch.
The device then skips forward in the ring according to the size of the batch. Accordingly, it increments the used idx by the size of the batch.
The driver needs to look up the used id and calculate the batch size to be able to advance to where the next used ring entry will be written by the device.
This will result in the used ring entry at an offset matching the first available ring entry in the batch, the used ring entry for the next batch at an offset matching the first available ring entry in the next batch, etc.
The skipped buffers (for which no used ring entry was written) are assumed to have been used (read or written) by the device completely.
The device can suppress available buffer notifications in a manner analogous to the way drivers can suppress used buffer notifications as detailed in section 2.6.7. The device manipulates flags or avail_event in the used ring the same way the driver manipulates flags or used_event in the available ring.
The driver MUST initialize flags in the used ring to 0 when allocating the used ring.
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
If the VIRTIO_F_EVENT_IDX feature bit is not negotiated:
Otherwise, if the VIRTIO_F_EVENT_IDX feature bit is negotiated:
The device MUST handle spurious notifications from the driver.
The Linux Kernel Source code contains the definitions above and helper routines in a more usable form, in include/uapi/linux/virtio_ring.h. This was explicitly licensed by IBM and Red Hat under the (3-clause) BSD license so that it can be freely used by all other projects, and is reproduced (with slight variation) in A virtio_queue.h.
There are two parts to virtqueue operation: supplying new available buffers to the device, and processing used buffers from the device. Note: As an example, the simplest virtio network device has two virtqueues: the transmit virtqueue and the receive virtqueue. The driver adds outgoing (device-readable) packets to the transmit virtqueue, and then frees them after they are used. Similarly, incoming (device-writable) buffers are added to the receive virtqueue, and processed after they are used.
What follows is the requirements of each of these two parts when using the split virtqueue format in more detail.
The driver offers buffers to one of the device’s virtqueues as follows:
Note that the above code does not take precautions against the available ring buffer wrapping around: this is not possible since the ring buffer is the same size as the descriptor table, so step (1) will prevent such a condition.
In addition, the maximum queue size is 32768 (the highest power of 2 which fits in 16 bits), so the 16-bit idx value can always distinguish between a full and empty buffer.
What follows is the requirements of each stage in more detail.
A buffer consists of zero or more device-readable physically-contiguous elements followed by zero or more physically-contiguous device-writable elements (each has at least one element). This algorithm maps it into the descriptor table to form a descriptor chain:
for each buffer element, b:
In practice, d.next is usually used to chain free descriptors, and a separate count kept to check there are enough free descriptors before beginning the mappings.
The descriptor chain head is the first d in the algorithm above, ie. the index of the descriptor table entry referring to the first part of the buffer. A naive driver implementation MAY do the following (with the appropriate conversion to-and-from little-endian assumed):
However, in general the driver MAY add many descriptor chains before it updates idx (at which point they become visible to the device), so it is common to keep a counter of how many the driver has added:
idx always increments, and wraps naturally at 65536:
Once available idx is updated by the driver, this exposes the descriptor and its contents. The device MAY access the descriptor chains the driver created and the memory they refer to immediately.
The actual method of device notification is bus-specific, but generally it can be expensive. So the device MAY suppress such notifications if it doesn’t need them, as detailed in section 2.6.10.
The driver has to be careful to expose the new idx value before checking if notifications are suppressed.
Once the device has used buffers referred to by a descriptor (read from or written to them, or parts of both, depending on the nature of the virtqueue and the device), it sends a used buffer notification to the driver as detailed in section 2.6.7. Note:
For optimal performance, a driver MAY disable used buffer notifications while processing the used ring, but beware the problem of missing notifications between emptying the ring and reenabling notifications. This is usually handled by re-checking for more used buffers after notifications are re-enabled:
Packed virtqueues is an alternative compact virtqueue layout using read-write memory, that is memory that is both read and written by both host and guest.
Use of packed virtqueues is negotiated by the VIRTIO_F_RING_PACKED feature bit.
Packed virtqueues support up to 215 entries each.
With current transports, virtqueues are located in guest memory allocated by the driver. Each packed virtqueue consists of three parts:
Where the Descriptor Ring in turn consists of descriptors, and where each descriptor can contain the following parts:
A buffer consists of zero or more device-readable physically-contiguous elements followed by zero or more physically-contiguous device-writable elements (each buffer has at least one element).
When the driver wants to send such a buffer to the device, it writes at least one available descriptor describing elements of the buffer into the Descriptor Ring. The descriptor(s) are associated with a buffer by means of a Buffer ID stored within the descriptor.
The driver then notifies the device. When the device has finished processing the buffer, it writes a used device descriptor including the Buffer ID into the Descriptor Ring (overwriting a driver descriptor previously made available), and sends a used event notification.
The Descriptor Ring is used in a circular manner: the driver writes descriptors into the ring in order. After reaching the end of the ring, the next descriptor is placed at the head of the ring. Once the ring is full of driver descriptors, the driver stops sending new requests and waits for the device to start processing descriptors and to write out some used descriptors before making new driver descriptors available.
Similarly, the device reads descriptors from the ring in order and detects that a driver descriptor has been made available. As processing of descriptors is completed, used descriptors are written by the device back into the ring.
Note: after reading driver descriptors and starting their processing in order, the device might complete their processing out of order. Used device descriptors are written in the order in which their processing is complete.
The Device Event Suppression data structure is write-only by the device. It includes information for reducing the number of device events, i.e., sending fewer available buffer notifications to the device.
The Driver Event Suppression data structure is read-only by the device. It includes information for reducing the number of driver events, i.e., sending fewer used buffer notifications to the driver.
Each of the driver and the device are expected to maintain, internally, a single-bit ring wrap counter initialized to 1.
The counter maintained by the driver is called the Driver Ring Wrap Counter. The driver changes the value of this counter each time it makes available the last descriptor in the ring (after making the last descriptor available).
The counter maintained by the device is called the Device Ring Wrap Counter. The device changes the value of this counter each time it uses the last descriptor in the ring (after marking the last descriptor used).
It is easy to see that the Driver Ring Wrap Counter in the driver matches the Device Ring Wrap Counter in the device when both are processing the same descriptor, or when all available descriptors have been used.
To mark a descriptor as available and used, both the driver and the device use the following two flags:
To mark a descriptor as available, the driver sets the VIRTQ_DESC_F_AVAIL bit in Flags to match the internal Driver Ring Wrap Counter. It also sets the VIRTQ_DESC_F_USED bit to match the inverse value (i.e. to not match the internal Driver Ring Wrap Counter).
To mark a descriptor as used, the device sets the VIRTQ_DESC_F_USED bit in Flags to match the internal Device Ring Wrap Counter. It also sets the VIRTQ_DESC_F_AVAIL bit to match the same value.
Thus VIRTQ_DESC_F_AVAIL and VIRTQ_DESC_F_USED bits are different for an available descriptor and equal for a used descriptor.
Note that this observation is mostly useful for sanity-checking as these are necessary but not sufficient conditions - for example, all descriptors are zero-initialized. To detect used and available descriptors it is possible for drivers and devices to keep track of the last observed value of VIRTQ_DESC_F_USED/VIRTQ_DESC_F_AVAIL. Other techniques to detect VIRTQ_DESC_F_AVAIL/VIRTQ_DESC_F_USED bit changes might also be possible.
Writes of device and driver descriptors can generally be reordered, but each side (driver and device) are only required to poll (or test) a single location in memory: the next device descriptor after the one they processed previously, in circular order.
Sometimes the device needs to only write out a single used descriptor after processing a batch of multiple available descriptors. As described in more detail below, this can happen when using descriptor chaining or with in-order use of descriptors. In this case, the device writes out a used descriptor with the buffer id of the last descriptor in the group. After processing the used descriptor, both device and driver then skip forward in the ring the number of the remaining descriptors in the group until processing (reading for the driver and writing for the device) the next used descriptor.
In an available descriptor, the VIRTQ_DESC_F_WRITE bit within Flags is used to mark a descriptor as corresponding to a write-only or read-only element of a buffer.
In a used descriptor, this bit is used to specify whether any data has been written by the device into any parts of the buffer.
In an available descriptor, Element Address corresponds to the physical address of the buffer element. The length of the element assumed to be physically contiguous is stored in Element Length.
In a used descriptor, Element Address is unused. Element Length specifies the length of the buffer that has been initialized (written to) by the device.
Element Length is reserved for used descriptors without the VIRTQ_DESC_F_WRITE flag, and is ignored by drivers.
Some drivers need an ability to supply a list of multiple buffer elements (also known as a scatter/gather list) with a request. Two features support this: descriptor chaining and indirect descriptors.
If neither feature is in use by the driver, each buffer is physically-contiguous, either read-only or write-only and is described completely by a single descriptor.
While unusual (most implementations either create all lists solely using non-indirect descriptors, or always use a single indirect element), if both features have been negotiated, mixing indirect and non-indirect descriptors in a ring is valid, as long as each list only contains descriptors of a given type.
Scatter/gather lists only apply to available descriptors. A single used descriptor corresponds to the whole list.
The device limits the number of descriptors in a list through a transport-specific and/or device-specific value. If not limited, the maximum number of descriptors in a list is the virt queue size.
The packed ring format allows the driver to supply a scatter/gather list to the device by using multiple descriptors, and setting the VIRTQ_DESC_F_NEXT bit in Flags for all but the last available descriptor.
Buffer ID is included in the last descriptor in the list.
The driver always makes the first descriptor in the list available after the rest of the list has been written out into the ring. This guarantees that the device will never observe a partial scatter/gather list in the ring.
Note: all flags, including VIRTQ_DESC_F_AVAIL, VIRTQ_DESC_F_USED, VIRTQ_DESC_F_WRITE must be set/cleared correctly in all descriptors in the list, not just the first one.
The device only writes out a single used descriptor for the whole list. It then skips forward according to the number of descriptors in the list. The driver needs to keep track of the size of the list corresponding to each buffer ID, to be able to skip to where the next used descriptor is written by the device.
For example, if descriptors are used in the same order in which they are made available, this will result in the used descriptor overwriting the first available descriptor in the list, the used descriptor for the next list overwriting the first available descriptor in the next list, etc.
VIRTQ_DESC_F_NEXT is reserved in used descriptors, and should be ignored by drivers.
Some devices benefit by concurrently dispatching a large number of large requests. The VIRTIO_F_INDIRECT_DESC feature allows this. To increase ring capacity the driver can store a (read-only by the device) table of indirect descriptors anywhere in memory, and insert a descriptor in the main virtqueue (with Flags bit VIRTQ_DESC_F_INDIRECT on) that refers to a buffer element containing this indirect descriptor table; addr and len refer to the indirect table address and length in bytes, respectively.
The indirect table layout structure looks like this (len is the Buffer Length of the descriptor that refers to this table, which is a variable):
The first descriptor is located at the start of the indirect descriptor table, additional indirect descriptors come immediately afterwards. The VIRTQ_DESC_F_WRITE flags bit is the only valid flag for descriptors in the indirect table. Others are reserved and are ignored by the device. Buffer ID is also reserved and is ignored by the device.
In descriptors with VIRTQ_DESC_F_INDIRECT set VIRTQ_DESC_F_WRITE is reserved and is ignored by the device.
Some devices always use descriptors in the same order in which they have been made available. These devices can offer the VIRTIO_F_IN_ORDER feature. If negotiated, this knowledge allows devices to notify the use of a batch of buffers to the driver by only writing out a single used descriptor with the Buffer ID corresponding to the last descriptor in the batch.
The device then skips forward in the ring according to the size of the batch. The driver needs to look up the used Buffer ID and calculate the batch size to be able to advance to where the next used descriptor will be written by the device.
This will result in the used descriptor overwriting the first available descriptor in the batch, the used descriptor for the next batch overwriting the first available descriptor in the next batch, etc.
The skipped buffers (for which no used descriptor was written) are assumed to have been used (read or written) by the device completely.
Some devices combine multiple buffers as part of processing of a single request. These devices always mark the descriptor corresponding to the first buffer in the request used after the rest of the descriptors (corresponding to rest of the buffers) in the request - which follow the first descriptor in ring order - has been marked used and written out into the ring. This guarantees that the driver will never observe a partial request in the ring.
In many systems used and available buffer notifications involve significant overhead. To mitigate this overhead, each virtqueue includes two identical structures used for controlling notifications between the device and the driver.
The Driver Event Suppression structure is read-only by the device and controls the used buffer notifications sent by the device to the driver.
The Device Event Suppression structure is read-only by the driver and controls the available buffer notifications sent by the driver to the device.
Each of these Event Suppression structures includes the following fields:
After writing out some descriptors, both the device and the driver are expected to consult the relevant structure to find out whether a used respectively an available buffer notification should be sent.
Each part of the virtqueue is physically-contiguous in guest memory, and has different alignment requirements.
The memory alignment and size requirements, in bytes, of each part of the virtqueue are summarized in the following table:
Virtqueue Part | Alignment | Size |
Descriptor Ring | 16 | 16∗(Queue Size) |
Device Event Suppression | 4 | 4 |
Driver Event Suppression | 4 | 4 |
The Alignment column gives the minimum alignment for each part of the virtqueue.
The Size column gives the total number of bytes for each part of the virtqueue.
Queue Size corresponds to the maximum number of descriptors in the virtqueue5. The Queue Size value does not have to be a power of 2.
The driver MUST ensure that the physical address of the first byte of each virtqueue part is a multiple of the specified alignment value in the above table.
The device MUST start processing driver descriptors in the order in which they appear in the ring. The device MUST start writing device descriptors into the ring in the order in which they complete. The device MAY reorder descriptor writes once they are started.
The available descriptor refers to the buffers the driver is sending to the device. addr is a physical address, and the descriptor is identified with a buffer using the id field.
The descriptor ring is zero-initialized.
The following structure is used to reduce the number of notifications sent between driver and device.
A device MUST NOT write to a device-readable buffer, and a device SHOULD NOT read a device-writable buffer. A device MUST NOT use a descriptor unless it observes the VIRTQ_DESC_F_AVAIL bit in its flags being changed (e.g. as compared to the initial zero value). A device MUST NOT change a descriptor after changing it’s the VIRTQ_DESC_F_USED bit in its flags.
A driver MUST NOT change a descriptor unless it observes the VIRTQ_DESC_F_USED bit in its flags being changed. A driver MUST NOT change a descriptor after changing the VIRTQ_DESC_F_AVAIL bit in its flags. When notifying the device, driver MUST set next_off and next_wrap to match the next descriptor not yet made available to the device. A driver MAY send multiple available buffer notifications without making any new descriptors available to the device.
A driver MUST NOT create a descriptor list longer than allowed by the device.
A driver MUST NOT create a descriptor list longer than the Queue Size.
This implies that loops in the descriptor list are forbidden!
The driver MUST place any device-writable descriptor elements after any device-readable descriptor elements.
A driver MUST NOT depend on the device to use more descriptors to be able to write out all descriptors in a list. A driver MUST make sure there’s enough space in the ring for the whole list before making the first descriptor in the list available to the device.
A driver MUST NOT make the first descriptor in the list available before all subsequent descriptors comprising the list are made available.
The device MUST use descriptors in a list chained by the VIRTQ_DESC_F_NEXT flag in the same order that they were made available by the driver.
The device MAY limit the number of buffers it will allow in a list.
The driver MUST NOT set the DESC_F_INDIRECT flag unless the VIRTIO_F_INDIRECT_DESC feature was negotiated. The driver MUST NOT set any flags except DESC_F_WRITE within an indirect descriptor.
A driver MUST NOT create a descriptor chain longer than allowed by the device.
A driver MUST NOT write direct descriptors with DESC_F_INDIRECT set in a scatter-gather list linked by VIRTQ_DESC_F_NEXT. flags.
There are two parts to virtqueue operation: supplying new available buffers to the device, and processing used buffers from the device.
What follows is the requirements of each of these two parts when using the packed virtqueue format in more detail.
The driver offers buffers to one of the device’s virtqueues as follows:
What follows are the requirements of each stage in more detail.
For each buffer element, b:
This makes a single descriptor buffer available. However, in general the driver MAY make use of a batch of descriptors as part of a single request. In that case, it defers updating the descriptor flags for the first descriptor (and the previous memory barrier) until after the rest of the descriptors have been initialized.
Once the descriptor flags field is updated by the driver, this exposes the descriptor and its contents. The device MAY access the descriptor and any following descriptors the driver created and the memory they refer to immediately.
The actual method of device notification is bus-specific, but generally it can be expensive. So the device MAY suppress such notifications if it doesn’t need them, using the Event Suppression structure comprising the Device Area as detailed in section 2.7.14.
The driver has to be careful to expose the new flags value before checking if notifications are suppressed.
Below is a driver code example. It does not attempt to reduce the number of available buffer notifications, neither does it support the VIRTIO_F_RING_EVENT_IDX feature.
Once the device has used buffers referred to by a descriptor (read from or written to them, or parts of both, depending on the nature of the virtqueue and the device), it sends a used buffer notification to the driver as detailed in section 2.7.14. Note:
For optimal performance, a driver MAY disable used buffer notifications while processing the used buffers, but beware the problem of missing notifications between emptying the ring and reenabling used buffer notifications. This is usually handled by re-checking for more used buffers after notifications are re-enabled:
The driver is sometimes required to send an available buffer notification to the device.
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, this notification involves sending the virtqueue number to the device (method depending on the transport).
However, some devices benefit from the ability to find out the amount of available data in the queue without accessing the virtqueue in memory: for efficiency or as a debugging aid.
To help with these optimizations, when VIRTIO_F_NOTIFICATION_DATA has been negotiated, driver notifications to the device include the following information:
Note that the driver can send multiple notifications even without making any more buffers available. When VIRTIO_F_NOTIFICATION_DATA has been negotiated, these notifications would then have identical next_off and next_wrap values.
Shared memory regions are an additional facility available to devices that need a region of memory that’s continuously shared between the device and the driver, rather than passed between them in the way virtqueue elements are.
Example uses include shared caches and version pools for versioned data structures.
The memory region is allocated by the device and presented to the driver. Where the device is implemented in software on a host, this arrangement allows the memory region to be allocated by a library on the host, which the device may not have full control over.
A device may have multiple shared memory regions associated with it. Each region has a shmid to identify it, the meaning of which is device-specific.
Enumeration and location of shared memory regions is performed in a transport-specific way.
Memory consistency rules vary depending on the region and the device and they will be specified as required by each device.
References into shared memory regions are represented as offsets from the beginning of the region instead of absolute memory addresses. Offsets are used both for references between structures stored within shared memory and for requests placed in virtqueues that refer to shared memory. The shmid may be explicit or may be inferred from the context of the reference.
Shared memory regions MUST NOT expose shared memory regions which are used to control the operation of the device, nor to stream data.
The driver MUST follow this sequence to initialize a device:
If any of these steps go irrecoverably wrong, the driver SHOULD set the FAILED status bit to indicate that it has given up on the device (it can reset the device later to restart if desired). The driver MUST NOT continue initialization in that case.
The driver MUST NOT send any buffer available notifications to the device before setting DRIVER_OK.
Legacy devices did not support the FEATURES_OK status bit, and thus did not have a graceful way for the device to indicate unsupported feature combinations. They also did not provide a clear mechanism to end feature negotiation, which meant that devices finalized features on first-use, and no features could be introduced which radically changed the initial operation of the device.
Legacy driver implementations often used the device before setting the DRIVER_OK bit, and sometimes even before writing the feature bits to the device.
The result was the steps 5 and 6 were omitted, and steps 4, 7 and 8 were conflated.
Therefore, when using the legacy interface:
When operating the device, each field in the device configuration space can be changed by either the driver or the device.
Whenever such a configuration change is triggered by the device, driver is notified. This makes it possible for drivers to cache device configuration, avoiding expensive configuration reads unless notified.
For devices where the device-specific configuration information can be changed, a configuration change notification is sent when a device-specific configuration change occurs.
In addition, this notification is triggered by the device setting DEVICE_NEEDS_RESET (see 2.1.2).
Once the driver has set the DRIVER_OK status bit, all the configured virtqueue of the device are considered live. None of the virtqueues of a device are live once the device has been reset.
A driver MUST NOT alter virtqueue entries for exposed buffers, i.e., buffers which have been made available to the device (and not been used by the device) of a live virtqueue.
Thus a driver MUST ensure a virtqueue isn’t live (by device reset) before removing exposed buffers.
Virtio devices are commonly implemented as PCI devices.
