diff mbox series

[RFC,v3,1/2] iommu: Add capability IOMMU_CAP_VIOMMU

Message ID 20210114013003.297050-2-baolu.lu@linux.intel.com (mailing list archive)
State Not Applicable
Headers show
Series Add platform check for subdevice irq domain | expand

Commit Message

Baolu Lu Jan. 14, 2021, 1:30 a.m. UTC
Some vendor IOMMU drivers are able to declare that it is running in a VM
context. This is very valuable for the features that only want to be
supported on bare metal. Add a capability bit so that it could be used.

Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
---
 drivers/iommu/intel/iommu.c  | 20 ++++++++++++++++++++
 drivers/iommu/virtio-iommu.c |  9 +++++++++
 include/linux/iommu.h        |  1 +
 3 files changed, 30 insertions(+)

Comments

Leon Romanovsky Jan. 14, 2021, 1:26 p.m. UTC | #1
On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
> Some vendor IOMMU drivers are able to declare that it is running in a VM
> context. This is very valuable for the features that only want to be
> supported on bare metal. Add a capability bit so that it could be used.

And how is it used? Who and how will set it?

>
> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
> ---
>  drivers/iommu/intel/iommu.c  | 20 ++++++++++++++++++++
>  drivers/iommu/virtio-iommu.c |  9 +++++++++
>  include/linux/iommu.h        |  1 +
>  3 files changed, 30 insertions(+)
>
> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
> index cb205a04fe4c..8eb022d0e8aa 100644
> --- a/drivers/iommu/intel/iommu.c
> +++ b/drivers/iommu/intel/iommu.c
> @@ -5738,12 +5738,32 @@ static inline bool nested_mode_support(void)
>  	return ret;
>  }
>
> +static inline bool caching_mode_enabled(void)
> +{

Kernel coding style is not in favour of inline functions in *.c files.

> +	struct dmar_drhd_unit *drhd;
> +	struct intel_iommu *iommu;
> +	bool ret = false;
> +
> +	rcu_read_lock();
> +	for_each_active_iommu(iommu, drhd) {
> +		if (cap_caching_mode(iommu->cap)) {
> +			ret = true;
> +			break;
> +		}
> +	}
> +	rcu_read_unlock();
> +
> +	return ret;
> +}
> +
>  static bool intel_iommu_capable(enum iommu_cap cap)
>  {
>  	if (cap == IOMMU_CAP_CACHE_COHERENCY)
>  		return domain_update_iommu_snooping(NULL) == 1;
>  	if (cap == IOMMU_CAP_INTR_REMAP)
>  		return irq_remapping_enabled == 1;
> +	if (cap == IOMMU_CAP_VIOMMU)
> +		return caching_mode_enabled();
>
>  	return false;
>  }
> diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c
> index 2bfdd5734844..719793e103db 100644
> --- a/drivers/iommu/virtio-iommu.c
> +++ b/drivers/iommu/virtio-iommu.c
> @@ -931,7 +931,16 @@ static int viommu_of_xlate(struct device *dev, struct of_phandle_args *args)
>  	return iommu_fwspec_add_ids(dev, args->args, 1);
>  }
>
> +static bool viommu_capable(enum iommu_cap cap)
> +{
> +	if (cap == IOMMU_CAP_VIOMMU)
> +		return true;
> +
> +	return false;
> +}
> +
>  static struct iommu_ops viommu_ops = {
> +	.capable		= viommu_capable,
>  	.domain_alloc		= viommu_domain_alloc,
>  	.domain_free		= viommu_domain_free,
>  	.attach_dev		= viommu_attach_dev,
> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
> index b95a6f8db6ff..1d24be667a03 100644
> --- a/include/linux/iommu.h
> +++ b/include/linux/iommu.h
> @@ -94,6 +94,7 @@ enum iommu_cap {
>  					   transactions */
>  	IOMMU_CAP_INTR_REMAP,		/* IOMMU supports interrupt isolation */
>  	IOMMU_CAP_NOEXEC,		/* IOMMU_NOEXEC flag */
> +	IOMMU_CAP_VIOMMU,		/* IOMMU can declar running in a VM */
>  };
>
>  /*
> --
> 2.25.1
>
Baolu Lu Jan. 14, 2021, 11:49 p.m. UTC | #2
Hi Leon,

