From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id B515245E03;
	Mon,  2 Dec 2024 10:31:44 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 8DDCB40261;
	Mon,  2 Dec 2024 10:31:43 +0100 (CET)
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.20])
 by mails.dpdk.org (Postfix) with ESMTP id D52054025E
 for <dev@dpdk.org>; Mon,  2 Dec 2024 10:31:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1733131902; x=1764667902;
 h=from:to:subject:date:message-id:in-reply-to:references:
 mime-version:content-transfer-encoding;
 bh=q/7brtR5L9LcJjM4G1sqhPJD5z5b2liiNGFYQaiZHog=;
 b=aPJSEQi9bJ/3/rF2DvyMnCeZPiVShMJC7yvF1f7+xlBWTMmpsBy7M5Bb
 Hf9ikJyiv8COUJWlAV5IG3PHQE1q22lY+jTrmO8+qv3XGIUxWuaPTaYgL
 YtEA5Qis0zrpquqNdyEczrWkLAOx5Nn4nJc3aH4G0/qjuLKHwV34bUPr1
 KeT4420gmLpNUVRIAf+S8eEPQdy/Qlka+SBNUc67ZxfiqYFf4hTMqVUmP
 lu4kORgIxGUQ+bbprt8Fg3r5yGVJy7OzJFpN6yNcRgmAFh0rmUAo2bN8o
 5VKdX5JDmSkvGwph4nAlCND/da2AqAqv8oo+yQ7atv7sKruYNQd4EAqof w==;
X-CSE-ConnectionGUID: qZvU3G0ZRASeXwasuN3j+Q==
X-CSE-MsgGUID: uU5FBi1mRuafAtB/IHGMCg==
X-IronPort-AV: E=McAfee;i="6700,10204,11273"; a="33034909"
X-IronPort-AV: E=Sophos;i="6.12,201,1728975600"; d="scan'208";a="33034909"
Received: from fmviesa002.fm.intel.com ([10.60.135.142])
 by orvoesa112.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 02 Dec 2024 01:31:40 -0800
X-CSE-ConnectionGUID: KqvLHBI/R+akum7B7+9SLg==
X-CSE-MsgGUID: /auz4266QOukLV7JjXHQ+A==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.12,201,1728975600"; d="scan'208";a="116319759"
Received: from silpixa00401119.ir.intel.com ([10.55.129.167])
 by fmviesa002.fm.intel.com with ESMTP; 02 Dec 2024 01:31:35 -0800
From: Anatoly Burakov <anatoly.burakov@intel.com>
To: dev@dpdk.org,
	Robin Jarry <rjarry@redhat.com>
Subject: [PATCH v4 1/1] usertools/devbind: allow changing UID/GID for VFIO
Date: Mon,  2 Dec 2024 09:31:33 +0000
Message-ID: <c5d0388620157638338f67291f8862c6c96cec96.1733131888.git.anatoly.burakov@intel.com>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <4cd0282dabfa59e715028ecf255468529655b487.1725285449.git.anatoly.burakov@intel.com>
References: <4cd0282dabfa59e715028ecf255468529655b487.1725285449.git.anatoly.burakov@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

Currently, when binding a device to VFIO, the UID/GID for the device will
always stay as system default (`root`). Yet, when running DPDK as non-root
user, one has to change the UID/GID of the device to match the user's
UID/GID to use the device.

This patch adds an option to `dpdk-devbind.py` to change the UID/GID of
the device when binding it to VFIO.

Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
---

Notes:
    v3 -> v4:
    - Added documentation
    
    v2 -> v3:
    - Replaced error printout back to hard exit
    - Reworked UID/GID validation to be at command line parsing
    - Simplified chown code
    
    v1 -> v2:
    - Replaced hard exit with an error printout

 doc/guides/tools/devbind.rst |  6 ++++++
 usertools/dpdk-devbind.py    | 41 +++++++++++++++++++++++++++++++++---
 2 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/doc/guides/tools/devbind.rst b/doc/guides/tools/devbind.rst
index df4f3505ac..841615570f 100644
--- a/doc/guides/tools/devbind.rst
+++ b/doc/guides/tools/devbind.rst
@@ -56,6 +56,12 @@ OPTIONS
         WARNING: This can lead to loss of network connection and should be used
         with caution.
 
+* ``--uid uid, --gid gid``
+
+      By default, devices which are bound to VFIO will be owned by ``root``.
+      Use this flag to change ownership to the specified user and group, so that
+      devices bound to VFIO would be usable by unprivileged users.
+
 
 .. warning::
 
diff --git a/usertools/dpdk-devbind.py b/usertools/dpdk-devbind.py
index f2a2a9a12f..ed1ef0cabc 100755
--- a/usertools/dpdk-devbind.py
+++ b/usertools/dpdk-devbind.py
@@ -3,11 +3,13 @@
 # Copyright(c) 2010-2014 Intel Corporation
 #
 
-import sys
-import os
-import subprocess
 import argparse
+import grp
+import os
 import platform
+import pwd
+import subprocess
+import sys
 
 from glob import glob
 from os.path import exists, basename
@@ -108,6 +110,8 @@
 status_flag = False
 force_flag = False
 noiommu_flag = False
+vfio_uid = -1
+vfio_gid = -1
 args = []
 
 
@@ -544,6 +548,19 @@ def bind_all(dev_list, driver, force=False):
 
     for d in dev_list:
         bind_one(d, driver, force)
+        # if we're binding to vfio-pci, set the IOMMU user/group ownership if one was specified
+        if driver == "vfio-pci" and (vfio_uid != -1 or vfio_gid != -1):
+            # find IOMMU group for a particular PCI device
+            iommu_grp_base_path = os.path.join("/sys/bus/pci/devices", d, "iommu_group")
+            # extract the IOMMU group number
+            iommu_grp = os.path.basename(os.readlink(iommu_grp_base_path))
+            # find VFIO device correspondiong to this IOMMU group
+            dev_path = os.path.join("/dev/vfio", iommu_grp)
+            # set ownership
+            try:
+                os.chown(dev_path, vfio_uid, vfio_gid)
+            except OSError as err:
+                sys.exit(f"Error: failed to set IOMMU group ownership for {d}: {err}")
 
     # For kernels < 3.15 when binding devices to a generic driver
     # (i.e. one that doesn't have a PCI ID table) using new_id, some devices
@@ -697,6 +714,8 @@ def parse_args():
     global force_flag
     global noiommu_flag
     global args
+    global vfio_uid
+    global vfio_gid
 
     parser = argparse.ArgumentParser(
         description='Utility to bind and unbind devices from Linux kernel',
@@ -746,6 +765,20 @@ def parse_args():
         '--noiommu-mode',
         action='store_true',
         help="If IOMMU is not available, enable no IOMMU mode for VFIO drivers")
+    parser.add_argument(
+        "-U",
+        "--uid",
+        help="For VFIO, specify the UID to set IOMMU group ownership",
+        type=lambda u: pwd.getpwnam(u).pw_uid,
+        default=-1,
+    )
+    parser.add_argument(
+        "-G",
+        "--gid",
+        help="For VFIO, specify the GID to set IOMMU group ownership",
+        type=lambda g: grp.getgrnam(g).gr_gid,
+        default=-1,
+    )
     parser.add_argument(
         '--force',
         action='store_true',
@@ -778,6 +811,8 @@ def parse_args():
         b_flag = opt.bind
     elif opt.unbind:
         b_flag = "none"
+    vfio_uid = opt.uid
+    vfio_gid = opt.gid
     args = opt.devices
 
     if not b_flag and not status_flag:
-- 
2.43.5