A Virtio device can be implemented as any kind of PCI device: a Conventional PCI device or a PCI Express device. To assure designs meet the latest level requirements, see the PCI-SIG home page at http://www.pcisig.com for any approved changes.
A Virtio device using Virtio Over PCI Bus MUST expose to guest an interface that meets the specification requirements of the appropriate PCI specification: [PCI] and [PCIe] respectively.
Any PCI device with PCI Vendor ID 0x1AF4, and PCI Device ID 0x1000 through 0x107F inclusive is a virtio device. The actual value within this range indicates which virtio device is supported by the device. The PCI Device ID is calculated by adding 0x1040 to the Virtio Device ID, as indicated in section 5. Additionally, devices MAY utilize a Transitional PCI Device ID range, 0x1000 to 0x103F depending on the device type.
Devices MUST have the PCI Vendor ID 0x1AF4. Devices MUST either have the PCI Device ID calculated by adding 0x1040 to the Virtio Device ID, as indicated in section 5 or have the Transitional PCI Device ID depending on the device type, as follows:
Transitional PCI Device ID | Virtio Device |
0x1000 | network card |
0x1001 | block device |
0x1002 | memory ballooning (traditional) |
0x1003 | console |
0x1004 | SCSI host |
0x1005 | entropy source |
0x1009 | 9P transport |
For example, the network card device with the Virtio Device ID 1 has the PCI Device ID 0x1041 or the Transitional PCI Device ID 0x1000.
The PCI Subsystem Vendor ID and the PCI Subsystem Device ID MAY reflect the PCI Vendor and Device ID of the environment (for informational purposes by the driver).
Non-transitional devices SHOULD have a PCI Device ID in the range 0x1040 to 0x107f. Non-transitional devices SHOULD have a PCI Revision ID of 1 or higher. Non-transitional devices SHOULD have a PCI Subsystem Device ID of 0x40 or higher.
This is to reduce the chance of a legacy driver attempting to drive the device.
Drivers MUST match devices with the PCI Vendor ID 0x1AF4 and the PCI Device ID in the range 0x1040 to 0x107f, calculated by adding 0x1040 to the Virtio Device ID, as indicated in section 5. Drivers for device types listed in section 4.1.2 MUST match devices with the PCI Vendor ID 0x1AF4 and the Transitional PCI Device ID indicated in section 4.1.2.
Drivers MUST match any PCI Revision ID value. Drivers MAY match any PCI Subsystem Vendor ID and any PCI Subsystem Device ID value.
Transitional devices MUST have a PCI Revision ID of 0. Transitional devices MUST have the PCI Subsystem Device ID matching the Virtio Device ID, as indicated in section 5. Transitional devices MUST have the Transitional PCI Device ID in the range 0x1000 to 0x103f.
This is to match legacy drivers.
The device is configured via I/O and/or memory regions (though see 4.1.4.8 for access via the PCI configuration space), as specified by Virtio Structure PCI Capabilities.
Fields of different sizes are present in the device configuration regions. All 64-bit, 32-bit and 16-bit fields are little-endian. 64-bit fields are to be treated as two 32-bit fields, with low 32 bit part followed by the high 32 bit part.
For device configuration access, the driver MUST use 8-bit wide accesses for 8-bit wide fields, 16-bit wide and aligned accesses for 16-bit wide fields and 32-bit wide and aligned accesses for 32-bit and 64-bit wide fields. For 64-bit fields, the driver MAY access each of the high and low 32-bit parts of the field independently.
For 64-bit device configuration fields, the device MUST allow driver independent access to high and low 32-bit parts of the field.
The virtio device configuration layout includes several structures:
Each structure can be mapped by a Base Address register (BAR) belonging to the function, or accessed via the special VIRTIO_PCI_CAP_PCI_CFG field in the PCI configuration space.
The location of each structure is specified using a vendor-specific PCI capability located on the capability list in PCI configuration space of the device. This virtio structure capability uses little-endian format; all fields are read-only for the driver unless stated otherwise:
This structure can be followed by extra data, depending on cfg_type, as documented below.
The fields are interpreted as follows:
Any other value is reserved for future use.
Each structure is detailed individually below.
The device MAY offer more than one structure of any type - this makes it possible for the device to expose multiple interfaces to drivers. The order of the capabilities in the capability list specifies the order of preference suggested by the device. A device may specify that this ordering mechanism be overridden by the use of the id field. Note: For example, on some hypervisors, notifications using IO accesses are faster than memory accesses. In this case, the device would expose two capabilities with cfg_type set to VIRTIO_PCI_CAP_NOTIFY_CFG: the first one addressing an I/O BAR, the second one addressing a memory BAR. In this example, the driver would use the I/O BAR if I/O resources are available, and fall back on memory BAR when I/O resources are unavailable.
Any other value is reserved for future use.
length MAY include padding, or fields unused by the driver, or future extensions. Note: For example, a future device might present a large structure size of several MBytes. As current devices never utilize structures larger than 4KBytes in size, driver MAY limit the mapped structure size to e.g. 4KBytes (thus ignoring parts of structure after the first 4KBytes) to allow forward compatibility with such devices without loss of functionality and without wasting resources.
A variant of this type, struct virtio_pci_cap64, is defined for those capaibilites that require offsets or lengths larger than 4GiB:
Given that the cap.length and cap.offset fields are only 32 bit, the additional offset_hi and length_hi fields provide the most significant 32 bits of a total 64 bit offset and length within the bar specified by cap.bar.
The driver MUST ignore any vendor-specific capability structure which has a reserved cfg_type value.
The driver SHOULD use the first instance of each virtio structure type they can support.
The driver MUST accept a cap_len value which is larger than specified here.
The driver MUST ignore any vendor-specific capability structure which has a reserved bar value.
The drivers SHOULD only map part of configuration structure large enough for device operation. The drivers MUST handle an unexpectedly large length, but MAY check that length is large enough for device operation.
The driver MUST NOT write into any field of the capability structure, with the exception of those with cap_type VIRTIO_PCI_CAP_PCI_CFG as detailed in 4.1.4.8.2.
The device MUST include any extra data (from the beginning of the cap_vndr field through end of the extra data fields if any) in cap_len. The device MAY append extra data or padding to any structure beyond that.
If the device presents multiple structures of the same type, it SHOULD order them from optimal (first) to least-optimal (last).
The common configuration structure is found at the bar and offset within the VIRTIO_PCI_CAP_COMMON_CFG capability; its layout is below.
The device MUST present at least one common configuration capability.
The device MUST present the feature bits it is offering in device_feature, starting at bit device_feature_select ∗ 32 for any device_feature_select written by the driver. Note: This means that it will present 0 for any device_feature_select other than 0 or 1, since no feature defined here exceeds 63.
The device MUST present any valid feature bits the driver has written in driver_feature, starting at bit driver_feature_select ∗ 32 for any driver_feature_select written by the driver. Valid feature bits are those which are subset of the corresponding device_feature bits. The device MAY present invalid bits written by the driver. Note: This means that a device can ignore writes for feature bits it never offers, and simply present 0 on reads. Or it can just mirror what the driver wrote (but it will still have to check them when the driver sets FEATURES_OK). Note: A driver shouldn’t write invalid bits anyway, as per 3.1.1, but this attempts to handle it.
The device MUST present a changed config_generation after the driver has read a device-specific configuration value which has changed since any part of the device-specific configuration was last read. Note: As config_generation is an 8-bit value, simply incrementing it on every configuration change could violate this requirement due to wrap. Better would be to set an internal flag when it has changed, and if that flag is set when the driver reads from the device-specific configuration, increment config_generation and clear the flag.
The device MUST reset when 0 is written to device_status, and present a 0 in device_status once that is done.
The device MUST present a 0 in queue_enable on reset.
The device MUST present a 0 in queue_size if the virtqueue corresponding to the current queue_select is unavailable.
If VIRTIO_F_RING_PACKED has not been negotiated, the device MUST present either a value of 0 or a power of 2 in queue_size.
If VIRTIO_F_RING_PACKED has been negotiated, the driver MUST NOT write the value 0 to queue_size. If VIRTIO_F_RING_PACKED has not been negotiated, the driver MUST NOT write a value which is not a power of 2 to queue_size.
The driver MUST configure the other virtqueue fields before enabling the virtqueue with queue_enable.
After writing 0 to device_status, the driver MUST wait for a read of device_status to return 0 before reinitializing the device.
The driver MUST NOT write a 0 to queue_enable.
The notification location is found using the VIRTIO_PCI_CAP_NOTIFY_CFG capability. This capability is immediately followed by an additional field, like so:
notify_off_multiplier is combined with the queue_notify_off to derive the Queue Notify address within a BAR for a virtqueue:
The cap.offset and notify_off_multiplier are taken from the notification capability structure above, and the queue_notify_off is taken from the common configuration structure. Note: For example, if notifier_off_multiplier is 0, the device uses the same Queue Notify address for all queues.
For devices not offering VIRTIO_F_NOTIFICATION_DATA:
The cap.offset MUST be 2-byte aligned.
The device MUST either present notify_off_multiplier as an even power of 2, or present notify_off_multiplier as 0.
The value cap.length presented by the device MUST be at least 2 and MUST be large enough to support queue notification offsets for all supported queues in all possible configurations.
For all queues, the value cap.length presented by the device MUST satisfy:
For devices offering VIRTIO_F_NOTIFICATION_DATA:
The device MUST either present notify_off_multiplier as a number that is a power of 2 that is also a multiple 4, or present notify_off_multiplier as 0.
The cap.offset MUST be 4-byte aligned.
The value cap.length presented by the device MUST be at least 4 and MUST be large enough to support queue notification offsets for all supported queues in all possible configurations.
For all queues, the value cap.length presented by the device MUST satisfy:
The VIRTIO_PCI_CAP_ISR_CFG capability refers to at least a single byte, which contains the 8-bit ISR status field to be used for INT#x interrupt handling.
The offset for the ISR status has no alignment requirements.
The ISR bits allow the device to distinguish between device-specific configuration change interrupts and normal virtqueue interrupts:
Bits | 0 | 1 | 2 to 31 |
Purpose | Queue Interrupt | Device Configuration Interrupt | Reserved |
To avoid an extra access, simply reading this register resets it to 0 and causes the device to de-assert the interrupt.
In this way, driver read of ISR status causes the device to de-assert an interrupt.
See sections 4.1.5.3 and 4.1.5.4 for how this is used.
The device MUST set the Device Configuration Interrupt bit in ISR status before sending a device configuration change notification to the driver.
If MSI-X capability is disabled, the device MUST set the Queue Interrupt bit in ISR status before sending a virtqueue notification to the driver.
If MSI-X capability is disabled, the device MUST set the Interrupt Status bit in the PCI Status register in the PCI Configuration Header of the device to the logical OR of all bits in ISR status of the device. The device then asserts/deasserts INT#x interrupts unless masked according to standard PCI rules [PCI].
The device MUST reset ISR status to 0 on driver read.
The device MUST present at least one VIRTIO_PCI_CAP_DEVICE_CFG capability for any device type which has a device-specific configuration.
Shared memory regions 2.8 are enumerated on the PCI transport as a sequence of VIRTIO_PCI_CAP_SHARED_MEMORY_CFG capabilities, one per region.
The capability is defined by a struct virtio_pci_cap64 and utilises the cap.id to allow multiple shared memory regions per device. The identifier in cap.id does not denote a certain order of preference; it is only used to uniquely identify a region.
The cap.id MUST be unique for any one device instance.
The VIRTIO_PCI_CAP_PCI_CFG capability creates an alternative (and likely suboptimal) access method to the common configuration, notification, ISR and device-specific configuration regions.
The capability is immediately followed by an additional field like so:
The fields cap.bar, cap.length, cap.offset and pci_cfg_data are read-write (RW) for the driver.
To access a device region, the driver writes into the capability structure (ie. within the PCI configuration space) as follows:
At that point, pci_cfg_data will provide a window of size cap.length into the given cap.bar at offset cap.offset.
Upon detecting driver write access to pci_cfg_data, the device MUST execute a write access at offset cap.offset at BAR selected by cap.bar using the first cap.length bytes from pci_cfg_data.
Upon detecting driver read access to pci_cfg_data, the device MUST execute a read access of length cap.length at offset cap.offset at BAR selected by cap.bar and store the first cap.length bytes in pci_cfg_data.
The driver MUST NOT read or write pci_cfg_data unless cap.bar, cap.length and cap.offset address cap.length bytes within a BAR range specified by some other Virtio Structure PCI Capability of type other than VIRTIO_PCI_CAP_PCI_CFG.
Transitional devices MUST present part of configuration registers in a legacy configuration structure in BAR0 in the first I/O region of the PCI device, as documented below. When using the legacy interface, transitional drivers MUST use the legacy configuration structure in BAR0 in the first I/O region of the PCI device, as documented below.
When using the legacy interface the driver MAY access the device-specific configuration region using any width accesses, and a transitional device MUST present driver with the same results as when accessed using the “natural” access method (i.e. 32-bit accesses for 32-bit fields, etc).
Note that this is possible because while the virtio common configuration structure is PCI (i.e. little) endian, when using the legacy interface the device-specific configuration region is encoded in the native endian of the guest (where such distinction is applicable).
When used through the legacy interface, the virtio common configuration structure looks as follows:
Bits | 32 | 32 | 32 | 16 | 16 | 16 | 8 | 8 |
Read / Write | R | R+W | R+W | R | R+W | R+W | R+W | R |
Purpose | Device Features bits 0:31 | Driver Features bits 0:31 | Queue Address | queue_size | queue_select | Queue Notify | Device Status | ISR Status |
If MSI-X is enabled for the device, two additional fields immediately follow this header:
Bits | 16 | 16 |
Read/Write | R+W | R+W |
Purpose (MSI-X) | config_msix_vector | queue_msix_vector |
Note: When MSI-X capability is enabled, device-specific configuration starts at byte offset 24 in virtio common configuration structure structure. When MSI-X capability is not enabled, device-specific configuration starts at byte offset 20 in virtio header. ie. once you enable MSI-X on the device, the other fields move. If you turn it off again, they move back!
Any device-specific configuration space immediately follows these general headers:
Bits | Device Specific |
… |
Read / Write | Device Specific | |
Purpose | Device Specific | |
When accessing the device-specific configuration space using the legacy interface, transitional drivers MUST access the device-specific configuration space at an offset immediately following the general headers.
When using the legacy interface, transitional devices MUST present the device-specific configuration space if any at an offset immediately following the general headers.
Note that only Feature Bits 0 to 31 are accessible through the Legacy Interface. When used through the Legacy Interface, Transitional Devices MUST assume that Feature Bits 32 to 63 are not acknowledged by Driver.
As legacy devices had no config_generation field, see 2.4.4 Legacy Interface: Device Configuration Space for workarounds.
All known legacy drivers check either the PCI Revision or the Device and Vendor IDs, and thus won’t attempt to drive a non-transitional device.
A buggy legacy driver might mistakenly attempt to drive a non-transitional device. If support for such drivers is required (as opposed to fixing the bug), the following would be the recommended way to detect and handle them. Note: Such buggy drivers are not currently known to be used in production.
This documents PCI-specific steps executed during Device Initialization.
Legacy devices did not have the Virtio PCI Capability in their capability list.
Therefore:
Transitional devices MUST expose the Legacy Interface in I/O space in BAR0.
Transitional drivers MUST look for the Virtio PCI Capabilities on the capability list. If these are not present, driver MUST assume a legacy device, and use it through the legacy interface.
Non-transitional drivers MUST look for the Virtio PCI Capabilities on the capability list. If these are not present, driver MUST assume a legacy device, and fail gracefully.
Writing a valid MSI-X Table entry number, 0 to 0x7FF, to config_msix_vector/queue_msix_vector maps interrupts triggered by the configuration change/selected queue events respectively to the corresponding MSI-X vector. To disable interrupts for an event type, the driver unmaps this event by writing a special NO_VECTOR value:
Note that mapping an event to vector might require device to allocate internal device resources, and thus could fail.
Device MUST support mapping any event type to any valid vector 0 to MSI-X Table Size. Device MUST support unmapping any event type.
The device MUST return vector mapped to a given event, (NO_VECTOR if unmapped) on read of config_msix_vector/queue_msix_vector. The device MUST have all queue and configuration change events are unmapped upon reset.
Devices SHOULD NOT cause mapping an event to vector to fail unless it is impossible for the device to satisfy the mapping request. Devices MUST report mapping failures by returning the NO_VECTOR value when the relevant config_msix_vector/queue_msix_vector field is read.
Driver MAY intepret the Table Size as a hint from the device for the suggested number of MSI-X vectors to use.
Driver MUST NOT attempt to map an event to a vector outside the MSI-X Table supported by the device, as reported by Table Size in the MSI-X Capability.
After mapping an event to vector, the driver MUST verify success by reading the Vector field value: on success, the previously written value is returned, and on failure, NO_VECTOR is returned. If a mapping failure is detected, the driver MAY retry mapping with fewer vectors, disable MSI-X or report device failure.
The driver typically does this as follows, for each virtqueue a device has:
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the driver sends an available buffer notification to the device by writing the 16-bit virtqueue index of this virtqueue to the Queue Notify address.
When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the driver sends an available buffer notification to the device by writing the following 32-bit value to the Queue Notify address:
See 2.7.23 Driver notifications for the definition of the components.
See 4.1.4.4 for how to calculate the Queue Notify address.
If a used buffer notification is necessary for a virtqueue, the device would typically act as follows:
Some virtio PCI devices can change the device configuration state, as reflected in the device-specific configuration region of the device. In this case:
A single interrupt MAY indicate both that one or more virtqueue has been used and that the configuration space has changed.
The driver interrupt handler would typically:
Virtual environments without PCI support (a common situation in embedded devices models) might use simple memory mapped device (“virtio-mmio”) instead of the PCI device.
The memory mapped virtio device behaviour is based on the PCI device specification. Therefore most operations including device initialization, queues configuration and buffer transfers are nearly identical. Existing differences are described in the following sections.
Unlike PCI, MMIO provides no generic device discovery mechanism. For each device, the guest OS will need to know the location of the registers and interrupt(s) used. The suggested binding for systems using flattened device trees is shown in this example:
MMIO virtio devices provide a set of memory mapped control registers followed by a device-specific configuration space, described in the table 4.1.
All register values are organized as Little Endian.
| |
Name |
Function |
|
|
MagicValue |
Magic value |
Version |
Device version number
|
DeviceID |
Virtio Subsystem Device ID |
VendorID |
Virtio Subsystem Vendor ID |
DeviceFeatures |
Flags representing features the device supports |
DeviceFeaturesSel
|
Device (host) features word selection. |
DriverFeatures |
Flags representing device features understood
and activated by the driver |
DriverFeaturesSel
|
Activated (guest) features word selection |
QueueSel |
Virtual queue index |
QueueNumMax
|
Maximum virtual queue size |
QueueNum |
Virtual queue size |
QueueReady |
Virtual queue ready bit |
QueueNotify |
Queue notifier When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the value written is the queue index. When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the Notification data value has the following format: See 2.7.23 Driver notifications for the definition of the components. |
InterruptStatus
|
Interrupt status
|
InterruptACK |
Interrupt acknowledge |
Status |
Device status |
QueueDescLow
|
Virtual queue’s Descriptor Area 64 bit long
physical address |
QueueDriverLow
|
Virtual queue’s Driver Area 64 bit long physical
address |
QueueDeviceLow
|
Virtual queue’s Device Area 64 bit long physical
address |
SHMSel |
Shared memory id |
|
|
SHMLenLow |
Shared memory region 64 bit long length |
SHMBaseLow |
Shared memory region 64 bit long physical
address |
ConfigGeneration
|
Configuration atomicity value |
Config |
Configuration space |
|
|
|
|
|
|
|
|
|
The device MUST return 0x74726976 in MagicValue.
The device MUST return value 0x2 in Version.
The device MUST present each event by setting the corresponding bit in InterruptStatus from the moment it takes place, until the driver acknowledges the interrupt by writing a corresponding bit mask to the InterruptACK register. Bits which do not represent events which took place MUST be zero.
Upon reset, the device MUST clear all bits in InterruptStatus and ready bits in the QueueReady register for all queues in the device.
The device MUST change value returned in ConfigGeneration if there is any risk of a driver seeing an inconsistent configuration state.
The device MUST NOT access virtual queue contents when QueueReady is zero (0x0).
The driver MUST NOT access memory locations not described in the table 4.1 (or, in case of the configuration space, described in the device specification), MUST NOT write to the read-only registers (direction R) and MUST NOT read from the write-only registers (direction W).