On 1/14/21 9:26 PM, Leon Romanovsky wrote:
> On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
>> Some vendor IOMMU drivers are able to declare that it is running in a VM
>> context. This is very valuable for the features that only want to be
>> supported on bare metal. Add a capability bit so that it could be used.
> 
> And how is it used? Who and how will set it?

Use the existing iommu_capable(). I should add more descriptions about
who and how to use it.

> 
>>
>> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
>> ---
>>   drivers/iommu/intel/iommu.c  | 20 ++++++++++++++++++++
>>   drivers/iommu/virtio-iommu.c |  9 +++++++++
>>   include/linux/iommu.h        |  1 +
>>   3 files changed, 30 insertions(+)
>>
>> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
>> index cb205a04fe4c..8eb022d0e8aa 100644
>> --- a/drivers/iommu/intel/iommu.c
>> +++ b/drivers/iommu/intel/iommu.c
>> @@ -5738,12 +5738,32 @@ static inline bool nested_mode_support(void)
>>   	return ret;
>>   }
>>
>> +static inline bool caching_mode_enabled(void)
>> +{
> 
> Kernel coding style is not in favour of inline functions in *.c files.

Yes, agreed.

Best regards,
baolu

> 
>> +	struct dmar_drhd_unit *drhd;
>> +	struct intel_iommu *iommu;
>> +	bool ret = false;
>> +
>> +	rcu_read_lock();
>> +	for_each_active_iommu(iommu, drhd) {
>> +		if (cap_caching_mode(iommu->cap)) {
>> +			ret = true;
>> +			break;
>> +		}
>> +	}
>> +	rcu_read_unlock();
>> +
>> +	return ret;
>> +}
>> +
>>   static bool intel_iommu_capable(enum iommu_cap cap)
>>   {
>>   	if (cap == IOMMU_CAP_CACHE_COHERENCY)
>>   		return domain_update_iommu_snooping(NULL) == 1;
>>   	if (cap == IOMMU_CAP_INTR_REMAP)
>>   		return irq_remapping_enabled == 1;
>> +	if (cap == IOMMU_CAP_VIOMMU)
>> +		return caching_mode_enabled();
>>
>>   	return false;
>>   }
>> diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c
>> index 2bfdd5734844..719793e103db 100644
>> --- a/drivers/iommu/virtio-iommu.c
>> +++ b/drivers/iommu/virtio-iommu.c
>> @@ -931,7 +931,16 @@ static int viommu_of_xlate(struct device *dev, struct of_phandle_args *args)
>>   	return iommu_fwspec_add_ids(dev, args->args, 1);
>>   }
>>
>> +static bool viommu_capable(enum iommu_cap cap)
>> +{
>> +	if (cap == IOMMU_CAP_VIOMMU)
>> +		return true;
>> +
>> +	return false;
>> +}
>> +
>>   static struct iommu_ops viommu_ops = {
>> +	.capable		= viommu_capable,
>>   	.domain_alloc		= viommu_domain_alloc,
>>   	.domain_free		= viommu_domain_free,
>>   	.attach_dev		= viommu_attach_dev,
>> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
>> index b95a6f8db6ff..1d24be667a03 100644
>> --- a/include/linux/iommu.h
>> +++ b/include/linux/iommu.h
>> @@ -94,6 +94,7 @@ enum iommu_cap {
>>   					   transactions */
>>   	IOMMU_CAP_INTR_REMAP,		/* IOMMU supports interrupt isolation */
>>   	IOMMU_CAP_NOEXEC,		/* IOMMU_NOEXEC flag */
>> +	IOMMU_CAP_VIOMMU,		/* IOMMU can declar running in a VM */
>>   };
>>
>>   /*
>> --
>> 2.25.1
>>
Jason Wang Jan. 15, 2021, 4:46 a.m. UTC | #3
On 2021/1/14 上午9:30, Lu Baolu wrote:
> Some vendor IOMMU drivers are able to declare that it is running in a VM
> context. This is very valuable for the features that only want to be
> supported on bare metal. Add a capability bit so that it could be used.
>
> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
> ---
>   drivers/iommu/intel/iommu.c  | 20 ++++++++++++++++++++
>   drivers/iommu/virtio-iommu.c |  9 +++++++++
>   include/linux/iommu.h        |  1 +
>   3 files changed, 30 insertions(+)
>
> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
> index cb205a04fe4c..8eb022d0e8aa 100644
> --- a/drivers/iommu/intel/iommu.c
> +++ b/drivers/iommu/intel/iommu.c
> @@ -5738,12 +5738,32 @@ static inline bool nested_mode_support(void)
>   	return ret;
>   }
>   
> +static inline bool caching_mode_enabled(void)
> +{
> +	struct dmar_drhd_unit *drhd;
> +	struct intel_iommu *iommu;
> +	bool ret = false;
> +
> +	rcu_read_lock();
> +	for_each_active_iommu(iommu, drhd) {
> +		if (cap_caching_mode(iommu->cap)) {
> +			ret = true;
> +			break;
> +		}
> +	}
> +	rcu_read_unlock();
> +
> +	return ret;
> +}
> +
>   static bool intel_iommu_capable(enum iommu_cap cap)
>   {
>   	if (cap == IOMMU_CAP_CACHE_COHERENCY)
>   		return domain_update_iommu_snooping(NULL) == 1;
>   	if (cap == IOMMU_CAP_INTR_REMAP)
>   		return irq_remapping_enabled == 1;
> +	if (cap == IOMMU_CAP_VIOMMU)
> +		return caching_mode_enabled();


