GPU passthrough with libvirt qemu kvm

GPU passthrough is a technology that allows the Linux kernel to Article description::directly present an internal PCI GPU to a virtual machine.

The device acts as if it were directly driven by the VM, and the VM detects the PCI device as if it were physically connected. GPU passthrough is also often known as IOMMU, although this is a bit of a misnomer, since the IOMMU is the hardware technology that provides this feature but also provides other features such as some protection from DMA attacks or ability to address 64-bit memory spaces with 32-bit addresses.

As you can imagine, the most common application for GPU passthrough at least gaming, since GPU passthrough allows a VM direct access to the graphics card with the end result of being able to play games with nearly the same performance as if you were running the game directly on the computer.

QEMU (Quick EMUlator) is a generic, open source hardware emulator and virtualization suite.

BIOS and UEFI firmware
In order to utilize KVM either VT-x or AMD-V must be supported by the processor. VT-x or AMD-V are Intel and AMD's respective technologies for permitting multiple operating systems to concurrently execute operations on the processors.

To inspect hardware for visualization support issue the following command:

For a period manufacturers were shipping with virtualization turned off by default in the system BIOS

Hardware

 * A CPU that supports Intel VT-d or AMD-Vi. Check List of compatible Intel CPUs (Intel VT-x and Intel VT-d).
 * A motherboard that supports the aforementioned technologies. To find this out, check in your motherboard's BIOS configuration for an option to enable IOMMU or something similar. Chances are that your motherboard will support it if it's from 2013 or newer, but make sure to check since this is a niche technology and some manufacturers may save costs by axing it from their motherboards or delivering a defective implementation (such as Gigabyte's 2015-2016 series) simply because NORPs never use it.
 * At least two GPUs: one for your physical OS, another for your VM. (You can in theory run your computer headless through SSH or a serial console, but it might not work and you risk locking yourself away from your computer if you do so).
 * Optional but recommended: Additional monitor, keyboard and mouse.

EFI configuration
Go into BIOS (EFI) settings and turn on VT-d and IOMMU support.

IOMMU
IOMMU – or input–output memory management unit – is a memory management unit (MMU) that connects a direct-memory-access–capable (DMA-capable) I/O bus to the main memory. The IOMMU maps a device-visible virtual address ( I/O virtual address or IOVA) to a physical memory address. In other words, it translates the IOVA into a real physical address.

In an ideal world, every device has its own IOVA address space and no two devices share the same IOVA. But in practice this is often not the case. Moreover, the PCI-Express (PCIe) specifications allow PCIe devices to communicate with each other directly, called peer-to-peer transactions, thereby escaping the IOMMU.

That is where PCI Access Control Services (ACS) are called to the rescue. ACS is able to tell whether or not these peer-to-peer transactions are possible between any two or more devices, and can disable them. ACS features are implemented within the CPU and the chipset.

Unfortunately the implementation of ACS varies greatly between different CPU or chip-set models.

IOMMU kernel configuration
To enable IOMMU support in kernel:

Re-build the kernel.

GRUB bootloader
When using GRUB as the secondary bootloader, IOMMU will need to be enabled by modifying kernel's commandline parameters. Edit the file and add the following values to the GRUB_CMDLINE_LINUX variable:

Apply changes:

Verify IOMMU has been enabled and is operational:

IOMMU groups
Passing through PCI or VGA devices requires you to pass through all devices within an IOMMU group. The exception to this rule are PCI root devices that reside in the same IOMMU group with the device(s) we want to pass through. These root devices cannot be passed through as they often perform important tasks for the host. A number of (Intel) CPUs, usually consumer-grade CPUs with integrated graphics (IGD), share a root device in the same IOMMU group as the first PCIe 16x slot.

Nvidia in IOMMU Group 13 and AMD Video Card in IOMMU group 15 and 16. Everything looks fine. But if you have buggy IOMMU support and all devices within one IOMMU group, hardware can't guarantee good device isolation. Unfortunately, it is not possible to fix that. The only workaround - use ACS override patch witch ignore IOMMU hardware check. See ACS override patch.

ACS override patch
Next re-emerge the kernel

VFIO
Kernel drivers:

Search for VGA card IDs. Run:

Add VGA PCI IDs to VFIO

Windows
Create Windows 10 as usual via libvirt manager. Edit virtual image, click Add Hardware, select AMD Ati Vega 64 and AMD Ati device. Click Apply.

Now start the Windows 10 guest OS.

AMD cards have 2 devices on PCIe bus -> one video output and another is HDMI output. Windows drivers works only if KVM will bypass to Windows both AMD devices.

Fixed Vega 56/64 reset bug
AMD Vega 56/64 is unable to initialize itself after Guest host shutdown/reboot, because drivers left card in "garbage" state. As workaround of this bug, VFIO should load AMD card ROM at guest startup. To do that:

In my case: 14. Add path to vga rom  So, it should be:
 * 1) Install clear Windows 10 somewhere (not in libvirt. A BARE METAL Windows 10 installation.)
 * 2) Install all latest Windows 10 updates.
 * 3) Install AMD vga drivers.
 * 4) Reboot.
 * 5) Go again to the bare metal Windows 10 installation.
 * 6) Install GPU-Z.
 * 7) In GPU-Z in main tab, near BIOS version will be small button "Save ROM". Click it and save the ROM somewhere. This ROM will be needed for Gentoo and libvirt. For example, for a Vega64 the ROM can be saved as
 * 8) Reboot into Gentoo.
 * 9) Copy to  the ROM file (for this example it is )
 * 10) Go to
 * 11) Edit the xml file with description of the Windows 10 guest.
 * 12) Find section with AMD Video Card device (not AMD HDMI. You can always re-check with )
 * 1) Find section with AMD Video Card device (not AMD HDMI. You can always re-check with )

Fixed Navi reset bug
AMD Navi 10 series GPUs require a vendor specific reset procedure. According to AMD a PSP mode 2 reset should be enough however at this time the details of how to perform this are not available.