The driver MUST only use 32 bit wide and aligned reads and writes to access the control registers described in table 4.1. For the device-specific configuration space, the driver MUST use 8 bit wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and 64 bit wide fields.
The driver MUST ignore a device with MagicValue which is not 0x74726976, although it MAY report an error.
The driver MUST ignore a device with Version which is not 0x2, although it MAY report an error.
The driver MUST ignore a device with DeviceID 0x0, but MUST NOT report any error.
Before reading from DeviceFeatures, the driver MUST write a value to DeviceFeaturesSel.
Before writing to the DriverFeatures register, the driver MUST write a value to the DriverFeaturesSel register.
The driver MUST write a value to QueueNum which is less than or equal to the value presented by the device in QueueNumMax.
When QueueReady is not zero, the driver MUST NOT access QueueNum, QueueDescLow, QueueDescHigh, QueueAvailLow, QueueAvailHigh, QueueUsedLow, QueueUsedHigh.
To stop using the queue the driver MUST write zero (0x0) to this QueueReady and MUST read the value back to ensure synchronization.
The driver MUST ignore undefined bits in InterruptStatus.
The driver MUST write a value with a bit mask describing events it handled into InterruptACK when it finishes handling an interrupt and MUST NOT set any of the undefined bits in the value.
Drivers not expecting shared memory MUST NOT use the shared memory registers.
Further initialization MUST follow the procedure described in 3.1 Device Initialization.
The driver will typically initialize the virtual queue in the following way:
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the driver sends an available buffer notification to the device by writing the 16-bit virtqueue index of the queue to be notified to QueueNotify.
When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the driver sends an available buffer notification to the device by writing the following 32-bit value to QueueNotify:
See 2.7.23 Driver notifications for the definition of the components.
The memory mapped virtio device is using a single, dedicated interrupt signal, which is asserted when at least one of the bits described in the description of InterruptStatus is set. This is how the device sends a used buffer notification or a configuration change notification to the device.
The legacy MMIO transport used page-based addressing, resulting in a slightly different control register layout, the device initialization and the virtual queue configuration procedure.
Table 4.2 presents control registers layout, omitting descriptions of registers which did not change their function nor behaviour:
| |
Name |
Function |
|
|
MagicValue |
Magic value |
Version |
Device version number |
DeviceID |
Virtio Subsystem Device ID |
VendorID |
Virtio Subsystem Vendor ID |
HostFeatures |
Flags representing features the device supports |
HostFeaturesSel
|
Device (host) features word selection. |
GuestFeatures |
Flags representing device features understood
and activated by the driver |
GuestFeaturesSel
|
Activated (guest) features word selection |
GuestPageSize |
Guest page size |
QueueSel |
Virtual queue index |
QueueNumMax
|
Maximum virtual queue size |
QueueNum |
Virtual queue size |
QueueAlign |
Used Ring alignment in the virtual queue |
QueuePFN |
Guest physical page number of the virtual queue
|
QueueNotify |
Queue notifier |
InterruptStatus
|
Interrupt status |
InterruptACK |
Interrupt acknowledge |
Status |
Device status |
Config |
Configuration space |
|
|
|
|
|
|
|
|
|
The virtual queue page size is defined by writing to GuestPageSize, as written by the guest. The driver does this before the virtual queues are configured.
The virtual queue layout follows p. 2.6.2 Legacy Interfaces: A Note on Virtqueue Layout, with the alignment defined in QueueAlign.
The virtual queue is configured as follows:
Notification mechanisms did not change.
S/390 based virtual machines support neither PCI nor MMIO, so a different transport is needed there.
virtio-ccw uses the standard channel I/O based mechanism used for the majority of devices on S/390. A virtual channel device with a special control unit type acts as proxy to the virtio device (similar to the way virtio-pci uses a PCI device) and configuration and operation of the virtio device is accomplished (mostly) via channel commands. This means virtio devices are discoverable via standard operating system algorithms, and adding virtio support is mainly a question of supporting a new control unit type.
As the S/390 is a big endian machine, the data structures transmitted via channel commands are big-endian: this is made clear by use of the types be16, be32 and be64.
As a proxy device, virtio-ccw uses a channel-attached I/O control unit with a special control unit type (0x3832) and a control unit model corresponding to the attached virtio device’s subsystem device ID, accessed via a virtual I/O subchannel and a virtual channel path of type 0x32. This proxy device is discoverable via normal channel subsystem device discovery (usually a STORE SUBCHANNEL loop) and answers to the basic channel commands:
For a virtio-ccw proxy device, SENSE ID will return the following information:
Bytes | Description | Contents |
0 | reserved | 0xff |
1-2 | control unit type | 0x3832 |
3 | control unit model | |
4-5 | device type | zeroes (unset) |
6 | device model | zeroes (unset) |
7-255 | extended SenseId data | zeroes (unset) |
A virtio-ccw proxy device facilitates:
In addition to the basic channel commands, virtio-ccw defines a set of channel commands related to configuration and operation of virtio:
Available buffer notifications are realized as a hypercall. No additional setup by the driver is needed. The operation of available buffer notifications is described in section 4.3.3.2.
Used buffer notifications are realized either as so-called classic or adapter I/O interrupts depending on a transport level negotiation. The initialization is described in sections 4.3.2.6.1 and 4.3.2.6.3 respectively. The operation of each flavor is described in sections 4.3.3.1.1 and 4.3.3.1.2 respectively.
Configuration change notifications are done using so-called classic I/O interrupts. The initialization is described in section 4.3.2.6.2 and the operation in section 4.3.3.1.1.
The virtio-ccw device acts like a normal channel device, as specified in [S390 PoP] and [S390 Common I/O]. In particular:
A driver for virtio-ccw devices MUST check for a control unit type of 0x3832 and MUST ignore the device type and model.
A driver SHOULD attempt to provide the correct length in a channel command even if it suppresses length checks for that command.
virtio-ccw uses several channel commands to set up a device.
CCW_CMD_SET_VIRTIO_REV is issued by the driver to set the revision of the virtio-ccw transport it intends to drive the device with. It uses the following communication structure:
revision contains the desired revision id, length the length of the data portion and data revision-dependent additional desired options.
The following values are supported:
revision | length | data | remarks |
0 | 0 | | legacy interface; transitional devices only |
1 | 0 | | Virtio 1 |
2 | 0 | | CCW_CMD_READ_STATUS support |
3-n | reserved for later revisions | ||
Note that a change in the virtio standard does not necessarily correspond to a change in the virtio-ccw revision.
A device MUST answer with command reject to any virtio-ccw specific channel command that is not contained in the revision selected by the driver.
A device MUST answer with command reject to any attempt to select a different revision after a revision has been successfully selected by the driver.
A device MUST treat the revision as unset from the time the associated subchannel has been enabled until a revision has been successfully set by the driver. This implies that revisions are not persistent across disabling and enabling of the associated subchannel.
A driver MUST NOT issue any other virtio-ccw specific channel commands prior to setting the revision.
After a revision has been successfully selected by the driver, it MUST NOT attempt to select a different revision.
A legacy driver will not issue the CCW_CMD_SET_VIRTIO_REV prior to issuing other virtio-ccw specific channel commands. A non-transitional device therefore MUST answer any such attempts with a command reject. A transitional device MUST assume in this case that the driver is a legacy driver and continue as if the driver selected revision 0. This implies that the device MUST reject any command not valid for revision 0, including a subsequent CCW_CMD_SET_VIRTIO_REV.
CCW_CMD_READ_VQ_CONF is issued by the driver to obtain information about a queue. It uses the following structure for communicating:
The requested number of buffers for queue index is returned in max_num.
Afterwards, CCW_CMD_SET_VQ is issued by the driver to inform the device about the location used for its queue. The transmitted structure is
desc, driver and device contain the guest addresses for the descriptor area, available area and used area for queue index, respectively. The actual virtqueue size (number of allocated buffers) is transmitted in num.
queue contains the guest address for queue index, num the number of buffers and align the alignment. The queue layout follows 2.6.2 Legacy Interfaces: A Note on Virtqueue Layout.
The driver changes the status of a device via the CCW_CMD_WRITE_STATUS command, which transmits an 8 bit status value.
As described in 2.2.2, a device sometimes fails to set the device status field: For example, it might fail to accept the FEATURES_OK status bit during device initialization.
With revision 2, CCW_CMD_READ_STATUS is defined: It reads an 8 bit status value from the device and acts as a reverse operation to CCW_CMD_WRITE_STATUS.
If at least revision 2 has been negotiated, the driver SHOULD use the CCW_CMD_READ_STATUS command to retrieve the device status field after a configuration change has been detected.
If not at least revision 2 has been negotiated, the driver MUST NOT attempt to issue the CCW_CMD_READ_STATUS command.
If at least revision 2 has been negotiated, the device MUST return the current device status field if the CCW_CMD_READ_STATUS command is issued.
Feature bits are arranged in an array of 32 bit values, making for a total of 8192 feature bits. Feature bits are in little-endian byte order.
The CCW commands dealing with features use the following communication block:
features are the 32 bits of features currently accessed, while index describes which of the feature bit values is to be accessed. No padding is added at the end of the structure, it is exactly 5 bytes in length.
The guest obtains the device’s device feature set via the CCW_CMD_READ_FEAT command. The device stores the features at index to features.
For communicating its supported features to the device, the driver uses the CCW_CMD_WRITE_FEAT command, denoting a features/index combination.
The device’s configuration space is located in host memory.
To obtain information from the configuration space, the driver uses CCW_CMD_READ_CONF, specifying the guest memory for the device to write to.
For changing configuration information, the driver uses CCW_CMD_WRITE_CONF, specifying the guest memory for the device to read from.
In both cases, the complete configuration space is transmitted. This allows the driver to compare the new configuration space with the old version, and keep a generation count internally whenever it changes.
In order to set up the indicator bits for host->guest notification, the driver uses different channel commands depending on whether it wishes to use traditional I/O interrupts tied to a subchannel or adapter I/O interrupts for virtqueue notifications. For any given device, the two mechanisms are mutually exclusive.
For the configuration change indicators, only a mechanism using traditional I/O interrupts is provided, regardless of whether traditional or adapter I/O interrupts are used for virtqueue notifications.
To communicate the location of the indicator bits for host->guest notification, the driver uses the CCW_CMD_SET_IND command, pointing to a location containing the guest address of the indicators in a 64 bit value.
If the driver has already set up two-staged queue indicators via the CCW_CMD_SET_IND_ADAPTER command, the device MUST post a unit check with command reject to any subsequent CCW_CMD_SET_IND command.
To communicate the location of the indicator bits used in the configuration change host->guest notification, the driver issues the CCW_CMD_SET_CONF_IND command, pointing to a location containing the guest address of the indicators in a 64 bit value.
To communicate the location of the summary and queue indicator bits, the driver uses the CCW_CMD_SET_IND_ADAPTER command with the following payload:
summary_indicator contains the guest address of the 8 bit summary indicator. indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. Bit numbers start at the left, i.e. the most significant bit in the first byte is assigned the bit number 0. isc contains the I/O interruption subclass to be used for the adapter I/O interrupt. It MAY be different from the isc used by the proxy virtio-ccw device’s subchannel. No padding is added at the end of the structure, it is exactly 25 bytes in length.
There are two modes of operation regarding host->guest notification, classic I/O interrupts and adapter I/O interrupts. The mode to be used is determined by the driver by using CCW_CMD_SET_IND respectively CCW_CMD_SET_IND_ADAPTER to set up queue indicators.
For configuration changes, the driver always uses classic I/O interrupts.
For notifying the driver of virtqueue buffers, the device sets the corresponding bit in the guest-provided indicators. If an interrupt is not already pending for the subchannel, the device generates an unsolicited I/O interrupt.
If the device wants to notify the driver about configuration changes, it sets bit 0 in the configuration indicators and generates an unsolicited I/O interrupt, if needed. This also applies if adapter I/O interrupts are used for queue notifications.
For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. The guest-provided summary indicator is set to 0x01. An adapter I/O interrupt for the corresponding interruption subclass is generated.
The recommended way to process an adapter I/O interrupt by the driver is as follows:
For notifying the device of virtqueue buffers, the driver unfortunately can’t use a channel command (the asynchronous characteristics of channel I/O interact badly with the host block I/O backend). Instead, it uses a diagnose 0x500 call with subcode 3 specifying the queue, as follows:
GPR | Input Value | Output Value |
1 | 0x3 | |
2 | Subchannel ID | Host Cookie |
3 | Notification data | |
4 | Host Cookie | |
When VIRTIO_F_NOTIFICATION_DATA has not been negotiated, the Notification data contains the Virtqueue number.
When VIRTIO_F_NOTIFICATION_DATA has been negotiated, the value has the following format:
See 2.7.23 Driver notifications for the definition of the components.
The device MAY return a 64-bit host cookie in GPR2 to speed up the notification execution.
In order to reset a device, a driver sends the CCW_CMD_VDEV_RESET command.
The following device IDs are used to identify different types of virtio devices. Some device IDs are reserved for devices which are not currently defined in this standard.
Discovering what devices are available and their type is bus-dependent.
Device ID | Virtio Device |
0 | reserved (invalid) |
1 | network card |
2 | block device |
3 | console |
4 | entropy source |
5 | memory ballooning (traditional) |
6 | ioMemory |
7 | rpmsg |
8 | SCSI host |
9 | 9P transport |
10 | mac80211 wlan |
11 | rproc serial |
12 | virtio CAIF |
13 | memory balloon |
16 | GPU device |
17 | Timer/Clock device |
18 | Input device |
19 | Socket device |
20 | Crypto device |
21 | Signal Distribution Module |
22 | pstore device |
23 | IOMMU device |
24 | Memory device |
26 | file system device |
27 | PMEM device |
Some of the devices above are unspecified by this document, because they are seen as immature or especially niche. Be warned that some are only specified by the sole existing implementation; they could become part of a future specification, be abandoned entirely, or live on outside this standard. We shall speak of them no further.
The virtio network device is a virtual ethernet card, and is the most complex of the devices supported so far by virtio. It has enhanced rapidly and demonstrates clearly how support for new features are added to an existing device. Empty buffers are placed in one virtqueue for receiving packets, and outgoing packets are enqueued into another for transmission in that order. A third command queue is used to control advanced filtering features.
N=1 if VIRTIO_NET_F_MQ is not negotiated, otherwise N is set by max_virtqueue_pairs.
controlq only exists if VIRTIO_NET_F_CTRL_VQ set.
Some networking feature bits require other networking feature bits (see 2.2.1):
Three driver-read-only configuration fields are currently defined. The mac address field always exists (though is only valid if VIRTIO_NET_F_MAC is set), and status only exists if VIRTIO_NET_F_STATUS is set. Two read-only bits (for the driver) are currently defined for the status field: VIRTIO_NET_S_LINK_UP and VIRTIO_NET_S_ANNOUNCE.
The following driver-read-only field, max_virtqueue_pairs only exists if VIRTIO_NET_F_MQ is set. This field specifies the maximum number of each of transmit and receive virtqueues (receiveq1…receiveqN and transmitq1…transmitqN respectively) that can be configured once VIRTIO_NET_F_MQ is negotiated.
The following driver-read-only field, mtu only exists if VIRTIO_NET_F_MTU is set. This field specifies the maximum MTU for the driver to use.
The device MUST set max_virtqueue_pairs to between 1 and 0x8000 inclusive, if it offers VIRTIO_NET_F_MQ.
The device MUST set mtu to between 68 and 65535 inclusive, if it offers VIRTIO_NET_F_MTU.
The device SHOULD set mtu to at least 1280, if it offers VIRTIO_NET_F_MTU.
The device MUST NOT modify mtu once it has been set.
The device MUST NOT pass received packets that exceed mtu (plus low level ethernet header length) size with gso_type NONE or ECN after VIRTIO_NET_F_MTU has been successfully negotiated.
The device MUST forward transmitted packets of up to mtu (plus low level ethernet header length) size with gso_type NONE or ECN, and do so without fragmentation, after VIRTIO_NET_F_MTU has been successfully negotiated.
If the driver negotiates the VIRTIO_NET_F_STANDBY feature, the device MAY act as a standby device for a primary device with the same MAC address.
A driver SHOULD negotiate VIRTIO_NET_F_MAC if the device offers it. If the driver negotiates the VIRTIO_NET_F_MAC feature, the driver MUST set the physical address of the NIC to mac. Otherwise, it SHOULD use a locally-administered MAC address (see IEEE 802, “9.2 48-bit universal LAN MAC addresses”).
If the driver does not negotiate the VIRTIO_NET_F_STATUS feature, it SHOULD assume the link is active, otherwise it SHOULD read the link status from the bottom bit of status.
A driver SHOULD negotiate VIRTIO_NET_F_MTU if the device offers it.
If the driver negotiates VIRTIO_NET_F_MTU, it MUST supply enough receive buffers to receive at least one receive packet of size mtu (plus low level ethernet header length) with gso_type NONE or ECN.
If the driver negotiates VIRTIO_NET_F_MTU, it MUST NOT transmit packets of size exceeding the value of mtu (plus low level ethernet header length) with gso_type NONE or ECN.
A driver SHOULD negotiate the VIRTIO_NET_F_STANDBY feature if the device offers it.
When using the legacy interface, transitional devices and drivers MUST format status and max_virtqueue_pairs in struct virtio_net_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
When using the legacy interface, mac is driver-writable which provided a way for drivers to update the MAC without negotiating VIRTIO_NET_F_CTRL_MAC_ADDR.
A driver would perform a typical initialization routine like so:
A truly minimal driver would only accept VIRTIO_NET_F_MAC and ignore everything else.
Packets are transmitted by placing them in the transmitq1…transmitqN, and buffers for incoming packets are placed in the receiveq1…receiveqN. In each case, the packet itself is preceded by a header:
The controlq is used to control device features such as filtering.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_net_hdr according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
The legacy driver only presented num_buffers in the struct virtio_net_hdr when VIRTIO_NET_F_MRG_RXBUF was negotiated; without that feature the structure was 2 bytes shorter.
When using the legacy interface, the driver SHOULD ignore the used length for the transmit queues and the controlq queue. Note: Historically, some devices put the total descriptor length there, even though no data was actually written.
Transmitting a single packet is simple, but varies depending on the different features the driver negotiated.
If VIRTIO_NET_F_CSUM is not negotiated, the driver MUST set flags to zero and SHOULD supply a fully checksummed packet to the device.
If VIRTIO_NET_F_HOST_TSO4 is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_TCPV4 to request TCPv4 segmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV4.
If VIRTIO_NET_F_HOST_TSO6 is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_TCPV6 to request TCPv6 segmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV6.
If VIRTIO_NET_F_HOST_UFO is negotiated, the driver MAY set gso_type to VIRTIO_NET_HDR_GSO_UDP to request UDP segmentation, otherwise the driver MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_UDP.
The driver SHOULD NOT send to the device TCP packets requiring segmentation offload which have the Explicit Congestion Notification bit set, unless the VIRTIO_NET_F_HOST_ECN feature is negotiated, in which case the driver MUST set the VIRTIO_NET_HDR_GSO_ECN bit in gso_type.
If the VIRTIO_NET_F_CSUM feature has been negotiated, the driver MAY set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags, if so:
If none of the VIRTIO_NET_F_HOST_TSO4, TSO6 or UFO options have been negotiated, the driver MUST set gso_type to VIRTIO_NET_HDR_GSO_NONE.
If gso_type differs from VIRTIO_NET_HDR_GSO_NONE, then the driver MUST also set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags and MUST set gso_size to indicate the desired MSS.
If one of the VIRTIO_NET_F_HOST_TSO4, TSO6 or UFO options have been negotiated, the driver SHOULD set hdr_len to a value not less than the length of the headers, including the transport header.
The driver MUST NOT set the VIRTIO_NET_HDR_F_DATA_VALID and VIRTIO_NET_HDR_F_RSC_INFO bits in flags.
If VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags is not set, the device MUST NOT use the csum_start and csum_offset.
If one of the VIRTIO_NET_F_HOST_TSO4, TSO6 or UFO options have been negotiated, the device MAY use hdr_len only as a hint about the transport header size. The device MUST NOT rely on hdr_len to be correct. Note: This is due to various bugs in implementations.
If VIRTIO_NET_HDR_F_NEEDS_CSUM is not set, the device MUST NOT rely on the packet checksum being correct.
The normal behavior in this interrupt handler is to retrieve used buffers from the virtqueue and free the corresponding headers and packets.
It is generally a good idea to keep the receive virtqueue as fully populated as possible: if it runs out, network performance will suffer.