This part I don't understand. Does it mean Intel IOMMU can't be used in 
VM without caching mode?

Thanks


>   
>   	return false;
>   }
> diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c
> index 2bfdd5734844..719793e103db 100644
> --- a/drivers/iommu/virtio-iommu.c
> +++ b/drivers/iommu/virtio-iommu.c
> @@ -931,7 +931,16 @@ static int viommu_of_xlate(struct device *dev, struct of_phandle_args *args)
>   	return iommu_fwspec_add_ids(dev, args->args, 1);
>   }
>   
> +static bool viommu_capable(enum iommu_cap cap)
> +{
> +	if (cap == IOMMU_CAP_VIOMMU)
> +		return true;
> +
> +	return false;
> +}
> +
>   static struct iommu_ops viommu_ops = {
> +	.capable		= viommu_capable,
>   	.domain_alloc		= viommu_domain_alloc,
>   	.domain_free		= viommu_domain_free,
>   	.attach_dev		= viommu_attach_dev,
> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
> index b95a6f8db6ff..1d24be667a03 100644
> --- a/include/linux/iommu.h
> +++ b/include/linux/iommu.h
> @@ -94,6 +94,7 @@ enum iommu_cap {
>   					   transactions */
>   	IOMMU_CAP_INTR_REMAP,		/* IOMMU supports interrupt isolation */
>   	IOMMU_CAP_NOEXEC,		/* IOMMU_NOEXEC flag */
> +	IOMMU_CAP_VIOMMU,		/* IOMMU can declar running in a VM */
>   };
>   
>   /*
Leon Romanovsky Jan. 15, 2021, 6:31 a.m. UTC | #4
On Fri, Jan 15, 2021 at 07:49:47AM +0800, Lu Baolu wrote:
> Hi Leon,
>
> On 1/14/21 9:26 PM, Leon Romanovsky wrote:
> > On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
> > > Some vendor IOMMU drivers are able to declare that it is running in a VM
> > > context. This is very valuable for the features that only want to be
> > > supported on bare metal. Add a capability bit so that it could be used.
> >
> > And how is it used? Who and how will set it?
>
> Use the existing iommu_capable(). I should add more descriptions about
> who and how to use it.