Instead kernel can signal the SMU to enter and exit BACO which has the same desired effect.

To apply workaround (for kernel 4.19.72. For newer kernel replace number 4.19.72 with newer kernel):


 * 1) Download patchset https://github.com/feniksa/gentoo_ACS_override_patch/blob/master/sys-kernel/gentoo-sources-4.19.72/navi_reset.patch
 * 2) Put patchset into: /etc/portage/patches/sys-kernel/gentoo-sources-4.19.72
 * 3) Re-emerge gentoo-sources package:
 * 4) Re-compile the kernel

Applied patchset contain custom logic for reset GPU.

Sound
Change the home directory for the user:

QEMU
In case you want to use QEMU directly, here are some configurations to get you started. In general, as a typical QEMU call will usually require many command-line flags, it is typically advised to place the QEMU call in a bash script and to run it that way. Don't forget to make the script file executable!

Minimal
This minimal configuration will simply boot into the bios - there aren't any drives connected so there is nothing else for QEMU to do. However, this allows us to verify that the GPU passthrough is actually working.

Here's an explanation of each line:


 * 1)   stops qemu from creating some default devices. Specifically, it creates a VGA device by default, which interferes with our attempt to pass through the video card (if you have a multi-video card host this may not be an issue for you)
 * 2)   enables acceleration
 * 3)   this makes the virtual machine match the CPU architecture of the host. Not really sure what `kvm=off` does...
 * 4)   give the guest 8 gigabytes of RAM
 * 5)   I guess it just gives the virtual machine a name
 * 6)   how many cores the guest should have. I'm matching the host.
 * 7)   a dedicate root port other than pcie.0 is required by amd gpu for windows driver
 * 8)   add a device using vfio-pci kernel module, from the host's address "09:00.0"
 * 9)   video must on .0 and audio on .1 while both video and audio must be on the same pci-root-port other than pcie.0
 * 10)   this is an option for the vfio-pci module (I think)
 * 11)   since our card is doing both audio and video, it needs multifunction (I think...)
 * 12)   due to known issues on NVIDIA cards, it may be necessary to use a modified vbios. This is how you make qemu use that modified vbios.
 * 13)   just like above - this is the audio device that is in the same IOMMU group as the video device.
 * 14)   this will drop you into a qemu "command line" (they call it a monitor) once you launch the VM, allowing you to do things.
 * 15)   this is probably redundant since we did "nodefaults"

As noted above, there are certain known issues with NVIDIA drivers. I used this tool to patch my vbios, after first downloading my vbios in windows 10 using this gpuz tool.

Linux Guest
Here is a slightly more complicated qemu call, that actually loads a Gentoo VM.

Here is an explanation of the new configuration options:


 * 1)   despite the patched vbios, the NVIDIA driver still recognized that it is being run in a virtual machine and refuses to load. This "spoofs" the vendor id (somewhere) and tricks the driver
 * 2)   boot the hard drive first
 * 3)   this is a drive that is emulated in the VM. The "Gentoo_VM.img" file is a qcow QEMU-style virtual drive file.
 * 4)   actually, I can't remember why I put this in there....
 * 5)   create a Ethernet in the guest vm
 * 6)   forwards the ports from host 50000 and 50001 to the guest ports 22 and 5900. Now, from the host, you can ssh into the guest using `ssh -p 50000 myuser@127.0.0.1`, and if you have a vnc server running in the guest on port 5900, you can access it using port 50001 in the host
 * 7)   this may not be needed if you have a dedicated graphics card for the guest
 * 8)   emulate a USB device on the guest
 * 9)   these two lines forward the keyboard and mouse from the host to the guest. The vendorid and productid can be found using  in the host.

Please note that without the `hv_vendor_id` portion, you can boot in and use the console in the guest with the forwarded graphics card. But whenever you launch X, which initialized the proprietary NVIDIA driver, it will fail.

Here is a little variation of the above qemu script for Gentoo host and Gentoo guest. It uses separate CPUs for the guest. Works on a notebook with Ryzen CPU, where the 2nd NVIDIA GPU is passed through to the guest. The guest runs the NVIDIA driver. Installation is performed according to the Gentoo installation guide using UEFI and a GPT partition table. It uses no custom ROMs.

The kernel of the Gentoo host has been build with. The NVIDIA GPU has been bound to vfio-pci with on the host:

This way the internal graphic of the Ryzen processor shows the host on the laptop display, Gentoo guest is displayed on the monitor connected to the HDMI of the NVIDIA graphic. To get sound in the VM, i have to replug the HDMI cable after the VM has booted. Maybe this issue is related to the HDMI cable or the external monitor.

External resources

 * https://heiko-sieger.info/iommu-groups-what-you-need-to-consider/#What_is_IOMMU_and_why_do_I_need_it
 * https://wiki.installgentoo.com/index.php/PCI_passthrough - PCI passthrough on gentoo
 * https://www.reddit.com/r/VFIO/comments/ahg1ta/bsod_when_launching_gpuz/
 * https://forum.level1techs.com/t/navi-reset-kernel-patch/147547
 * https://forum.level1techs.com/t/linux-host-windows-guest-gpu-passthrough-reinitialization-fix/121097?source_topic_id=121737 - AMD GPU on windows guest
 * https://www.reddit.com/r/VFIO/comments/baa8e3/issue_unable_to_power_on_device_stuck_in_d3/