If the VIRTIO_NET_F_GUEST_TSO4, VIRTIO_NET_F_GUEST_TSO6 or VIRTIO_NET_F_GUEST_UFO features are used, the maximum incoming packet will be to 65550 bytes long (the maximum size of a TCP or UDP packet, plus the 14 byte ethernet header), otherwise 1514 bytes. The 12-byte struct virtio_net_hdr is prepended to this, making for 65562 or 1526 bytes.
If VIRTIO_NET_F_MQ is negotiated, each of receiveq1…receiveqN that will be used SHOULD be populated with receive buffers.
The device MUST use only a single descriptor if VIRTIO_NET_F_MRG_RXBUF was not negotiated. Note: This means that num_buffers will always be 1 if VIRTIO_NET_F_MRG_RXBUF is not negotiated.
When a packet is copied into a buffer in the receiveq, the optimal path is to disable further used buffer notifications for the receiveq and process packets until no more are found, then re-enable them.
Processing incoming packets involves:
Additionally, VIRTIO_NET_F_GUEST_CSUM, TSO4, TSO6, UDP and ECN features enable receive checksum, large receive offload and ECN support which are the input equivalents of the transmit checksum, transmit segmentation offloading and ECN features, as described in 5.1.6.2:
If VIRTIO_NET_F_MRG_RXBUF has been negotiated, the device MUST set num_buffers to indicate the number of buffers the packet (including the header) is spread over.
If a receive packet is spread over multiple buffers, the device MUST use all buffers but the last (i.e. the first numbuffers− 1 buffers) completely up to the full length of each buffer supplied by the driver.
The device MUST use all buffers used by a single receive packet together, such that at least num_buffers are observed by driver as used.
If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags to zero and SHOULD supply a fully checksummed packet to the driver.
If VIRTIO_NET_F_GUEST_TSO4 is not negotiated, the device MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV4.
If VIRTIO_NET_F_GUEST_UDP is not negotiated, the device MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_UDP.
If VIRTIO_NET_F_GUEST_TSO6 is not negotiated, the device MUST NOT set gso_type to VIRTIO_NET_HDR_GSO_TCPV6.
The device SHOULD NOT send to the driver TCP packets requiring segmentation offload which have the Explicit Congestion Notification bit set, unless the VIRTIO_NET_F_GUEST_ECN feature is negotiated, in which case the device MUST set the VIRTIO_NET_HDR_GSO_ECN bit in gso_type.
If the VIRTIO_NET_F_GUEST_CSUM feature has been negotiated, the device MAY set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags, if so:
If none of the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options have been negotiated, the device MUST set gso_type to VIRTIO_NET_HDR_GSO_NONE.
If gso_type differs from VIRTIO_NET_HDR_GSO_NONE, then the device MUST also set the VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags MUST set gso_size to indicate the desired MSS. If VIRTIO_NET_F_RSC_EXT was negotiated, the device MUST also set VIRTIO_NET_HDR_F_RSC_INFO bit in flags, set csum_start to number of coalesced TCP segments and set csum_offset to number of received duplicated ACK segments.
If VIRTIO_NET_F_RSC_EXT was not negotiated, the device MUST not set VIRTIO_NET_HDR_F_RSC_INFO bit in flags.
If one of the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options have been negotiated, the device SHOULD set hdr_len to a value not less than the length of the headers, including the transport header.
If the VIRTIO_NET_F_GUEST_CSUM feature has been negotiated, the device MAY set the VIRTIO_NET_HDR_F_DATA_VALID bit in flags, if so, the device MUST validate the packet checksum (in case of multiple encapsulated protocols, one level of checksums is validated).
If VIRTIO_NET_HDR_F_NEEDS_CSUM bit in flags is not set or if VIRTIO_NET_HDR_F_RSC_INFO bit flags is set, the driver MUST NOT use the csum_start and csum_offset.
If one of the VIRTIO_NET_F_GUEST_TSO4, TSO6 or UFO options have been negotiated, the driver MAY use hdr_len only as a hint about the transport header size. The driver MUST NOT rely on hdr_len to be correct. Note: This is due to various bugs in implementations.
If neither VIRTIO_NET_HDR_F_NEEDS_CSUM nor VIRTIO_NET_HDR_F_DATA_VALID is set, the driver MUST NOT rely on the packet checksum being correct.
The driver uses the control virtqueue (if VIRTIO_NET_F_CTRL_VQ is negotiated) to send commands to manipulate various features of the device which would not easily map into the configuration space.
All commands are of the following form:
The class, command and command-specific-data are set by the driver, and the device sets the ack byte. There is little it can do except issue a diagnostic if ack is not VIRTIO_NET_OK.
If the VIRTIO_NET_F_CTRL_RX_EXTRA feature has been negotiated, the device MUST support the following VIRTIO_NET_CTRL_RX class commands:
If the VIRTIO_NET_F_CTRL_RX_EXTRA feature has not been negotiated, the driver MUST NOT issue commands VIRTIO_NET_CTRL_RX_ALLUNI, VIRTIO_NET_CTRL_RX_NOMULTI, VIRTIO_NET_CTRL_RX_NOUNI or VIRTIO_NET_CTRL_RX_NOBCAST.
The device can filter incoming packets by any number of destination MAC addresses10. This table is set using the class VIRTIO_NET_CTRL_MAC and the command VIRTIO_NET_CTRL_MAC_TABLE_SET. The command-specific-data is two variable length tables of 6-byte MAC addresses (as described in struct virtio_net_ctrl_mac). The first table contains unicast addresses, and the second contains multicast addresses.
The VIRTIO_NET_CTRL_MAC_ADDR_SET command is used to set the default MAC address which rx filtering accepts (and if VIRTIO_NET_F_MAC_ADDR has been negotiated, this will be reflected in mac in config space).
The command-specific-data for VIRTIO_NET_CTRL_MAC_ADDR_SET is the 6-byte MAC address.
The device MUST update the MAC filtering table before it consumes the VIRTIO_NET_CTRL_MAC_TABLE_SET command.
The device MUST update mac in config space before it consumes the VIRTIO_NET_CTRL_MAC_ADDR_SET command, if VIRTIO_NET_F_MAC_ADDR has been negotiated.
The device SHOULD drop incoming packets which have a destination MAC which matches neither the mac (or that set with VIRTIO_NET_CTRL_MAC_ADDR_SET) nor the MAC filtering table.
If VIRTIO_NET_F_CTRL_RX has been negotiated, the driver SHOULD issue VIRTIO_NET_CTRL_MAC_ADDR_SET to set the default mac if it is different from mac.
The driver MUST follow the VIRTIO_NET_CTRL_MAC_TABLE_SET command by a le32 number, followed by that number of non-multicast MAC addresses, followed by another le32 number, followed by that number of multicast addresses. Either number MAY be 0.
Legacy drivers that didn’t negotiate VIRTIO_NET_F_CTRL_MAC_ADDR changed mac in config space when NIC is accepting incoming packets. These drivers always wrote the mac value from first to last byte, therefore after detecting such drivers, a transitional device MAY defer MAC update, or MAY defer processing incoming packets until driver writes the last byte of mac in the config space.
Both the VIRTIO_NET_CTRL_VLAN_ADD and VIRTIO_NET_CTRL_VLAN_DEL command take a little-endian 16-bit VLAN id as the command-specific-data.
The driver checks VIRTIO_NET_S_ANNOUNCE bit in the device configuration status field when it notices the changes of device configuration. The command VIRTIO_NET_CTRL_ANNOUNCE_ACK is used to indicate that driver has received the notification and device clears the VIRTIO_NET_S_ANNOUNCE bit in status.
Processing this notification involves:
Multiqueue is disabled by default. The driver enables multiqueue by executing the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command, specifying the number of the transmit and receive queues to be used up to max_virtqueue_pairs; subsequently, transmitq1…transmitqn and receiveq1…receiveqn where n=virtqueue_pairs MAY be used.
When multiqueue is enabled, the device MUST use automatic receive steering based on packet flow. Programming of the receive steering classificator is implicit. After the driver transmitted a packet of a flow on transmitqX, the device SHOULD cause incoming packets for that flow to be steered to receiveqX. For uni-directional protocols, or where no packets have been transmitted yet, the device MAY steer a packet to a random queue out of the specified receiveq1…receiveqn.
Multiqueue is disabled by setting virtqueue_pairs to 1 (this is the default) and waiting for the device to use the command buffer.
The driver MUST NOT request a virtqueue_pairs of 0 or greater than max_virtqueue_pairs in the device configuration space.
The driver MUST queue packets only on any transmitq1 before the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command.
The driver MUST NOT queue packets on transmit queues greater than virtqueue_pairs once it has placed the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command in the available ring.
The device MUST NOT queue packets on receive queues greater than virtqueue_pairs once it has placed the VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command in a used buffer.
The class VIRTIO_NET_CTRL_GUEST_OFFLOADS has one command: VIRTIO_NET_CTRL_GUEST_OFFLOADS_SET applies the new offloads configuration.
le64 value passed as command data is a bitmask, bits set define offloads to be enabled, bits cleared - offloads to be disabled.
There is a corresponding device feature for each offload. Upon feature negotiation corresponding offload gets enabled to preserve backward compartibility.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST use a single descriptor for the struct virtio_net_hdr on both transmit and receive, with the network data in the following descriptors.
Additionally, when using the control virtqueue (see 5.1.6.5) , transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST:
See 2.6.4.
The virtio block device is a simple virtual block device (ie. disk). Read and write requests (and other exotic requests) are placed in the queue, and serviced (probably out of order) by the device except where noted.
The capacity of the device (expressed in 512-byte sectors) is always present. The availability of the others all depend on various feature bits as indicated above.
The parameters in the configuration space of the device max_discard_sectors discard_sector_alignment are expressed in 512-byte units if the VIRTIO_BLK_F_DISCARD feature bit is negotiated. The max_write_zeroes_sectors is expressed in 512-byte units if the VIRTIO_BLK_F_WRITE_ZEROES feature bit is negotiated.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_blk_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
Drivers SHOULD NOT negotiate VIRTIO_BLK_F_FLUSH if they are incapable of sending VIRTIO_BLK_T_FLUSH commands.
If neither VIRTIO_BLK_F_CONFIG_WCE nor VIRTIO_BLK_F_FLUSH are negotiated, the driver MAY deduce the presence of a writethrough cache. If VIRTIO_BLK_F_CONFIG_WCE was not negotiated but VIRTIO_BLK_F_FLUSH was, the driver SHOULD assume presence of a writeback cache.
The driver MUST NOT read writeback before setting the FEATURES_OK device status bit.
Devices SHOULD always offer VIRTIO_BLK_F_FLUSH, and MUST offer it if they offer VIRTIO_BLK_F_CONFIG_WCE.
If VIRTIO_BLK_F_CONFIG_WCE is negotiated but VIRTIO_BLK_F_FLUSH is not, the device MUST initialize writeback to 0.
The device MUST initialize padding bytes unused0 and unused1 to 0.
Because legacy devices do not have FEATURES_OK, transitional devices MUST implement slightly different behavior around feature negotiation when used through the legacy interface. In particular, when using the legacy interface:
The driver queues requests to the virtqueue, and they are used by the device (not necessarily in order). Each request is of form:
The type of the request is either a read (VIRTIO_BLK_T_IN), a write (VIRTIO_BLK_T_OUT), a discard (VIRTIO_BLK_T_DISCARD), a write zeroes (VIRTIO_BLK_T_WRITE_ZEROES) or a flush (VIRTIO_BLK_T_FLUSH).
The sector number indicates the offset (multiplied by 512) where the read or write is to occur. This field is unused and set to 0 for commands other than read or write.
VIRTIO_BLK_T_IN requests populate data with the contents of sectors read from the block device (in multiples of 512 bytes). VIRTIO_BLK_T_OUT requests write the contents of data to the block device (in multiples of 512 bytes).
The data used for discard or write zeroes commands consists of one or more segments. The maximum number of segments is max_discard_seg for discard commands and max_write_zeroes_seg for write zeroes commands. Each segment is of form:
sector indicates the starting offset (in 512-byte units) of the segment, while num_sectors indicates the number of sectors in each discarded range. unmap is only used in write zeroes commands and allows the device to discard the specified range, provided that following reads return zeroes.
The final status byte is written by the device: either VIRTIO_BLK_S_OK for success, VIRTIO_BLK_S_IOERR for device or driver error or VIRTIO_BLK_S_UNSUPP for a request unsupported by device:
The status of individual segments is indeterminate when a discard or write zero command produces VIRTIO_BLK_S_IOERR. A segment may have completed successfully, failed, or not been processed by the device.
A driver MUST NOT submit a request which would cause a read or write beyond capacity.
A driver SHOULD accept the VIRTIO_BLK_F_RO feature if offered.
A driver MUST set sector to 0 for a VIRTIO_BLK_T_FLUSH request. A driver SHOULD NOT include any data in a VIRTIO_BLK_T_FLUSH request.
The length of data MUST be a multiple of 512 bytes for VIRTIO_BLK_T_IN and VIRTIO_BLK_T_OUT requests.
The length of data MUST be a multiple of the size of struct virtio_blk_discard_write_zeroes for VIRTIO_BLK_T_DISCARD and VIRTIO_BLK_T_WRITE_ZEROES requests.
VIRTIO_BLK_T_DISCARD requests MUST NOT contain more than max_discard_seg struct virtio_blk_discard_write_zeroes segments in data.
VIRTIO_BLK_T_WRITE_ZEROES requests MUST NOT contain more than max_write_zeroes_seg struct virtio_blk_discard_write_zeroes segments in data.
If the VIRTIO_BLK_F_CONFIG_WCE feature is negotiated, the driver MAY switch to writethrough or writeback mode by writing respectively 0 and 1 to the writeback field. After writing a 0 to writeback, the driver MUST NOT assume that any volatile writes have been committed to persistent device backend storage.
The unmap bit MUST be zero for discard commands. The driver MUST NOT assume anything about the data returned by read requests after a range of sectors has been discarded.
A driver MUST NOT assume that individual segments in a multi-segment VIRTIO_BLK_T_DISCARD or VIRTIO_BLK_T_WRITE_ZEROES request completed successfully, failed, or were processed by the device at all if the request failed with VIRTIO_BLK_S_IOERR.
A device MUST set the status byte to VIRTIO_BLK_S_IOERR for a write request if the VIRTIO_BLK_F_RO feature if offered, and MUST NOT write any data.
The device MUST set the status byte to VIRTIO_BLK_S_UNSUPP for discard and write zeroes commands if any unknown flag is set. Furthermore, the device MUST set the status byte to VIRTIO_BLK_S_UNSUPP for discard commands if the unmap flag is set.
For discard commands, the device MAY deallocate the specified range of sectors in the device backend storage.
For write zeroes commands, if the unmap is set, the device MAY deallocate the specified range of sectors in the device backend storage, as if the discard command had been sent. After a write zeroes command is completed, reads of the specified ranges of sectors MUST return zeroes. This is true independent of whether unmap was set or clear.
The device SHOULD clear the write_zeroes_may_unmap field of the virtio configuration space if and only if a write zeroes request cannot result in deallocating one or more sectors. The device MAY change the content of the field during operation of the device; when this happens, the device SHOULD trigger a configuration change notification.
A write is considered volatile when it is submitted; the contents of sectors covered by a volatile write are undefined in persistent device backend storage until the write becomes stable. A write becomes stable once it is completed and one or more of the following conditions is true:
If the device is backed by persistent storage, the device MUST ensure that stable writes are committed to it, before reporting completion of the write (cases 1 and 2) or the flush (case 3). Failure to do so can cause data loss in case of a crash.
If the driver changes writeback between the submission of the write and its completion, the write could be either volatile or stable when its completion is reported; in other words, the exact behavior is undefined.
If VIRTIO_BLK_F_FLUSH was not offered by the device12, the device MAY also commit writes to persistent device backend storage before reporting their completion. Unlike case 1, however, this is not an absolute requirement of the specification. Note: An implementation that does not offer VIRTIO_BLK_F_FLUSH and does not commit completed writes will not be resilient to data loss in case of crashes. Not offering VIRTIO_BLK_F_FLUSH is an absolute requirement for implementations that do not wish to be safe against such data losses.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_blk_req according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
When using the legacy interface, transitional drivers SHOULD ignore the used length values. Note: Historically, some devices put the total descriptor length, or the total length of device-writable buffers there, even when only the status byte was actually written.
The reserved field was previously called ioprio. ioprio is a hint about the relative priorities of requests to the device: higher numbers indicate more important requests.
The command VIRTIO_BLK_T_FLUSH_OUT was a synonym for VIRTIO_BLK_T_FLUSH; a driver MUST treat it as a VIRTIO_BLK_T_FLUSH command.
If the device has VIRTIO_BLK_F_BARRIER feature the high bit (VIRTIO_BLK_T_BARRIER) indicates that this request acts as a barrier and that all preceding requests SHOULD be complete before this one, and all following requests SHOULD NOT be started until this is complete. Note: A barrier does not flush caches in the underlying backend device in host, and thus does not serve as data consistency guarantee. Only a VIRTIO_BLK_T_FLUSH request does that.
Some older legacy devices did not commit completed writes to persistent device backend storage when VIRTIO_BLK_F_FLUSH was offered but not negotiated. In order to work around this, the driver MAY set the writeback to 0 (if available) or it MAY send an explicit flush request after every completed write.
If the device has VIRTIO_BLK_F_SCSI feature, it can also support scsi packet command requests, each of these requests is of form:
A request type can also be a scsi packet command (VIRTIO_BLK_T_SCSI_CMD or VIRTIO_BLK_T_SCSI_CMD_OUT). The two types are equivalent, the device does not distinguish between them:
The cmd field is only present for scsi packet command requests, and indicates the command to perform. This field MUST reside in a single, separate device-readable buffer; command length can be derived from the length of this buffer.
Note that these first three (four for scsi packet commands) fields are always device-readable: data is either device-readable or device-writable, depending on the request. The size of the read or write can be derived from the total size of the request buffers.
sense is only present for scsi packet command requests, and indicates the buffer for scsi sense data.
data_len is only present for scsi packet command requests, this field is deprecated, and SHOULD be ignored by the driver. Historically, devices copied data length there.
sense_len is only present for scsi packet command requests and indicates the number of bytes actually written to the sense buffer.
residual field is only present for scsi packet command requests and indicates the residual size, calculated as data length - number of bytes actually transferred.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT:
See 2.6.4.
The virtio console device is a simple device for data input and output. A device MAY have one or more ports. Each port has a pair of input and output virtqueues. Moreover, a device has a pair of control IO virtqueues. The control virtqueues are used to communicate information between the device and the driver about ports being opened and closed on either side of the connection, indication from the device about whether a particular port is a console port, adding new ports, port hot-plug/unplug, etc., and indication from the driver about whether a port or a device was successfully added, port open/close, etc. For data IO, one or more empty buffers are placed in the receive queue for incoming data and outgoing characters are placed in the transmit queue.
The port 0 receive and transmit queues always exist: other queues only exist if VIRTIO_CONSOLE_F_MULTIPORT is set.
The size of the console is supplied in the configuration space if the VIRTIO_CONSOLE_F_SIZE feature is set. Furthermore, if the VIRTIO_CONSOLE_F_MULTIPORT feature is set, the maximum number of ports supported by the device can be fetched.
If VIRTIO_CONSOLE_F_EMERG_WRITE is set then the driver can use emergency write to output a single character without initializing virtio queues, or even acknowledging the feature.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_console_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
The device MUST allow a write to emerg_wr, even on an unconfigured device.
The device SHOULD transmit the lower byte written to emerg_wr to an appropriate log or output method.
The driver MUST NOT put a device-readable in a receiveq. The driver MUST NOT put a device-writable buffer in a transmitq.
If the driver negotiated the VIRTIO_CONSOLE_F_MULTIPORT, the two control queues are used to manipulate the different console ports: the control receiveq for messages from the device to the driver, and the control sendq for driver-to-device messages. The layout of the control messages is:
The values for event are:
The device MUST NOT specify a port in VIRTIO_CONSOLE_DEVICE_REMOVE which has not been created with a previous VIRTIO_CONSOLE_DEVICE_ADD.
Upon receipt of a VIRTIO_CONSOLE_CONSOLE_PORT message, the driver SHOULD treat the port in a manner suitable for text console access and MUST respond with a VIRTIO_CONSOLE_PORT_OPEN message, which MUST have value set to 1.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_console_control according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
When using the legacy interface, the driver SHOULD ignore the used length values for the transmit queues and the control transmitq. Note: Historically, some devices put the total descriptor length there, even though no data was actually written.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST use only a single descriptor for all buffers in the control receiveq and control transmitq.