I want to see the code that sets this capability.

Thanks
Baolu Lu Jan. 16, 2021, 1:20 a.m. UTC | #5
Hi,

On 2021/1/15 14:31, Leon Romanovsky wrote:
> On Fri, Jan 15, 2021 at 07:49:47AM +0800, Lu Baolu wrote:
>> Hi Leon,
>>
>> On 1/14/21 9:26 PM, Leon Romanovsky wrote:
>>> On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
>>>> Some vendor IOMMU drivers are able to declare that it is running in a VM
>>>> context. This is very valuable for the features that only want to be
>>>> supported on bare metal. Add a capability bit so that it could be used.
>>>
>>> And how is it used? Who and how will set it?
>>
>> Use the existing iommu_capable(). I should add more descriptions about
>> who and how to use it.
> 
> I want to see the code that sets this capability.

Currently we have Intel VT-d and the virt-iommu setting this capability.

  static bool intel_iommu_capable(enum iommu_cap cap)
  {
  	if (cap == IOMMU_CAP_CACHE_COHERENCY)
  		return domain_update_iommu_snooping(NULL) == 1;
  	if (cap == IOMMU_CAP_INTR_REMAP)
  		return irq_remapping_enabled == 1;
+	if (cap == IOMMU_CAP_VIOMMU)
+		return caching_mode_enabled();

  	return false;
  }

And,

+static bool viommu_capable(enum iommu_cap cap)
+{
+	if (cap == IOMMU_CAP_VIOMMU)
+		return true;
+
+	return false;
+}

Best regards,
baolu
Leon Romanovsky Jan. 16, 2021, 8:39 a.m. UTC | #6
On Sat, Jan 16, 2021 at 09:20:16AM +0800, Lu Baolu wrote:
> Hi,
>
> On 2021/1/15 14:31, Leon Romanovsky wrote:
> > On Fri, Jan 15, 2021 at 07:49:47AM +0800, Lu Baolu wrote:
> > > Hi Leon,
> > >
> > > On 1/14/21 9:26 PM, Leon Romanovsky wrote:
> > > > On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
> > > > > Some vendor IOMMU drivers are able to declare that it is running in a VM
> > > > > context. This is very valuable for the features that only want to be
> > > > > supported on bare metal. Add a capability bit so that it could be used.
> > > >
> > > > And how is it used? Who and how will set it?
> > >
> > > Use the existing iommu_capable(). I should add more descriptions about
> > > who and how to use it.
> >
> > I want to see the code that sets this capability.
>
> Currently we have Intel VT-d and the virt-iommu setting this capability.
>
>  static bool intel_iommu_capable(enum iommu_cap cap)
>  {
>  	if (cap == IOMMU_CAP_CACHE_COHERENCY)
>  		return domain_update_iommu_snooping(NULL) == 1;
>  	if (cap == IOMMU_CAP_INTR_REMAP)
>  		return irq_remapping_enabled == 1;
> +	if (cap == IOMMU_CAP_VIOMMU)
> +		return caching_mode_enabled();
>
>  	return false;
>  }
>
> And,
>
> +static bool viommu_capable(enum iommu_cap cap)
> +{
> +	if (cap == IOMMU_CAP_VIOMMU)
> +		return true;
> +
> +	return false;
> +}

These two functions are reading this cap and not setting.
Where can I see code that does "cap = IOMMU_CAP_VIOMMU" and not "=="?