The virtio entropy device supplies high-quality randomness for guest use.
When the driver requires random bytes, it places the descriptor of one or more buffers in the queue. It will be completely filled by random data by the device.
The driver MUST NOT place driver-readable buffers into the queue.
The driver MUST examine the length written by the device to determine how many random bytes were received.
The device MUST place one or more random bytes into the buffer, but it MAY use less than the entire buffer length.
This is the traditional balloon device. The device number 13 is reserved for a new memory balloon interface, with different semantics, which is expected in a future version of the standard.
The traditional virtio memory balloon device is a primitive device for managing guest memory: the device asks for a certain amount of memory, and the driver supplies it (or withdraws it, if the device has more than it asks for). This allows the guest to adapt to changes in allowance of underlying physical memory. If the feature is negotiated, the device can also be used to communicate guest memory statistics to the host.
Virtqueue 2 only exists if VIRTIO_BALLON_F_STATS_VQ set.
The driver SHOULD accept the VIRTIO_BALLOON_F_MUST_TELL_HOST feature if offered by the device.
If the device offers the VIRTIO_BALLOON_F_MUST_TELL_HOST feature bit, and if the driver did not accept this feature bit, the device MAY signal failure by failing to set FEATURES_OK device status bit when the driver writes it.
Both fields of this configuration are always available.
The device initialization process is outlined below:
The device is driven either by the receipt of a configuration change notification, or by changing guest memory needs, such as performing memory compaction or responding to out of memory conditions.
The driver SHOULD supply pages to the balloon when num_pages is greater than the actual number of pages in the balloon.
The driver MAY use pages from the balloon when num_pages is less than the actual number of pages in the balloon.
The driver MAY supply pages to the balloon when num_pages is greater than or equal to the actual number of pages in the balloon.
If VIRTIO_BALLOON_F_DEFLATE_ON_OOM has not been negotiated, the driver MUST NOT use pages from the balloon when num_pages is less than or equal to the actual number of pages in the balloon.
If VIRTIO_BALLOON_F_DEFLATE_ON_OOM has been negotiated, the driver MAY use pages from the balloon when num_pages is less than or equal to the actual number of pages in the balloon if this is required for system stability (e.g. if memory is required by applications running within the guest).
The driver MUST use the deflateq to inform the device of pages that it wants to use from the balloon.
If the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is negotiated, the driver MUST NOT use pages from the balloon until the device has acknowledged the deflate request.
Otherwise, if the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is not negotiated, the driver MAY begin to re-use pages previously given to the balloon before the device has acknowledged the deflate request.
In any case, the driver MUST NOT use pages from the balloon after adding the pages to the balloon, but before the device has acknowledged the inflate request.
The driver MUST NOT request deflation of pages in the balloon before the device has acknowledged the inflate request.
The driver MUST update actual after changing the number of pages in the balloon.
The driver MAY update actual once after multiple inflate and deflate operations.
The device MAY modify the contents of a page in the balloon after detecting its physical number in an inflate request and before acknowledging the inflate request by using the inflateq descriptor.
If the VIRTIO_BALLOON_F_MUST_TELL_HOST feature is negotiated, the device MAY modify the contents of a page in the balloon after detecting its physical number in an inflate request and before detecting its physical number in a deflate request and acknowledging the deflate request.
When using the legacy interface, the driver MUST write out all 4 bytes each time it updates the actual value in the configuration space, using a single atomic operation.
When using the legacy interface, the device SHOULD NOT use the actual value written by the driver in the configuration space, until the last, most-significant byte of the value has been written. Note: Historically, devices used the actual value, even though when using Virtio Over PCI Bus the device-specific configuration space was not guaranteed to be atomic. Using intermediate values during update by driver is best avoided, except for debugging.
Historically, drivers using Virtio Over PCI Bus wrote the actual value by using multiple single-byte writes in order, from the least-significant to the most-significant value.
The stats virtqueue is atypical because communication is driven by the device (not the driver). The channel becomes active at driver initialization time when the driver adds an empty buffer and notifies the device. A request for memory statistics proceeds as follows:
Within the buffer, statistics are an array of 6-byte entries. Each statistic consists of a 16 bit tag and a 64 bit value. All statistics are optional and the driver chooses which ones to supply. To guarantee backwards compatibility, devices omit unsupported statistics.
The driver MUST make at most one buffer available to the device in the statsq, at all times.
After initializing the device, the driver MUST make an output buffer available in the statsq.
Upon detecting that device has used a buffer in the statsq, the driver MUST make an output buffer available in the statsq.
Before making an output buffer available in the statsq, the driver MUST initialize it, including one struct virtio_balloon_stat entry for each statistic that it supports.
Driver MUST use an output buffer size which is a multiple of 6 bytes for all buffers submitted to the statsq.
Driver MAY supply struct virtio_balloon_stat entries in the output buffer submitted to the statsq in any order, without regard to tag values.
Driver MAY supply a subset of all statistics in the output buffer submitted to the statsq.
Driver MUST supply the same subset of statistics in all buffers submitted to the statsq.
Within an output buffer submitted to the statsq, the device MUST ignore entries with tag values that it does not recognize.
Within an output buffer submitted to the statsq, the device MUST accept struct virtio_balloon_stat entries in any order without regard to tag values.
When using the legacy interface, the device SHOULD ignore all values in the first buffer in the statsq supplied by the driver after device initialization. Note: Historically, drivers supplied an uninitialized buffer in the first buffer.
The virtio SCSI host device groups together one or more virtual logical units (such as disks), and allows communicating to them using the SCSI protocol. An instance of the device represents a SCSI host to which many targets and LUNs are attached.
The virtio SCSI device services two kinds of requests:
The device is also able to send out notifications about added and removed logical units. Together, these capabilities provide a SCSI transport protocol that uses virtqueues as the transfer medium. In the transport protocol, the virtio driver acts as the initiator, while the virtio SCSI host provides one or more targets that receive and process the requests.
This section relies on definitions from SAM.
All fields of this configuration are always available.
The driver MUST NOT write to device configuration fields other than sense_size and cdb_size.
The driver MUST NOT send more than cmd_per_lun linked commands to one LUN, and MUST NOT send more than the virtqueue size number of linked commands to one LUN.
On reset, the device MUST set sense_size to 96 and cdb_size to 32.
When using the legacy interface, transitional devices and drivers MUST format the fields in struct virtio_scsi_config according to the native endian of the guest rather than (necessarily when not using the legacy interface) little-endian.
On initialization the driver SHOULD first discover the device’s virtqueues.
If the driver uses the eventq, the driver SHOULD place at least one buffer in the eventq.
The driver MAY immediately issue requests16 or task management functions17.
Device operation consists of operating request queues, the control queue and the event queue.
The driver queues requests to an arbitrary request queue, and they are used by the device on that same queue. It is the responsibility of the driver to ensure strict request ordering for commands placed on different queues, because they will be consumed with no order constraints.
Requests have the following format:
lun addresses the REPORT LUNS well-known logical unit, or a target and logical unit in the virtio-scsi device’s SCSI domain. When used to address the REPORT LUNS logical unit, lun is 0xC1, 0x01 and six zero bytes. The virtio-scsi device SHOULD implement the REPORT LUNS well-known logical unit.
When used to address a target and logical unit, the only supported format for lun is: first byte set to 1, second byte set to target, third and fourth byte representing a single level LUN structure, followed by four zero bytes. With this representation, a virtio-scsi device can serve up to 256 targets and 16384 LUNs per target. The device MAY also support having a well-known logical units in the third and fourth byte.
id is the command identifier (“tag”).
task_attr defines the task attribute as in the table above, but all task attributes MAY be mapped to SIMPLE by the device. Some commands are defined by SCSI standards as "implicit head of queue"; for such commands, all task attributes MAY also be mapped to HEAD OF QUEUE. Drivers and applications SHOULD NOT send a command with the ORDERED task attribute if the command has an implicit HEAD OF QUEUE attribute, because whether the ORDERED task attribute is honored is vendor-specific.
crn may also be provided by clients, but is generally expected to be 0. The maximum CRN value defined by the protocol is 255, since CRN is stored in an 8-bit integer.
The CDB is included in cdb and its size, cdb_size, is taken from the configuration space.
All of these fields are defined in SAM and are always device-readable.
pi_bytesout determines the size of the pi_out field in bytes. If it is nonzero, the pi_out field contains outgoing protection information for write operations. pi_bytesin determines the size of the pi_in field in the device-writable section, in bytes. All three fields are only present if VIRTIO_SCSI_F_T10_PI has been negotiated.
The remainder of the device-readable part is the data output buffer, dataout.
sense and subsequent fields are always device-writable. sense_len indicates the number of bytes actually written to the sense buffer.
residual indicates the residual size, calculated as “data_length - number_of_transferred_bytes”, for read or write operations. For bidirectional commands, the number_of_transferred_bytes includes both read and written bytes. A residual that is less than the size of datain means that dataout was processed entirely. A residual that exceeds the size of datain means that dataout was processed partially and datain was not processed at all.
If the pi_bytesin is nonzero, the pi_in field contains incoming protection information for read operations. pi_in is only present if VIRTIO_SCSI_F_T10_PI has been negotiated18.
The remainder of the device-writable part is the data input buffer, datain.
The device MUST write the response byte as one of the following:
All commands must be completed before the virtio-scsi device is reset or unplugged. The device MAY choose to abort them, or if it does not do so MUST pick the VIRTIO_SCSI_S_FAILURE response.
Upon receiving a VIRTIO_SCSI_S_TARGET_FAILURE response, the driver SHOULD NOT retry the request on other paths.
The controlq is used for other SCSI transport operations. Requests have the following format:
The type identifies the remaining fields.
The following commands are defined:
The type is VIRTIO_SCSI_T_TMF; subtype defines which task management function. All fields except response are filled by the driver.
Other fields which are irrelevant for the requested TMF are ignored but they are still present. lun is in the same format specified for request queues; the single level LUN is ignored when the task management function addresses a whole I_T nexus. When relevant, the value of id is matched against the id values passed on the requestq.
The outcome of the task management function is written by the device in response. The command-specific response values map 1-to-1 with those defined in SAM.
Task management function can affect the response value for commands that are in the request queue and have not been completed yet. For example, the device MUST complete all active commands on a logical unit or target (possibly with a VIRTIO_SCSI_S_RESET response code) upon receiving a "logical unit reset" or "I_T nexus reset" TMF. Similarly, the device MUST complete the selected commands (possibly with a VIRTIO_SCSI_S_ABORTED response code) upon receiving an "abort task" or "abort task set" TMF. Such effects MUST take place before the TMF itself is successfully completed, and the device MUST use memory barriers appropriately in order to ensure that the driver sees these writes in the correct order.
By sending this command, the driver asks the device which events the given LUN can report, as described in paragraphs 6.6 and A.6 of SCSI MMC. The driver writes the events it is interested in into event_requested; the device responds by writing the events that it supports into event_actual.
The type is VIRTIO_SCSI_T_AN_QUERY. lun and event_requested are written by the driver. event_actual and response fields are written by the device.
No command-specific values are defined for the response byte.
By sending this command, the driver asks the specified LUN to report events for its physical interface, again as described in SCSI MMC. The driver writes the events it is interested in into event_requested; the device responds by writing the events that it supports into event_actual.
Event types are the same as for the asynchronous notification query message.
The type is VIRTIO_SCSI_T_AN_SUBSCRIBE. lun and event_requested are written by the driver. event_actual and response are written by the device.
No command-specific values are defined for the response byte.
The eventq is populated by the driver for the device to report information on logical units that are attached to it. In general, the device will not queue events to cope with an empty eventq, and will end up dropping events if it finds no buffer ready. However, when reporting events for many LUNs (e.g. when a whole target disappears), the device can throttle events to avoid dropping them. For this reason, placing 10-15 buffers on the event queue is sufficient.
Buffers returned by the device on the eventq will be referred to as “events” in the rest of this section. Events have the following format:
The devices sets bit 31 in event to report lost events due to missing buffers.
The meaning of reason depends on the contents of event. The following events are defined:
This event is fired in the following cases:
By sending this event, the device signals that a logical unit on a target has been reset, including the case of a new device appearing or disappearing on the bus. The device fills in all fields. event is set to VIRTIO_SCSI_T_TRANSPORT_RESET. lun addresses a logical unit in the SCSI host.
The reason value is one of the three #define values appearing above:
The “removed” and “rescan” events can happen when VIRTIO_SCSI_F_HOTPLUG feature was negotiated; when sent for LUN 0, they MAY apply to the entire target so the driver can ask the initiator to rescan the target to detect this.
Events will also be reported via sense codes (this obviously does not apply to newly appeared buses or targets, since the application has never discovered them):
The preferred way to detect transport reset is always to use events, because sense codes are only seen by the driver when it sends a SCSI command to the logical unit or target. However, in case events are dropped, the initiator will still be able to synchronize with the actual state of the controller if the driver asks the initiator to rescan of the SCSI bus. During the rescan, the initiator will be able to observe the above sense codes, and it will process them as if it the driver had received the equivalent event.
By sending this event, the device signals that an asynchronous event was fired from a physical interface.
All fields are written by the device. event is set to VIRTIO_SCSI_T_ASYNC_NOTIFY. lun addresses a logical unit in the SCSI host. reason is a subset of the events that the driver has subscribed to via the “Asynchronous notification subscription” command.
By sending this event, the device signals a change in the configuration parameters of a logical unit, for example the capacity or cache mode. event is set to VIRTIO_SCSI_T_PARAM_CHANGE. lun addresses a logical unit in the SCSI host.
The same event SHOULD also be reported as a unit attention condition. reason contains the additional sense code and additional sense code qualifier, respectively in bits 0…7 and 8…15. Note: For example, a change in capacity will be reported as asc 0x2a, ascq 0x09 (CAPACITY DATA HAS CHANGED).
For MMC devices (inquiry type 5) there would be some overlap between this event and the asynchronous notification event, so for simplicity the host never reports this event for MMC devices.
If event has bit 31 set, the driver SHOULD poll the logical units for unit attention conditions, and/or do whatever form of bus scan is appropriate for the guest operating system and SHOULD poll for asynchronous events manually using SCSI commands.
When receiving a VIRTIO_SCSI_T_TRANSPORT_RESET message with reason set to VIRTIO_SCSI_EVT_RESET_REMOVED or VIRTIO_SCSI_EVT_RESET_RESCAN for LUN 0, the driver SHOULD ask the initiator to rescan the target, in order to detect the case when an entire target has appeared or disappeared.
The device MUST NOT send VIRTIO_SCSI_T_TRANSPORT_RESET messages with reason set to VIRTIO_SCSI_EVT_RESET_REMOVED or VIRTIO_SCSI_EVT_RESET_RESCAN unless VIRTIO_SCSI_F_HOTPLUG was negotiated.
The device MUST NOT report VIRTIO_SCSI_T_PARAM_CHANGE for MMC devices.
When using legacy interfaces, transitional drivers which have not negotiated VIRTIO_F_ANY_LAYOUT MUST use a single descriptor for the lun, id, task_attr, prio, crn and cdb fields, and MUST only use a single descriptor for the sense_len, residual, status_qualifier, status, response and sense fields.
virtio-gpu is a virtio based graphics adapter. It can operate in 2D mode and in 3D (virgl) mode. 3D mode will offload rendering ops to the host gpu and therefore requires a gpu with 3D support on the host machine.
3D mode is not covered (yet) in this specification, even though it is mentioned here and there due to some details of the virtual hardware being designed with 3D mode in mind.
In 2D mode the virtio-gpu device provides support for ARGB Hardware cursors and multiple scanouts (aka heads).
Both queues have the same format. Each request and each response have a fixed header, followed by command specific data fields. The separate cursor queue is the "fast track" for cursor commands (VIRTIO_GPU_CMD_UPDATE_CURSOR and VIRTIO_GPU_CMD_MOVE_CURSOR), so they go though without being delayed by time-consuming commands in the control queue.
GPU device configuration uses the following layout structure and definitions:
The driver SHOULD query the display information from the device using the VIRTIO_GPU_CMD_GET_DISPLAY_INFO command and use that information for the initial scanout setup. In case no information is available or all displays are disabled the driver MAY choose to use a fallback, such as 1024x768 at display 0.
The virtio-gpu is based around the concept of resources private to the host, the guest must DMA transfer into these resources. This is a design requirement in order to interface with future 3D rendering. In the unaccelerated 2D mode there is no support for DMA transfers from resources, just to them.
Resources are initially simple 2D resources, consisting of a width, height and format along with an identifier. The guest must then attach backing store to the resources in order for DMA transfers to work. This is like a GART in a real GPU.
It is possible to create multiple framebuffers, flip between them using VIRTIO_GPU_CMD_SET_SCANOUT and VIRTIO_GPU_CMD_RESOURCE_FLUSH, and update the invisible framebuffer using VIRTIO_GPU_CMD_TRANSFER_TO_HOST_2D.
In case two or more displays are present there are different ways to configure things:
The device MAY process controlq commands asyncronously and return them to the driver before the processing is complete. If the driver needs to know when the processing is finished it can set the VIRTIO_GPU_FLAG_FENCE flag in the request. The device MUST finish the processing before returning the command then.
Note: current qemu implementation does asyncrounous processing only in 3d mode, when offloading the processing to the host gpu.
The mouse cursor image is a normal resource, except that it must be 64x64 in size. The driver MUST create and populate the resource (using the usual VIRTIO_GPU_CMD_RESOURCE_CREATE_2D, VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING and VIRTIO_GPU_CMD_TRANSFER_TO_HOST_2D controlq commands) and make sure they are completed (using VIRTIO_GPU_FLAG_FENCE).
Then VIRTIO_GPU_CMD_UPDATE_CURSOR can be sent to the cursorq to set the pointer shape and position. To move the pointer without updating the shape use VIRTIO_GPU_CMD_MOVE_CURSOR instead.
All requests and responses on the virt queues have a fixed header using the following layout structure and definitions:
The fixed header struct virtio_gpu_ctrl_hdr in each request includes the following fields:
On success the device will return VIRTIO_GPU_RESP_OK_NODATA in case there is no payload. Otherwise the type field will indicate the kind of payload.
On error the device will return one of the VIRTIO_GPU_RESP_ERR_* error codes.
For any coordinates given 0,0 is top left, larger x moves right, larger y moves down.
The response contains a list of per-scanout information. The info contains whether the scanout is enabled and what its preferred position and size is.
The size (fields width and height) is similar to the native panel resolution in EDID display information, except that in the virtual machine case the size can change when the host window representing the guest display is gets resized.
The position (fields x and y) describe how the displays are arranged (i.e. which is – for example – the left display).
The enabled field is set when the user enabled the display. It is roughly the same as the connected state of a phyiscal display connector.
The response contains the EDID display data blob (as specified by VESA) for the scanout.
This creates a 2D resource on the host with the specified width, height and format. The resource ids are generated by the guest.
This informs the host that a resource is no longer required by the guest.
This sets the scanout parameters for a single scanout. The resource_id is the resource to be scanned out from, along with a rectangle.
Scanout rectangles must be completely covered by the underlying resource. Overlapping (or identical) scanouts are allowed, typical use case is screen mirroring.
The driver can use resource_id = 0 to disable a scanout.
This flushes a resource to screen. It takes a rectangle and a resource id, and flushes any scanouts the resource is being used on.
This takes a resource id along with an destination offset into the resource, and a box to transfer to the host backing for the resource.
This assign an array of guest pages as the backing store for a resource. These pages are then used for the transfer operations for that resource from that point on.
This detaches any backing pages from a resource, to be used in case of guest swapping or object destruction.
Both cursorq commands use the same command struct.
Full cursor update. Cursor will be loaded from the specified resource_id and will be moved to pos. The driver must transfer the cursor into the resource beforehand (using control queue commands) and make sure the commands to fill the resource are actually processed (using fencing).
Move cursor to the place specified in pos. The other fields are not used and will be ignored by the device.
Applies to Virtio Over PCI only. The GPU device can come with and without VGA compatibility. The PCI class should be DISPLAY_VGA if VGA compatibility is present and DISPLAY_OTHER otherwise.
VGA compatibility: PCI region 0 has the linear framebuffer, standard vga registers are present. Configuring a scanout (VIRTIO_GPU_CMD_SET_SCANOUT) switches the device from vga compatibility mode into native virtio mode. A reset switches it back into vga compatibility mode.
Note: qemu implementation also provides bochs dispi interface io ports and mmio bar at pci region 1 and is therefore fully compatible with the qemu stdvga (see docs/specs/standard-vga.txt in the qemu source tree).
The virtio input device can be used to create virtual human interface devices such as keyboards, mice and tablets. An instance of the virtio device represents one such input device. Device behavior mirrors that of the evdev layer in Linux, making pass-through implementations on top of evdev easy.
This specification defines how evdev events are transported over virtio and how the set of supported events is discovered by a driver. It does not, however, define the semantics of input events as this is dependent on the particular evdev implementation. For the list of events used by Linux input devices, see include/uapi/linux/input-event-codes.h in the Linux source tree.
Device configuration holds all information the guest needs to handle the device, most importantly the events which are supported.
To query a specific piece of information the driver sets select and subsel accordingly, then checks size to see how much information is available. size can be zero if no information is available. Strings do not include a NUL terminator. Related evdev ioctl names are provided for reference.
Similar to EVIOCGNAME ioctl for Linux evdev devices.
Similar to EVIOCGID ioctl for Linux evdev devices.
Similar to EVIOCGPROP ioctl for Linux evdev devices.
Similar to EVIOCGBIT ioctl for Linux evdev devices.
Similar to EVIOCGABS ioctl for Linux evdev devices.
A driver MUST set both select and subsel when querying device configuration, in any order.
A driver MUST NOT write to configuration fields other than select and subsel.
A driver SHOULD check the size field before accessing the configuration information.
A device MUST set the size field to zero if it doesn’t support a given select and subsel combination.
A driver SHOULD keep the eventq populated with buffers. These buffers MUST be device-writable and MUST be at least the size of struct virtio_input_event.
Buffers placed into the statusq by a driver MUST be at least the size of struct virtio_input_event.
A driver SHOULD ignore eventq input events it does not recognize. Note that evdev devices generally maintain backward compatibility by sending redundant events and relying on the consuming side using only the events it understands and ignoring the rest.
A device MAY drop input events if the eventq does not have enough available buffers. It SHOULD NOT drop individual input events if they are part of a sequence forming one input device update. For example, a pointing device update typically consists of several input events, one for each axis, and a terminating EV_SYN event. A device SHOULD either buffer or drop the entire sequence.
The virtio crypto device is a virtual cryptography device as well as a virtual cryptographic accelerator. The virtio crypto device provides the following crypto services: CIPHER, MAC, HASH, and AEAD. Virtio crypto devices have a single control queue and at least one data queue. Crypto operation requests are placed into a data queue, and serviced by the device. Some crypto operation requests are only valid in the context of a session. The role of the control queue is facilitating control operation requests. Sessions management is realized with control operation requests.
Some crypto feature bits require other crypto feature bits (see 2.2.1):
The following crypto services are defined:
The above constants designate bits used to indicate the which of crypto services are offered by the device as described in, see 5.9.5.
The following CIPHER algorithms are defined:
The above constants have two usages:
The following HASH algorithms are defined:
The above constants have two usages:
The following MAC algorithms are defined:
The above constants have two usages:
The following AEAD algorithms are defined:
The above constants have two usages:
Crypto device configuration uses the following layout structure:
The operation of a virtio crypto device is driven by requests placed on the virtqueues. Requests consist of a queue-type specific header (specifying among others the operation) and an operation specific payload.
If VIRTIO_CRYPTO_F_REVISION_1 is negotiated the device may support both session mode (See 5.9.7.2.1) and stateless mode operation requests. In stateless mode all operation parameters are supplied as a part of each request, while in session mode, some or all operation parameters are managed within the session. Stateless mode is guarded by feature bits 0-4 on a service level. If stateless mode is negotiated for a service, the service accepts both session mode and stateless requests; otherwise stateless mode requests are rejected (via operation status).
The device MUST return a status code as part of the operation (both session operation and service operation) result. The valid operation status as follows:
The driver uses the control virtqueue to send control commands to the device, such as session operations (See 5.9.7.2.1).
The header for controlq is of the following form:
The controlq request is composed of four parts:
header is a general header (see above).
op_flf is the opcode (in header) specific fixed-length paramenters.
flf_len depends on the VIRTIO_CRYPTO_F_REVISION_1 feature bit (see below).
op_vlf is the opcode (in header) specific variable-length paramenters.
vlf_len is the size of the specific structure used. Note: The vlf_len of session-destroy operation and the hash-session-create operation is ZERO.
op_outcome stores the result of operation and must be struct virtio_crypto_destroy_session_input for destroy session or struct virtio_crypto_create_session_input for create session.
outcome_len is the size of the structure used.
The following structure stores the result of session creation set by the device:
A request to destroy a session includes the following information:
The length of auth_key is specified in auth_key_len in the struct virtio_crypto_mac_create_session_flf.
The fixed-length and the variable-length parameters of CIPHER session requests are as follows:
The length of cipher_key is specified in key_len in the struct virtio_crypto_cipher_session_flf.
The fixed-length and the variable-length parameters of Chain session requests are as follows:
hash_mode decides the type used by algo_flf.
algo_flf is fixed to 16 bytes and MUST contains or be one of the following types:
The data of unused part (if has) in algo_flf will be ignored.
The length of cipher_key is specified in key_len in cipher_hdr.
The length of auth_key is specified in auth_key_len in struct virtio_crypto_mac_create_session_flf.
The fixed-length parameters of Symmetric session requests are as follows:
op_flf is fixed to 48 bytes, MUST contains or be one of the following types:
The data of unused part (if has) in op_flf will be ignored.
op_type decides the type used by op_flf.
The variable-length parameters of Symmetric session requests are as follows:
op_vlf MUST contains or be one of the following types:
op_type in struct virtio_crypto_sym_create_session_flf decides the type used by op_vlf.
vlf_len is the size of the specific structure used.
The length of key is specified in key_len in struct virtio_crypto_aead_create_session_flf.
The driver uses the data virtqueues to transmit crypto operation requests to the device, and completes the crypto operations.
The header for dataq is as follows:
If VIRTIO_CRYPTO_F_REVISION_1 is negotiated
but VIRTIO_CRYPTO_F_ The dataq request is composed of four parts:
header is a general header (see above).
op_flf is the opcode (in header) specific header.
flf_len depends on the VIRTIO_CRYPTO_F_REVISION_1 feature bit (see
below).
op_vlf is the opcode (in header) specific parameters.
vlf_len is the size of the specific structure used.
inhdr is a unified input header that used to return the status of the operations, is
defined as follows:
Session mode HASH service requests are as follows:
Each data request uses the virtio_crypto_hash_data_flf structure and the
virtio_crypto_hash_data_vlf structure to store information used to run the HASH
operations.
src_data is the source data that will be processed. src_data_len is the length of
source data. hash_result is the result data and hash_result_len is the length of
it.
Stateless mode HASH service requests are as follows:
Session mode MAC service requests are as follows:
Each request uses the virtio_crypto_mac_data_flf structure and the
virtio_crypto_mac_data_vlf structure to store information used to run the MAC
operations.
src_data is the source data that will be processed. src_data_len is the length of
source data. hash_result is the result data and hash_result_len is the length of
it.
Stateless mode MAC service requests are as follows:
auth_key is the authenticated key that will be used during the process. auth_key_len
is the length of the key.
Session mode CIPHER service requests are as follows:
Session mode requests of algorithm chaining are as follows:
Session mode requests of symmetric algorithm are as follows:
Each request uses the virtio_crypto_sym_data_flf structure and the
virtio_crypto_sym_data_flf structure to store information used to run the CIPHER
operations.
op_type_flf is the op_type specific header, it MUST starts with or be one of the
following structures:
The length of op_type_flf is fixed to 40 bytes, the data of unused part (if has) will be
ingored.
op_type_vlf is the op_type specific parameters, it MUST starts with or be one of the
following structures:
sym_para_len is the size of the specific structure used.
Stateless mode CIPHER service requests are as follows:
Stateless mode requests of algorithm chaining are as follows:
Stateless mode requests of symmetric algorithm are as follows:
op_type_flf is the op_type specific header, it MUST starts with or be one of the
following structures:
The length of op_type_flf is fixed to 72 bytes, the data of unused part (if has) will be
ingored.
op_type_vlf is the op_type specific parameters, it MUST starts with or be one of the
following structures:
sym_para_len is the size of the specific structure used.
Session mode requests of symmetric algorithm are as follows:
Each request uses the virtio_crypto_aead_data_flf structure and the
virtio_crypto_aead_data_flf structure to store information used to run the AEAD
operations.
Stateless mode AEAD service requests are as follows:
The virtio socket device is a zero-configuration socket communications device. It
facilitates data transfer between the guest and device without using the Ethernet or
IP protocols.
There are currently no feature bits defined for this device.
Socket device configuration uses the following layout structure:
The guest_cid field contains the guest’s context ID, which uniquely identifies
the device for its lifetime. The upper 32 bits of the CID are reserved and
zeroed.
The following CIDs are reserved and cannot be used as the guest’s context
ID:
Packets transmitted or received contain a header before the payload:
The upper 32 bits of src_cid and dst_cid are reserved and zeroed.
Most packets simply transfer data but control packets are also used for connection
and buffer space management. op is one of the following operation constants:
The tx virtqueue carries packets initiated by applications and replies to received
packets. The rx virtqueue carries packets initiated by the device and replies to
previously transmitted packets.
If both rx and tx virtqueues are filled by the driver and device at the same time then
it appears that a deadlock is reached. The driver has no free tx descriptors to send
replies. The device has no free rx descriptors to send replies either. Therefore neither
device nor driver can process virtqueues since that may involve sending new
replies.
This is solved using additional resources outside the virtqueue to hold packets. With
additional resources, it becomes possible to process incoming packets even when
outgoing packets cannot be sent.
Eventually even the additional resources will be exhausted and further processing is
not possible until the other side processes the virtqueue that it has neglected. This
stop to processing prevents one side from causing unbounded resource consumption
in the other side.
Flows are identified by a (source, destination) address tuple. An address consists of a
(cid, port number) tuple. The header fields used for this are src_cid, src_port, dst_cid,
and dst_port.
Currently only stream sockets are supported. type is 1 for stream socket
types.
Stream sockets provide in-order, guaranteed, connection-oriented delivery without
message boundaries.
buf_alloc and fwd_cnt are used for buffer space management of stream sockets. The
guest and the device publish how much buffer space is available per socket. Only
payload bytes are counted and header bytes are not included. This facilitates flow
control so data is never dropped.
buf_alloc is the total receive buffer space, in bytes, for this socket. This includes both
free and in-use buffers. fwd_cnt is the free-running bytes received counter. The sender
calculates the amount of free receive buffer space as follows:
If there is insufficient buffer space, the sender waits until virtqueue
buffers are returned and checks buf_alloc and fwd_cnt again. Sending the
VIRTIO_VSOCK_OP_CREDIT_REQUEST packet queries how much buffer space is
available. The reply to this query is a VIRTIO_VSOCK_OP_CREDIT_UPDATE
packet. It is also valid to send a VIRTIO_VSOCK_OP_CREDIT_UPDATE packet
without previously receiving a VIRTIO_VSOCK_OP_CREDIT_REQUEST
packet. This allows communicating updates any time a change in buffer space
occurs.
All packets associated with a stream flow MUST contain valid information in
buf_alloc and fwd_cnt fields.
All packets associated with a stream flow MUST contain valid information in
buf_alloc and fwd_cnt fields.
The driver queues outgoing packets on the tx virtqueue and incoming packet receive
buffers on the rx virtqueue. Packets are of the following form:
Virtqueue buffers for outgoing packets are read-only. Virtqueue buffers for incoming
packets are write-only.
A VIRTIO_VSOCK_OP_RST reply MUST be sent if a packet is received with an
unknown type value.
A VIRTIO_VSOCK_OP_RST reply MUST be sent if a packet is received with an
unknown type value.
Connections are established by sending a VIRTIO_VSOCK_OP_REQUEST packet. If
a listening socket exists on the destination a VIRTIO_VSOCK_OP_RESPONSE reply
is sent and the connection is established. A VIRTIO_VSOCK_OP_RST reply is sent if
a listening socket does not exist on the destination or the destination has insufficient
resources to establish the connection.
When a connected socket receives VIRTIO_VSOCK_OP_SHUTDOWN the header
flags field bit 0 indicates that the peer will not receive any more data and
bit 1 indicates that the peer will not send any more data. These hints are
permanent once sent and successive packets with bits clear do not reset
them.
The VIRTIO_VSOCK_OP_RST packet aborts the connection process or forcibly
disconnects a connected socket.
Clean disconnect is achieved by one or more VIRTIO_VSOCK_OP_SHUTDOWN
packets that indicate no more data will be sent and received, followed by a
VIRTIO_VSOCK_OP_RST response from the peer. If no VIRTIO_VSOCK_OP_RST
response is received within an implementation-specific amount of time, a
VIRTIO_VSOCK_OP_RST packet is sent to forcibly disconnect the socket.
The clean disconnect process ensures that neither peer reuses the (source,
destination) address tuple for a new connection while the other peer is still processing
the old connection.
Certain events are communicated by the device to the driver using the event
virtqueue.
The event buffer is as follows:
The VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event indicates that
communication has been interrupted. This usually occurs if the guest has been
physically migrated. The driver shuts down established connections and the guest_cid
configuration field is fetched again. Existing listen sockets remain but their CID is
updated to reflect the current guest_cid.
The guest_cid configuration field MUST be fetched to determine the current CID
when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
Existing connections MUST be shut down when a VIRTIO_VSOCK_EVENT_TRANSPORT_RESET
event is received.
Listen connections MUST remain operational with the current CID when a
VIRTIO_VSOCK_EVENT_TRANSPORT_RESET event is received.
The virtio file system device provides file system access. The device either directly
manages a file system or it acts as a gateway to a remote file system. The details of
how the device implementation accesses files are hidden by the device interface,
allowing for a range of use cases.
Unlike block-level storage devices such as virtio block and SCSI, the virtio file system
device provides file-level access to data. The device interface is based on the Linux
Filesystem in Userspace (FUSE) protocol. This consists of requests for file system
traversal and access the files and directories within it. The protocol details are
defined by FUSE.
The device acts as the FUSE file system daemon and the driver acts as the FUSE
client mounting the file system. The virtio file system device provides the mechanism
for transporting FUSE requests, much like /dev/fuse in a traditional FUSE
application.
This section relies on definitions from FUSE.
There are currently no feature bits defined.
All fields of this configuration are always available.
The driver MUST NOT write to device configuration fields.
The driver MAY use from one up to num_queues virtqueues.
The device MUST set num_queues to 1 or greater.
On initialization the driver first discovers the device’s virtqueues. The FUSE session
is started by sending a FUSE_INIT request as defined by the FUSE protocol on one
request virtqueue. All virtqueues provide access to the same FUSE session and
therefore only one FUSE_INIT request is required regardless of the number of
available virtqueues.
Device operation consists of operating the virtqueues to facilitate file system
access.
The FUSE request types are as follows:
Note that FUSE notification requests are not supported.
The driver enqueues normal requests on an arbitrary request queue and they are
completed by the device on that same queue. The device processes requests in any
order. The driver is responsible for ensuring that ordering constraints are met by
making available a dependent request only after its prerequisite request has been
used.
Requests have the following format:
Note that the words "in" and "out" follow the FUSE meaning and do not indicate the
direction of data transfer under VIRTIO. "In" means input to a request and "out"
means output from processing a request.
in is the common header for all types of FUSE requests.
datain consists of request-specific data, if any. This is identical to the data read from
the /dev/fuse device by a FUSE daemon.
out is the completion header common to all types of FUSE requests.
dataout consists of request-specific data, if any. This is identical to the data written
to the /dev/fuse device by a FUSE daemon.
For example, the full layout of a FUSE_READ request is as follows:
The FUSE protocol documented in FUSE specifies the set of request types and their
contents.
The endianness of the FUSE protocol session is detectable by inspecting the uint32_t
in.opcode field of the FUSE_INIT request sent by the driver to the device.
This allows the device to determine whether the session is little-endian or
big-endian.
The hiprio queue follows the same request format as the request queues. This queue
only contains FUSE_INTERRUPT, FUSE_FORGET, and FUSE_BATCH_FORGET
requests.
Interrupt and forget requests have a higher priority than normal requests. The
separate hiprio queue is used for these requests to ensure they can be delivered even
when all request queues are full.
The device MAY process request queues concurrently with the hiprio queue.
The driver MUST anticipate that request queues are processed concurrently with the
hiprio queue.
FUSE_READ and FUSE_WRITE requests transfer file contents between the
driver-provided buffer and the device. In cases where data transfer is undesirable, the
device can map file contents into the DAX window shared memory region. The driver
then accesses file contents directly in device-owned memory without a data
transfer.
Shared memory region ID 0 is called the DAX window. Drivers map this
shared memory region with writeback caching as if it were regular RAM. The
contents of the DAX window are undefined unless a mapping exists for that
range.
The driver maps a file range into the DAX window using the FUSE_SETUPMAPPING
request. Alignment constraints for FUSE_SETUPMAPPING and
FUSE_REMOVEMAPPING requests are communicated during FUSE_INIT
negotiation.
When a FUSE_SETUPMAPPING request perfectly overlaps a previous mapping, the
previous mapping is replaced. When a mapping partially overlaps a previous
mapping, the previous mapping is split into one or two smaller mappings. When
a mapping is partially unmapped it is also split into one or two smaller
mappings.
Establishing new mappings or splitting existing mappings consumes resources. If the
device runs out of resources the FUSE_SETUPMAPPING request fails until
resources are available again following FUSE_REMOVEMAPPING.
After FUSE_SETUPMAPPING has completed successfully the file range is
accessible from the DAX window at the offset provided by the driver in
the request. A mapping is removed using the FUSE_REMOVEMAPPING
request.
Data is only guaranteed to be persistent when a FUSE_FSYNC request is used
by the device after having been made available by the driver following the
write.
The device MUST reject mappings that would go beyond the end of the DAX
window.
The driver MUST NOT access DAX window areas that have not been mapped.
The device provides access to a file system containing files owned by one or more
POSIX user ids and group ids. The device has no secure way of differentiating
between users originating requests via the driver. Therefore the device accepts the
POSIX user ids and group ids provided by the driver and security is enforced by the
driver rather than the device. It is nevertheless possible for devices to implement
POSIX user id and group id mapping or whitelisting to control the ownership and
access available to the driver.
File systems containing special files including device nodes and setuid executable files
pose a security concern. These properties are defined by the file type and mode,
which are set by the driver when creating new files or by changes at a later time.
These special files present a security risk when the file system is shared with another
system, such as the host or another guest. This issue can be solved on some
operating systems using mount options that ignore special files. It is also
possible for devices to implement restrictions on special files by refusing their
creation.
When the device provides shared access to a file system, symlink race conditions,
exhausting file system capacity, and overwriting or deleting files used by others are
factors to consider. These issues have a long history in multi-user operating systems
and also apply to virtio-fs. They are typically managed at the file system
administration level by providing shared access only to mutually trusted
users.
When a guest is migrated to a new host it is necessary to consider the FUSE
session and its state. The continuity of FUSE inode numbers (also known as
nodeids) and fh values is necessary so the driver can continue operation without
disruption.
It is possible to maintain the FUSE session across live migration either by transferring
the state or by redirecting requests from the new host to the old host where the state
resides. The details of how to achieve this are implementation-dependent and are not
visible at the device interface level.
Maintaining version and feature information negotiated by FUSE_INIT is necessary
so that no FUSE protocol feature changes are visible to the driver across live
migration. The FUSE_INIT information forms part of the FUSE session state that
needs to be transferred during live migration.
If this feature bit is negotiated, the ordering in effect for any memory
accesses by the driver that need to be ordered in a specific way with respect
to accesses by the device is the one suitable for devices described by the
platform. This implies that the driver needs to use memory barriers suitable
for devices described by the platform; e.g. for the PCI transport in the case
of hardware PCI devices.
If this feature bit is not negotiated, then the device and driver are assumed
to be implemented in software, that is they can be assumed to run on
identical CPUs in an SMP configuration. Thus a weaker form of memory
barriers is sufficient to yield better performance.
A driver MUST accept VIRTIO_F_VERSION_1 if it is offered. A driver MAY fail to
operate further if VIRTIO_F_VERSION_1 is not offered.