>
> Best regards,
> baolu
Baolu Lu Jan. 16, 2021, 8:47 a.m. UTC | #7
Hi Leon,

On 2021/1/16 16:39, Leon Romanovsky wrote:
> On Sat, Jan 16, 2021 at 09:20:16AM +0800, Lu Baolu wrote:
>> Hi,
>>
>> On 2021/1/15 14:31, Leon Romanovsky wrote:
>>> On Fri, Jan 15, 2021 at 07:49:47AM +0800, Lu Baolu wrote:
>>>> Hi Leon,
>>>>
>>>> On 1/14/21 9:26 PM, Leon Romanovsky wrote:
>>>>> On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
>>>>>> Some vendor IOMMU drivers are able to declare that it is running in a VM
>>>>>> context. This is very valuable for the features that only want to be
>>>>>> supported on bare metal. Add a capability bit so that it could be used.
>>>>>
>>>>> And how is it used? Who and how will set it?
>>>>
>>>> Use the existing iommu_capable(). I should add more descriptions about
>>>> who and how to use it.
>>>
>>> I want to see the code that sets this capability.
>>
>> Currently we have Intel VT-d and the virt-iommu setting this capability.
>>
>>   static bool intel_iommu_capable(enum iommu_cap cap)
>>   {
>>   	if (cap == IOMMU_CAP_CACHE_COHERENCY)
>>   		return domain_update_iommu_snooping(NULL) == 1;
>>   	if (cap == IOMMU_CAP_INTR_REMAP)
>>   		return irq_remapping_enabled == 1;
>> +	if (cap == IOMMU_CAP_VIOMMU)
>> +		return caching_mode_enabled();
>>
>>   	return false;
>>   }
>>
>> And,
>>
>> +static bool viommu_capable(enum iommu_cap cap)
>> +{
>> +	if (cap == IOMMU_CAP_VIOMMU)
>> +		return true;
>> +
>> +	return false;
>> +}
> 
> These two functions are reading this cap and not setting.
> Where can I see code that does "cap = IOMMU_CAP_VIOMMU" and not "=="?

The iommu_capable() is a generic IOMMU interface to query IOMMU
capabilities. It takes @bus and @cap as input, and calls the callback
of vendor iommu. If the vendor iommu driver supports the specific
capability, it returns true. Otherwise, it returns false.

bool iommu_capable(struct bus_type *bus, enum iommu_cap cap)
{
         if (!bus->iommu_ops || !bus->iommu_ops->capable)
                 return false;

         return bus->iommu_ops->capable(cap);
}
EXPORT_SYMBOL_GPL(iommu_capable);

In the vendor iommu's callback, it checks the capability and returns a
value according to its capability, just as showed above.

Best regards,
baolu
Leon Romanovsky Jan. 17, 2021, 5:30 a.m. UTC | #8
On Sat, Jan 16, 2021 at 04:47:40PM +0800, Lu Baolu wrote:
> Hi Leon,
>
> On 2021/1/16 16:39, Leon Romanovsky wrote:
> > On Sat, Jan 16, 2021 at 09:20:16AM +0800, Lu Baolu wrote:
> > > Hi,
> > >
> > > On 2021/1/15 14:31, Leon Romanovsky wrote:
> > > > On Fri, Jan 15, 2021 at 07:49:47AM +0800, Lu Baolu wrote:
> > > > > Hi Leon,
> > > > >
> > > > > On 1/14/21 9:26 PM, Leon Romanovsky wrote:
> > > > > > On Thu, Jan 14, 2021 at 09:30:02AM +0800, Lu Baolu wrote:
> > > > > > > Some vendor IOMMU drivers are able to declare that it is running in a VM
> > > > > > > context. This is very valuable for the features that only want to be
> > > > > > > supported on bare metal. Add a capability bit so that it could be used.
> > > > > >
> > > > > > And how is it used? Who and how will set it?
> > > > >
> > > > > Use the existing iommu_capable(). I should add more descriptions about
> > > > > who and how to use it.
> > > >
> > > > I want to see the code that sets this capability.
> > >
> > > Currently we have Intel VT-d and the virt-iommu setting this capability.
> > >
> > >   static bool intel_iommu_capable(enum iommu_cap cap)
> > >   {
> > >   	if (cap == IOMMU_CAP_CACHE_COHERENCY)
> > >   		return domain_update_iommu_snooping(NULL) == 1;
> > >   	if (cap == IOMMU_CAP_INTR_REMAP)
> > >   		return irq_remapping_enabled == 1;
> > > +	if (cap == IOMMU_CAP_VIOMMU)
> > > +		return caching_mode_enabled();
> > >
> > >   	return false;
> > >   }
> > >
> > > And,
> > >
> > > +static bool viommu_capable(enum iommu_cap cap)
> > > +{
> > > +	if (cap == IOMMU_CAP_VIOMMU)
> > > +		return true;
> > > +
> > > +	return false;
> > > +}
> >
> > These two functions are reading this cap and not setting.
> > Where can I see code that does "cap = IOMMU_CAP_VIOMMU" and not "=="?
>
> The iommu_capable() is a generic IOMMU interface to query IOMMU
> capabilities. It takes @bus and @cap as input, and calls the callback
> of vendor iommu. If the vendor iommu driver supports the specific
> capability, it returns true. Otherwise, it returns false.
>
> bool iommu_capable(struct bus_type *bus, enum iommu_cap cap)
> {
>         if (!bus->iommu_ops || !bus->iommu_ops->capable)
>                 return false;
>
>         return bus->iommu_ops->capable(cap);
> }
> EXPORT_SYMBOL_GPL(iommu_capable);
>
> In the vendor iommu's callback, it checks the capability and returns a
> value according to its capability, just as showed above.