A driver SHOULD accept VIRTIO_F_ACCESS_PLATFORM if it is offered, and it
MUST then either disable the IOMMU or configure the IOMMU to translate
bus addresses passed to the device into physical addresses in memory. If
VIRTIO_F_ACCESS_PLATFORM is not offered, then a driver MUST pass only
physical addresses to the device.
A driver SHOULD accept VIRTIO_F_RING_PACKED if it is offered.
A driver SHOULD accept VIRTIO_F_ORDER_PLATFORM if it is offered. If
VIRTIO_F_ORDER_PLATFORM has been negotiated, a driver MUST use the
barriers suitable for hardware devices.
If VIRTIO_F_SR_IOV has been negotiated, a driver MAY enable virtual
functions through the device’s PCI SR-IOV capability structure. A driver
MUST NOT negotiate VIRTIO_F_SR_IOV if the device does not have a PCI
SR-IOV capability structure or is not a PCI device. A driver MUST negotiate
VIRTIO_F_SR_IOV and complete the feature negotiation (including checking the
FEATURES_OK device status bit) before enabling virtual functions through the
device’s PCI SR-IOV capability structure. After once successfully negotiating
VIRTIO_F_SR_IOV, the driver MAY enable virtual functions through the device’s
PCI SR-IOV capability structure even if the device or the system has been fully or
partially reset, and even without re-negotiating VIRTIO_F_SR_IOV after the
reset.
A device MUST offer VIRTIO_F_VERSION_1. A device MAY fail to operate further
if VIRTIO_F_VERSION_1 is not accepted.
A device SHOULD offer VIRTIO_F_ACCESS_PLATFORM if its access to memory is
through bus addresses distinct from and translated by the platform to physical
addresses used by the driver, and/or if it can only access certain memory
addresses with said access specified and/or granted by the platform. A device
MAY fail to operate further if VIRTIO_F_ACCESS_PLATFORM is not
accepted.
If VIRTIO_F_IN_ORDER has been negotiated, a device MUST use buffers in the
same order in which they have been available.
A device MAY fail to operate further if VIRTIO_F_ORDER_PLATFORM is offered
but not accepted. A device MAY operate in a slower emulation mode if
VIRTIO_F_ORDER_PLATFORM is offered but not accepted.
It is RECOMMENDED that an add-in card based PCI device offers both
VIRTIO_F_ACCESS_PLATFORM and VIRTIO_F_ORDER_PLATFORM for
maximum portability.
A device SHOULD offer VIRTIO_F_SR_IOV if it is a PCI device and presents a PCI
SR-IOV capability structure, otherwise it MUST NOT offer VIRTIO_F_SR_IOV.
Transitional devices MAY offer the following:
Transitional devices MUST offer, and if offered by the device transitional drivers
MUST accept the following:
Conformance targets:
A driver MUST conform to the following normative statements:
A PCI driver MUST conform to the following normative statements:
An MMIO driver MUST conform to the following normative statements:
A Channel I/O driver MUST conform to the following normative statements:
A network driver MUST conform to the following normative statements:
A block driver MUST conform to the following normative statements:
A console driver MUST conform to the following normative statements:
An entropy driver MUST conform to the following normative statements:
A traditional memory balloon driver MUST conform to the following normative
statements:
An SCSI host driver MUST conform to the following normative statements:
An input driver MUST conform to the following normative statements:
A Crypto driver MUST conform to the following normative statements:
A socket driver MUST conform to the following normative statements:
A device MUST conform to the following normative statements:
A PCI device MUST conform to the following normative statements:
An MMIO device MUST conform to the following normative statements:
A Channel I/O device MUST conform to the following normative statements:
A network device MUST conform to the following normative statements:
A block device MUST conform to the following normative statements:
A console device MUST conform to the following normative statements:
An entropy device MUST conform to the following normative statements:
A traditional memory balloon device MUST conform to the following normative
statements:
An SCSI host device MUST conform to the following normative statements:
An input device MUST conform to the following normative statements:
A Crypto device MUST conform to the following normative statements:
A socket device MUST conform to the following normative statements:
A conformant implementation MUST be either transitional or non-transitional, see
1.3.1.
An implementation MAY choose to implement OPTIONAL support for the legacy
interface, including support for legacy drivers or devices, by conforming to all of the
MUST or REQUIRED level requirements for the legacy interface for the transitional
devices and drivers.
The requirements for the legacy interface for transitional implementations are located
in sections named “Legacy Interface” listed below:
It is possible that a very simple device will operate entirely through its device
configuration space, but most will need at least one virtqueue in which it
will place requests. A device with both input and output (eg. console and
network devices described here) need two queues: one which the driver fills with
buffers to receive input, and one which the driver places buffers to transmit
output.
Device configuration space should only be used for initialization-time parameters. It
is a limited resource with no synchronization between field written by the driver, so
for most uses it is better to use a virtqueue to update configuration information (the
network device does this for filtering, otherwise the table in the config space could
potentially be very large).
Remember that configuration fields over 32 bits wide might not be atomically
writable by the driver. Therefore, no writeable field which triggers an action ought to
be wider than 32 bits.
Device numbers can be reserved by the OASIS committee: email
virtio-dev@lists.oasis-open.org to secure a unique one.
Meanwhile for experimental drivers, use 65535 and work backwards.
Using the optional MSI-X capability devices can speed up interrupt processing by
removing the need to read ISR Status register by guest driver (which might be an
expensive operation), reducing interrupt sharing between devices and queues within
the device, and handling interrupts from multiple CPUs. However, some systems
impose a limit (which might be as low as 256) on the total number of MSI-X vectors
that can be allocated to all devices. Devices and/or drivers should take this into
account, limiting the number of vectors used unless the device is expected
to cause a high volume of interrupts. Devices can control the number of
vectors used by limiting the MSI-X Table Size or not presenting MSI-X
capability in PCI configuration space. Drivers can control this by mapping events
to as small number of vectors as possible, or disabling MSI-X capability
altogether.
Any change to device configuration space, or new virtqueues, or behavioural changes,
should be indicated by negotiation of a new feature bit. This establishes
clarity19
and avoids future expansion problems.
Clusters of functionality which are always implemented together can use a single bit,
but if one feature makes sense without the others they should not be gratuitously
grouped together to conserve feature bits.
Allen Chia, Oracle The following non-members have provided valuable feedback on this specification and
are gratefully acknowledged:
Aaron Conole, Red Hat Changes Made ccw: be more precise about the
semantic of revision 1
Revision
1 of the CCW transport is
currently defined as virtio 1.0.
This could become confusing
when we bump the version of
the virtio specification to 1.1,
in a sense that it could be
interpreted like one can not use
any features not part of the 1.0
specification.
So let us try to avoid confusion
regarding the semantic of
virtio-ccw revision 1.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-163
Signed-off-by: Halil Pasic
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin See 4.3.2.1.
introduction: simplify the
designation of legacy
The sentence designating the
documents defining what later
became known as the legacy
virtio interface had the most
important piece of information
placed in parenthesis.
Let’s reword this sentence so
we avoid using an ambiguous
designation based on a relative
anchor (i.e. ’earlier drafts of this
specification’) and just use the
absolute anchor (version 1.0).
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-164
Signed-off-by: Halil Pasic
Reviewed-by: Cornelia Huck
Signed-off-by: Michael S.
Tsirkin See 1.3.1. virtio-blk: document data[] size
constraints
The struct
virtio_blk_req->data[] field is a
multiple of 512 bytes long for
read and write requests. Flush
requests don’t use data[] at all.
The new discard
and write zeroes requests being
introduced in VIRTIO 1.1 put
struct
virtio_blk_discard_write_zeroes
elements into data[], so it must
be a multiple of the struct size.
The uint8_t
data[][512] pseudo-code makes
it look like discard and write
zeroes requests must pad to
512 bytes. This wastes memory
since struct
virtio_blk_discard_write_data is
only 16 bytes long.
Furthermore, all known
implementations wishing to
take advantage of this upcoming
VIRTIO 1.1 feature do not
use 512-byte padding (Linux
virtio_blk.ko, QEMU virtio-blk
device emulation, the SPDK
virtio-blk driver, and the SPDK
vhost-user-blk device backend).
This patch documents the
data[] size constraints clearly
in the driver normative section.
This is clearer than the current
pseudo-code.
Fixes:
https://github.com/oasis-tcs/virtio-spec/issues/32
Cc: Michael S. Tsirkin
Cc: Changpeng Liu
Cc: Stefano Garzarella
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5.2.6. virtio-blk: move
virtio_blk_discard_write_zeroes
definition
struct
virtio_blk_discard_write_zeroes
is defined alongside
struct virtio_blk_req but only
discussed later in the text. Move
it to where it belongs.
Fixes:
https://github.com/oasis-tcs/virtio-spec/issues/32
Suggested-by: Michael S.
Tsirkin Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5.2.6. virtio-blk: describe write zeroes
unmap semantics
Explain
the meaning of the unmap flag.
The details are already covered
in the device normative section
but mentioning it here makes
the text easier to understand.
Fixes:
https://github.com/oasis-tcs/virtio-spec/issues/32
Suggested-by: Michael S.
Tsirkin Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5.2.6. virtio-blk: avoid inconsistent
"DISCARD" term
"discard" (lowercase) is used
throughout the text. Remove
a lone instance of "DISCARD"
(uppercase).
Fixes:
https://github.com/oasis-tcs/virtio-spec/issues/32
Suggested-by: Michael S.
Tsirkin Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5.2.6. virtio-blk: clarify semantics
of multi-segment discard/write
zeroes commands
Describe the failure case and
maximum number
of segments in a multi-segment
discard/write zeroes command.
Fixes:
https://github.com/oasis-tcs/virtio-spec/issues/34
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Michael S.
Tsirkin See 5.2.6.1. format: replace "- i.e." with ",
i.e.,"
This seems to be preferred by
native speakers, and seems just
as effective as a sentence device.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-171
Signed-off-by: Michael S.
Tsirkin conformance: add links to
crypto and input devices
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-174
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
See 7.1. signal start and end of
structures consistently
Make sure all structs have the
format:
struct X .
... };
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-170
Signed-off-by: Michael S.
Tsirkin See 5.6.6.2. editorial: explain each structure
before use
Several structures are listed
before they are introduced in
some way. Add a sentence
before each one so they don’t
appear prior to any prose.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-166
Signed-off-by: Michael S.
Tsirkin See 5.1.6.5, 2.6.8, 5.9.5, 5.7.4,
5.7.6.7, 5.7.6.7 amd 5.10.4. conformance: tweak to match
OASIS requirements
Number clauses as required by
OASIS.
Also reference the transitional
clause.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-168
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
Reviewed-by: Cornelia Huck
See 7. introduction: update link to
IEEE 802
Looks like all GETIEEE links
got broken. Let’s just point to
their main page.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-175
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
Reviewed-by: Jens Freimann
See 1.1. editorial: upgrade links to https
Several links have been
upgraded and now redirect to
the https version. Upgrade our
version accordingly.
Note that some other links
use the status 301 - moved
permanently apparently in error
(e.g. for a language specific
redirect), not updating these.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-173
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Stefan Hajnoczi
conformance: fix confusion
about legacy interface
The text describing the legacy
interface also obliquely refers to
a non-transitional
implementation. This seems to
cause confusion and there’s no
good reason to do it here: this
section is about legacy interface
and transitional devices, it add
not value at all. Just drop it.
Note: the spec does not make
it clear whether description of
the legacy interface is normative
or not, and in particular, this
section is not linked to from any
conformance targets. Resolving
that is left for later.
Fixes:
https://issues.oasis-open.org/browse/VIRTIO-167
Signed-off-by: Michael S.
Tsirkin Reviewed-by: Cornelia Huck
Acked-by: Halil Pasic
See 7.4. block: drop duplicate text
In version 1.1 draft 01 - Section
5.2.6.4 - second bullet:
Duplicated
text "errors, data_len, sense_len
and residual MUST reside in a
single, separate device-writable
descriptor" appears +both in
the beginning and at the end of
the 2nd sentence.
The original text:
For SCSI commands there are
additional constraints. errors,
data_len, sense_len and residual
MUST reside in a
single, separate device-writable
descriptor, sense MUST reside
in a
single separate device-writable
descriptor of size 96 bytes,
and errors, data_len, sense_len
and residual MUST reside a
single separate device-writable
descriptor. I suggest to delete
the 1st one, so in the end
result, fields are described in
same order as appear in struct
virtio_scsi_pc_req.
Fixes:
https://github.com/oasis-tcs/virtio-spec/issues/39
Reported-by: Gil Savir
Signed-off-by: Michael S.
Tsirkin See 5.2.6.4. 1This lack of page-sharing implies that the implementation of the device (e.g. the hypervisor
or host) needs full access to the guest memory. Communication with untrusted parties (i.e.
inter-guest communication) requires copying.
2The Linux implementation further separates the virtio transport code from the specific
virtio drivers: these drivers are shared between different transports.
3For example, the simplest network device has one virtqueue for transmit and one for
receive.
4For example, if Queue Size is 4 then at most 4 buffers can be queued at any given
time.
5For example, if Queue Size is 4 then at most 4 buffers can be queued at any given
time.
6For example, the simplest network device has two virtqueues.
7The 4096 is based on the x86 page size, but it’s also large enough to ensure that the separate
parts of the virtqueue are on separate cache lines.
8Due to various bugs in implementations, this field is not useful as a guarantee of the
transport header size.
9This case is not handled by some older hardware, so is called out specifically in the
protocol.
10Since there are no guarantees, it can use a hash filter or silently switch to allmulti or
promiscuous mode if it is given too many addresses.
11Consistent with 5.2.6.2, a writethrough cache can be defined broadly as a cache that
commits writes to persistent device backend storage before reporting their completion. For
example, a battery-backed writeback cache actually counts as writethrough according to this
definition.
12Note that in this case, according to 5.2.5.2, the device will not have offered
VIRTIO_BLK_F_CONFIG_WCE either.
13Because this is high importance and low bandwidth, the current Linux implementation
polls for the buffer to become used, rather than waiting for a used buffer notification,
simplifying the implementation significantly. However, for generic serial ports with the
O_NONBLOCK flag set, the polling limitation is relaxed and the consumed buffers are freed
upon the next write or poll call or when a port is closed or hot-unplugged.
14This is historical, and independent of the guest page size.
15In this case, deflation advice is merely a courtesy.
16For example, INQUIRY or REPORT LUNS.
17For example, I_T RESET.
18There is no separate residual size for pi_bytesout and pi_bytesin. It can be computed from the
residual field, the size of the data integrity information per sector, and the sizes of pi_out, pi_in,
dataout and datain.
19Even if it does mean documenting design or implementation mistakes!
/* Device read only portion */
struct virtio_crypto_op_header header;
#define VIRTIO_CRYPTO_DATAQ_OP_SPEC_HDR_LEGACY 48
/* fixed length fields, opcode specific */
u8 op_flf[flf_len];
/* Device read && write portion */
/* variable length fields, opcode specific */
u8 op_vlf[vlf_len];
/* Device write only portion */
struct virtio_crypto_inhdr inhdr;
};
5.9.7.4 HASH Service Operation
/* length of source data */
le32 src_data_len;
/* hash result length */
le32 hash_result_len;
};
struct virtio_crypto_hash_data_vlf {
/* Device read only portion */
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Hash result data */
u8 hash_result[hash_result_len];
};
struct {
/* See VIRTIO_CRYPTO_HASH_* above */
le32 algo;
} sess_para;
/* length of source data */
le32 src_data_len;
/* hash result length */
le32 hash_result_len;
le32 reserved;
};
struct virtio_crypto_hash_data_vlf_stateless {
/* Device read only portion */
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Hash result data */
u8 hash_result[hash_result_len];
};
5.9.7.4.1 Driver Requirements: HASH Service Operation
5.9.7.4.2 Device Requirements: HASH Service Operation
5.9.7.5 MAC Service Operation
struct virtio_crypto_hash_data_flf hdr;
};
struct virtio_crypto_mac_data_vlf {
/* Device read only portion */
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Hash result data */
u8 hash_result[hash_result_len];
};
struct {
/* See VIRTIO_CRYPTO_MAC_* above */
le32 algo;
/* length of authenticated key */
le32 auth_key_len;
} sess_para;
/* length of source data */
le32 src_data_len;
/* hash result length */
le32 hash_result_len;
};
struct virtio_crypto_mac_data_vlf_stateless {
/* Device read only portion */
/* The authenticated key */
u8 auth_key[auth_key_len];
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Hash result data */
u8 hash_result[hash_result_len];
};
5.9.7.5.1 Driver Requirements: MAC Service Operation
5.9.7.5.2 Device Requirements: MAC Service Operation
5.9.7.6 Symmetric algorithms Operation
/*
* Byte Length of valid IV/Counter data pointed to by the below iv data.
*
* For block ciphers in CBC or F8 mode, or for Kasumi in F8 mode, or for
* SNOW3G in UEA2 mode, this is the length of the IV (which
* must be the same as the block length of the cipher).
* For block ciphers in CTR mode, this is the length of the counter
* (which must be the same as the block length of the cipher).
*/
le32 iv_len;
/* length of source data */
le32 src_data_len;
/* length of destination data */
le32 dst_data_len;
le32 padding;
};
struct virtio_crypto_cipher_data_vlf {
/* Device read only portion */
/*
* Initialization Vector or Counter data.
*
* For block ciphers in CBC or F8 mode, or for Kasumi in F8 mode, or for
* SNOW3G in UEA2 mode, this is the Initialization Vector (IV)
* value.
* For block ciphers in CTR mode, this is the counter.
* For AES-XTS, this is the 128bit tweak, i, from IEEE Std 1619-2007.
*
* The IV/Counter will be updated after every partial cryptographic
* operation.
*/
u8 iv[iv_len];
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Destination data */
u8 dst_data[dst_data_len];
};
le32 iv_len;
/* Length of source data */
le32 src_data_len;
/* Length of destination data */
le32 dst_data_len;
/* Starting point for cipher processing in source data */
le32 cipher_start_src_offset;
/* Length of the source data that the cipher will be computed on */
le32 len_to_cipher;
/* Starting point for hash processing in source data */
le32 hash_start_src_offset;
/* Length of the source data that the hash will be computed on */
le32 len_to_hash;
/* Length of the additional auth data */
le32 aad_len;
/* Length of the hash result */
le32 hash_result_len;
le32 reserved;
};
struct virtio_crypto_alg_chain_data_vlf {
/* Device read only portion */
/* Initialization Vector or Counter data */
u8 iv[iv_len];
/* Source data */
u8 src_data[src_data_len];
/* Additional authenticated data if exists */
u8 aad[aad_len];
/* Device write only portion */
/* Destination data */
u8 dst_data[dst_data_len];
/* Hash result data */
u8 hash_result[hash_result_len];
};
/* Device read only portion */
#define VIRTIO_CRYPTO_SYM_DATA_REQ_HDR_SIZE 40
u8 op_type_flf[VIRTIO_CRYPTO_SYM_DATA_REQ_HDR_SIZE];
/* See above VIRTIO_CRYPTO_SYM_OP_* */
le32 op_type;
le32 padding;
};
struct virtio_crypto_sym_data_vlf {
u8 op_type_vlf[sym_para_len];
};
struct {
/* See VIRTIO_CRYPTO_CIPHER* above */
le32 algo;
/* length of key */
le32 key_len;
/* See VIRTIO_CRYPTO_OP_* above */
le32 op;
} sess_para;
/*
* Byte Length of valid IV/Counter data pointed to by the below iv data.
*/
le32 iv_len;
/* length of source data */
le32 src_data_len;
/* length of destination data */
le32 dst_data_len;
};
struct virtio_crypto_cipher_data_vlf_stateless {
/* Device read only portion */
/* The cipher key */
u8 cipher_key[key_len];
/* Initialization Vector or Counter data. */
u8 iv[iv_len];
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Destination data */
u8 dst_data[dst_data_len];
};
struct {
/* See VIRTIO_CRYPTO_SYM_ALG_CHAIN_ORDER_* above */
le32 alg_chain_order;
/* length of the additional authenticated data in bytes */
le32 aad_len;
struct {
/* See VIRTIO_CRYPTO_CIPHER* above */
le32 algo;
/* length of key */
le32 key_len;
/* See VIRTIO_CRYPTO_OP_* above */
le32 op;
} cipher;
struct {
/* See VIRTIO_CRYPTO_HASH_* or VIRTIO_CRYPTO_MAC_* above */
le32 algo;
/* length of authenticated key */
le32 auth_key_len;
/* See VIRTIO_CRYPTO_SYM_HASH_MODE_* above */
le32 hash_mode;
} hash;
} sess_para;
le32 iv_len;
/* Length of source data */
le32 src_data_len;
/* Length of destination data */
le32 dst_data_len;
/* Starting point for cipher processing in source data */
le32 cipher_start_src_offset;
/* Length of the source data that the cipher will be computed on */
le32 len_to_cipher;
/* Starting point for hash processing in source data */
le32 hash_start_src_offset;
/* Length of the source data that the hash will be computed on */
le32 len_to_hash;
/* Length of the additional auth data */
le32 aad_len;
/* Length of the hash result */
le32 hash_result_len;
le32 reserved;
};
struct virtio_crypto_alg_chain_data_vlf_stateless {
/* Device read only portion */
/* The cipher key */
u8 cipher_key[key_len];
/* The auth key */
u8 auth_key[auth_key_len];
/* Initialization Vector or Counter data */
u8 iv[iv_len];
/* Additional authenticated data if exists */
u8 aad[aad_len];
/* Source data */
u8 src_data[src_data_len];
/* Device write only portion */
/* Destination data */
u8 dst_data[dst_data_len];
/* Hash result data */
u8 hash_result[hash_result_len];
};
/* Device read only portion */
#define VIRTIO_CRYPTO_SYM_DATE_REQ_HDR_STATELESS_SIZE 72
u8 op_type_flf[VIRTIO_CRYPTO_SYM_DATE_REQ_HDR_STATELESS_SIZE];
/* Device write only portion */
/* See above VIRTIO_CRYPTO_SYM_OP_* */
le32 op_type;
};
struct virtio_crypto_sym_data_vlf_stateless {
u8 op_type_vlf[sym_para_len];
};
5.9.7.6.1 Driver Requirements: Symmetric algorithms Operation
5.9.7.6.2 Device Requirements: Symmetric algorithms Operation
5.9.7.7 AEAD Service Operation
/*
* Byte Length of valid IV data.
*
* For GCM mode, this is either 12 (for 96-bit IVs) or 16, in which
* case iv points to J0.
* For CCM mode, this is the length of the nonce, which can be in the
* range 7 to 13 inclusive.
*/
le32 iv_len;
/* length of additional auth data */
le32 aad_len;
/* length of source data */
le32 src_data_len;
/* length of dst data, this should be at least src_data_len + tag_len */
le32 dst_data_len;
/* Authentication tag length */
le32 tag_len;
le32 reserved;
};
struct virtio_crypto_aead_data_vlf {
/* Device read only portion */
/*
* Initialization Vector data.
*
* For GCM mode, this is either the IV (if the length is 96 bits) or J0
* (for other sizes), where J0 is as defined by NIST SP800-38D.
* Regardless of the IV length, a full 16 bytes needs to be allocated.
* For CCM mode, the first byte is reserved, and the nonce should be
* written starting at &iv[1] (to allow space for the implementation
* to write in the flags in the first byte). Note that a full 16 bytes
* should be allocated, even though the iv_len field will have
* a value less than this.
*
* The IV will be updated after every partial cryptographic operation.
*/
u8 iv[iv_len];
/* Source data */
u8 src_data[src_data_len];
/* Additional authenticated data if exists */
u8 aad[aad_len];
/* Device write only portion */
/* Pointer to output data */
u8 dst_data[dst_data_len];
};
struct {
/* See VIRTIO_CRYPTO_AEAD_* above */
le32 algo;
/* length of key */
le32 key_len;
/* encrypt or decrypt, See above VIRTIO_CRYPTO_OP_* */
le32 op;
} sess_para;
/* Byte Length of valid IV data. */
le32 iv_len;
/* Authentication tag length */
le32 tag_len;
/* length of additional auth data */
le32 aad_len;
/* length of source data */
le32 src_data_len;
/* length of dst data, this should be at least src_data_len + tag_len */
le32 dst_data_len;
};
struct virtio_crypto_aead_data_vlf_stateless {
/* Device read only portion */
/* The cipher key */
u8 key[key_len];
/* Initialization Vector data. */
u8 iv[iv_len];
/* Source data */
u8 src_data[src_data_len];
/* Additional authenticated data if exists */
u8 aad[aad_len];
/* Device write only portion */
/* Pointer to output data */
u8 dst_data[dst_data_len];
};
5.9.7.7.1 Driver Requirements: AEAD Service Operation
5.9.7.7.2 Device Requirements: AEAD Service Operation
5.10 Socket Device
5.10.1 Device ID
5.10.2 Virtqueues
5.10.3 Feature bits
5.10.4 Device configuration layout
CID Notes 0 Reserved
1 Reserved
2 Well-known CID for the host
0xffffffff Reserved
0xffffffffffffffff Reserved
5.10.5 Device Initialization
5.10.6 Device Operation
le64 src_cid;
le64 dst_cid;
le32 src_port;
le32 dst_port;
le32 len;
le16 type;
le16 op;
le32 flags;
le32 buf_alloc;
le32 fwd_cnt;
};
VIRTIO_VSOCK_OP_INVALID = 0,
/* Connect operations */
VIRTIO_VSOCK_OP_REQUEST = 1,
VIRTIO_VSOCK_OP_RESPONSE = 2,
VIRTIO_VSOCK_OP_RST = 3,
VIRTIO_VSOCK_OP_SHUTDOWN = 4,
/* To send payload */
VIRTIO_VSOCK_OP_RW = 5,
/* Tell the peer our credit info */
VIRTIO_VSOCK_OP_CREDIT_UPDATE = 6,
/* Request the peer to send the credit info to us */
VIRTIO_VSOCK_OP_CREDIT_REQUEST = 7,
};
5.10.6.1 Virtqueue Flow Control
5.10.6.1.1 Driver Requirements: Device Operation: Virtqueue Flow Control
The rx virtqueue MUST be processed even when the tx virtqueue is full so long
as there are additional resources available to hold packets outside the tx
virtqueue.
5.10.6.1.2 Device Requirements: Device Operation: Virtqueue Flow Control
The tx virtqueue MUST be processed even when the rx virtqueue is full so long
as there are additional resources available to hold packets outside the rx
virtqueue.
5.10.6.2 Addressing
5.10.6.3 Buffer Space Management
u32 peer_free = peer_buf_alloc - (tx_cnt - peer_fwd_cnt);
5.10.6.3.1 Driver Requirements: Device Operation: Buffer Space Management
VIRTIO_VSOCK_OP_RW data packets MUST only be transmitted when the peer
has sufficient free buffer space for the payload.
5.10.6.3.2 Device Requirements: Device Operation: Buffer Space Management
VIRTIO_VSOCK_OP_RW data packets MUST only be transmitted when the peer
has sufficient free buffer space for the payload.
5.10.6.4 Receive and Transmit
5.10.6.4.1 Driver Requirements: Device Operation: Receive and Transmit
The guest_cid configuration field MUST be used as the source CID when sending
outgoing packets.
5.10.6.4.2 Device Requirements: Device Operation: Receive and Transmit
The guest_cid configuration field MUST NOT contain a reserved CID as listed in
5.10.4.
5.10.6.5 Stream Sockets
5.10.6.6 Device Events
VIRTIO_VSOCK_EVENT_TRANSPORT_RESET = 0,
};
struct virtio_vsock_event {
le32 id;
};
5.10.6.6.1 Driver Requirements: Device Operation: Device Events
Event virtqueue buffers SHOULD be replenished quickly so that no events are
missed.
5.11 File System Device
5.11.1 Device ID
5.11.2 Virtqueues
5.11.3 Feature bits
5.11.4 Device configuration layout
5.11.4.1 Driver Requirements: Device configuration layout
5.11.4.2 Device Requirements: Device configuration layout
5.11.5 Device Initialization
5.11.6 Device Operation
5.11.6.1 Device Operation: Request Queues
// Device-readable part
struct fuse_in_header in;
u8 datain[];
// Device-writable part
struct fuse_out_header out;
u8 dataout[];
};
// Device-readable part
struct fuse_in_header in;
union {
struct fuse_read_in readin;
u8 datain[sizeof(struct fuse_read_in)];
};
// Device-writable part
struct fuse_out_header out;
u8 dataout[out.len - sizeof(struct fuse_out_header)];
};
5.11.6.2 Device Operation: High Priority Queue
5.11.6.2.1 Device Requirements: Device Operation: High Priority Queue
The device MUST NOT pause processing of the hiprio queue due to activity on a
normal request queue.
5.11.6.2.2 Driver Requirements: Device Operation: High Priority Queue
The driver MUST submit FUSE_INTERRUPT, FUSE_FORGET, and
FUSE_BATCH_FORGET requests solely on the hiprio queue.
5.11.6.3 Device Operation: DAX Window
5.11.6.3.1 Device Requirements: Device Operation: DAX Window
The device MUST allow mappings that completely or partially overlap existing
mappings within the DAX window.
5.11.6.3.2 Driver Requirements: Device Operation: DAX Window
The driver SHOULD be prepared to find shared memory region ID 0 absent and fall
back to FUSE_READ and FUSE_WRITE requests.
5.11.6.4 Security Considerations
5.11.6.5 Live migration considerations
Currently these device-independent feature bits defined:
6 Reserved Feature Bits6.1 Driver Requirements: Reserved Feature Bits
6.2 Device Requirements: Reserved Feature Bits
6.3 Legacy Interface: Reserved Feature Bits
This chapter lists the conformance targets and clauses for each; this also forms a
useful checklist which authors are asked to consult for their implementations!
7 Conformance7.1 Conformance Targets
7.2 Clause 1: Driver Conformance
7.2.1 Clause 2: PCI Driver Conformance
7.2.2 Clause 3: MMIO Driver Conformance
7.2.3 Clause 4: Channel I/O Driver Conformance
7.2.4 Clause 5: Network Driver Conformance
7.2.5 Clause 6: Block Driver Conformance
7.2.6 Clause 7: Console Driver Conformance
7.2.7 Clause 8: Entropy Driver Conformance
7.2.8 Clause 9: Traditional Memory Balloon Driver Conformance
7.2.9 Clause 10: SCSI Host Driver Conformance
7.2.10 Clause 11: Input Driver Conformance
7.2.11 Clause 12: Crypto Driver Conformance
7.2.12 Clause 13: Socket Driver Conformance
7.3 Clause 14: Device Conformance
7.3.1 Clause 15: PCI Device Conformance
7.3.2 Clause 16: MMIO Device Conformance
7.3.3 Clause 17: Channel I/O Device Conformance
7.3.4 Clause 18: Network Device Conformance
7.3.5 Clause 19: Block Device Conformance
7.3.6 Clause 20: Console Device Conformance
7.3.7 Clause 21: Entropy Device Conformance
7.3.8 Clause 22: Traditional Memory Balloon Device Conformance
7.3.9 Clause 23: SCSI Host Device Conformance
7.3.10 Clause 24: Input Device Conformance
7.3.11 Clause 25: Crypto Device Conformance
7.3.12 Clause 26: Socket Device Conformance
7.4 Clause 27: Legacy Interface: Transitional Device and Transitional Driver
Conformance
Appendix A. virtio_queue.h
This file is also available at the link https://docs.oasis-open.org/virtio/virtio/v1.1/cs01/listings/virtio_queue.h.
All definitions in this section are for non-normative reference only.
#ifndef VIRTQUEUE_H
#define VIRTQUEUE_H
/* An interface for efficient virtio implementation.
*
* This header is BSD licensed so anyone can use the definitions
* to implement compatible drivers/servers.
*
* Copyright 2007, 2009, IBM Corporation
* Copyright 2011, Red Hat, Inc
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of IBM nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ‘‘AS IS’’ AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL IBM OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <stdint.h>
/* This marks a buffer as continuing via the next field. */
#define VIRTQ_DESC_F_NEXT 1
/* This marks a buffer as write-only (otherwise read-only). */
#define VIRTQ_DESC_F_WRITE 2
/* This means the buffer contains a list of buffer descriptors. */
#define VIRTQ_DESC_F_INDIRECT 4
/* The device uses this in used->flags to advise the driver: don’t kick me
* when you add a buffer. It’s unreliable, so it’s simply an
* optimization. */
#define VIRTQ_USED_F_NO_NOTIFY 1
/* The driver uses this in avail->flags to advise the device: don’t
* interrupt me when you consume a buffer. It’s unreliable, so it’s
* simply an optimization. */
#define VIRTQ_AVAIL_F_NO_INTERRUPT 1
/* Support for indirect descriptors */
#define VIRTIO_F_INDIRECT_DESC 28
/* Support for avail_event and used_event fields */
#define VIRTIO_F_EVENT_IDX 29
/* Arbitrary descriptor layouts. */
#define VIRTIO_F_ANY_LAYOUT 27
/* Virtqueue descriptors: 16 bytes.
* These can chain together via "next". */
struct virtq_desc {
/* Address (guest-physical). */
le64 addr;
/* Length. */
le32 len;
/* The flags as indicated above. */
le16 flags;
/* We chain unused descriptors via this, too */
le16 next;
};
struct virtq_avail {
le16 flags;
le16 idx;
le16 ring[];
/* Only if VIRTIO_F_EVENT_IDX: le16 used_event; */
};
/* le32 is used here for ids for padding reasons. */
struct virtq_used_elem {
/* Index of start of used descriptor chain. */
le32 id;
/* Total length of the descriptor chain which was written to. */
le32 len;
};
struct virtq_used {
le16 flags;
le16 idx;
struct virtq_used_elem ring[];
/* Only if VIRTIO_F_EVENT_IDX: le16 avail_event; */
};
struct virtq {
unsigned int num;
struct virtq_desc *desc;
struct virtq_avail *avail;
struct virtq_used *used;
};
static inline int virtq_need_event(uint16_t event_idx, uint16_t new_idx, uint16_t old_idx)
{
return (uint16_t)(new_idx - event_idx - 1) < (uint16_t)(new_idx - old_idx);
}
/* Get location of event indices (only with VIRTIO_F_EVENT_IDX) */
static inline le16 *virtq_used_event(struct virtq *vq)
{
/* For backwards compat, used event index is at *end* of avail ring. */
return &vq->avail->ring[vq->num];
}
static inline le16 *virtq_avail_event(struct virtq *vq)
{
/* For backwards compat, avail event index is at *end* of used ring. */
return (le16 *)&vq->used->ring[vq->num];
}
#endif /* VIRTQUEUE_H */
Appendix B. Creating New Device Types
Various considerations are necessary when creating a new device type.
B.1 How Many Virtqueues?
B.2 What Device Configuration Space Layout?
B.3 What Device Number?
B.4 How many MSI-X vectors? (for PCI)
B.5 Device Improvements
Appendix C. Acknowledgements
The following individuals have participated in the creation of this specification and
are gratefully acknowledged:
Participants
Amit Shah, Red Hat
Amos Kong, Red Hat
Anthony Liguori, IBM
Bruce Rogers, SUSE
Bryan Venteicher, NetApp
Chandra Thyamagondlu, Xilinx
Chet Ensign, OASIS
Cornelia Huck, Red Hat
Cunming, Liang, Intel
Damjan, Marion, Cisco
Daniel Kiper, Oracle
Fang Chen, Huawei
Fang You, Huawei
Geoff Brown, M2Mi
Gerd Hoffmann, Red Hat
Gershon Janssen, Individual Member
Grant Likely, ARM
Haggai Eran, Mellanox
Halil Pasic, IBM
James Bottomley, Parallels IP Holdings GmbH
Jani Kokkonen, Huawei
Jan Kiszka, Siemens AG
Jens Freimann, Red Hat
Jian Zhou, Huawei
Karen Xie, Xilinx
Kumar Sanghvi, Xilinx
Lei Gong, Huawei
Lior Narkis, Mellanox
Luiz Capitulino, Red Hat
Marc-André Lureau, Red Hat
Mark Gray, Intel
Michael S. Tsirkin, Red Hat
Mihai Carabas, Oracle
Nishank Trivedi, NetApp
Paolo Bonzini, Red Hat
Paul Mundt, Huawei
Pawel Moll, ARM
Peng Long, Huawei
Piotr Uminski, Intel
Qian Xum, Intel
Richard Sohn, Alcatel-Lucent
Rusty Russell, IBM
Sasha Levin, Oracle
Sergey Tverdyshev, Thales e-Security
Stefan Hajnoczi, Red Hat
Sundar Mohan, Xilinx
Tom Lyon, Samya Systems, Inc.
Victor Kaplansky, Red Hat
Vijay Balakrishna, Oracle
Wei Wang, Intel
Xin Zeng, Intel
Reviewers
Adam Tao, Huawei
Alexander Duyck, Intel
Andreas Pape, ADITG/ESB
Andrew Thornton, Google
Arun Subbarao, LynuxWorks
Baptiste Reynal, Virtual Open Systems
Bharat Bhushan, NXP Semiconductors
Brian Foley, ARM
Chandra Thyamagondlu, Xilinx
Changpeng Liu, Intel
Christian Pinto, Virtual Open Systems
Christoffer Dall, ARM
Christoph Hellwig, Individual
Christian Borntraeger, IBM
Daniel Marcovitch, Mellanox
David Alan Gilbert, Red Hat
David Hildenbrand, Red Hat
David Riddoch, Solarflare
Denis V. Lunev, OpenVZ
Dmitry Fleytman, Red Hat
Don Wallwork, Broadcom
Emily Drea, ARM
Eric Auger, Red Hat
Fam Zheng, Red Hat
Francesco Fusco, Red Hat
Frank Yang, Google
Gil Savir, Intel
Gonglei (Arei), Huawei
Greg Kurz, IBM
Hannes Reiencke, SUSE
Ian Campbell, Docker
Ilya Lesokhin, Mellanox
Jacques Durand, Fujutsu
Jakub Jermar, Kernkonzept
Jan Scheurich, Ericsson
Jason Baron, Akamai
Jason Wang, Red Hat
Jean-Philippe Brucker, ARM
Jianfeng Tan, intel
Jonathan Helman, Oracle
Karandeep Chahal, DDN
Kevin Lo, MSI
Kevin Tian, Intel
Kully Dhanoa, Intel
Laura Novich, Red Hat
Ladi Prosek, Red Hat
Lars Ganrot, Napatech
Longpeng (Mike), Huawei
Mario Torrecillas Rodriguez, ARM
Mark Rustad, Intel
Maxime Coquelin, Red Hat
Namhyung Kim, LG
Ola Liljedahl, ARM
Pankaj Gupta, Red Hat
Patrick Durusau, OASIS
Pierre Pfister, Cisco
Pranavkumar Sawargaonkar, Linaro
Rauchfuss Holm, Huawei
Rob Miller, Broadcom
Roman Kiryanov, Google
Robin Cover, OASIS
Roger S Chien, Intel
Sameeh Jubran, Red Hat / Daynix
Si-Wei Liu, Oracle
Sridhar Samudrala, Intel
Stefan Fritsch, Individual
Stefano Garzarella, Red Hat
Steven Luong, Cisco
Thomas Huth, Red Hat
Tiwei Bie, Intel
Tomáš Golembiovský, Red Hat
Venu Busireddy, Oracle
Victor Kaplansky, Red Hat
Vijayabhaskar Balakrishna, Oracle
Vlad Yasevich, Red Hat
Yan Vugenfirer, Red Hat / Daynix
Wei Xu, Red Hat
Will Deacon, ARM
Willem de Bruijn, Google
Yuanhan Liu, Intel
Yuri Benditovich, Red Hat / Daynix
Zhi Yong Wu, IBM
Zhoujian, Huawei
Appendix D. Revision History
The following changes have been made since the previous version of this
specification:
Revision Date Editor
5c43ad7 27 Feb 2019 Halil Pasic
d348ac0 27 Feb 2019 Halil Pasic
bef3ff7 07 Mar 2019 Stefan Hajnoczi
c5c0ce7 07 Mar 2019 Stefan Hajnoczi
caffe5c 07 Mar 2019 Stefan Hajnoczi
5f1e981 07 Mar 2019 Stefan Hajnoczi
31a52d2 07 Mar 2019 Stefan Hajnoczi
90047f5 21 Mar 2019 Michael S. Tsirkin
c7b2503 21 Mar 2019 Michael S. Tsirkin
0b5288f 21 Mar 2019 Michael S. Tsirkin
69daf06 21 Mar 2019 Michael S. Tsirkin
d608f47 21 Mar 2019 Michael S. Tsirkin
0dbd52d 21 Mar 2019 Michael S. Tsirkin
7b361ea 21 Mar 2019 Michael S. Tsirkin
3e49aec 21 Mar 2019 Michael S. Tsirkin
4cc8a4d 21 Mar 2019 Michael S. Tsirkin