Ohh, sorry.
I missed "iommu_capable(dev->bus, IOMMU_CAP_VIOMMU)" from second patch.

Thanks

>
> Best regards,
> baolu
diff mbox series

Patch

diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index cb205a04fe4c..8eb022d0e8aa 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -5738,12 +5738,32 @@  static inline bool nested_mode_support(void)
 	return ret;
 }
 
+static inline bool caching_mode_enabled(void)
+{
+	struct dmar_drhd_unit *drhd;
+	struct intel_iommu *iommu;
+	bool ret = false;
+
+	rcu_read_lock();
+	for_each_active_iommu(iommu, drhd) {
+		if (cap_caching_mode(iommu->cap)) {
+			ret = true;
+			break;
+		}
+	}
+	rcu_read_unlock();
+
+	return ret;
+}
+
 static bool intel_iommu_capable(enum iommu_cap cap)
 {
 	if (cap == IOMMU_CAP_CACHE_COHERENCY)
 		return domain_update_iommu_snooping(NULL) == 1;
 	if (cap == IOMMU_CAP_INTR_REMAP)
 		return irq_remapping_enabled == 1;
+	if (cap == IOMMU_CAP_VIOMMU)
+		return caching_mode_enabled();
 
 	return false;
 }
diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c
index 2bfdd5734844..719793e103db 100644
--- a/drivers/iommu/virtio-iommu.c
+++ b/drivers/iommu/virtio-iommu.c
@@ -931,7 +931,16 @@  static int viommu_of_xlate(struct device *dev, struct of_phandle_args *args)
 	return iommu_fwspec_add_ids(dev, args->args, 1);
 }
 
+static bool viommu_capable(enum iommu_cap cap)
+{
+	if (cap == IOMMU_CAP_VIOMMU)
+		return true;
+
+	return false;
+}
+
 static struct iommu_ops viommu_ops = {
+	.capable		= viommu_capable,
 	.domain_alloc		= viommu_domain_alloc,
 	.domain_free		= viommu_domain_free,
 	.attach_dev		= viommu_attach_dev,
diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index b95a6f8db6ff..1d24be667a03 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -94,6 +94,7 @@  enum iommu_cap {
 					   transactions */
 	IOMMU_CAP_INTR_REMAP,		/* IOMMU supports interrupt isolation */
 	IOMMU_CAP_NOEXEC,		/* IOMMU_NOEXEC flag */
+	IOMMU_CAP_VIOMMU,		/* IOMMU can declar running in a VM */
 };
 
 /*