On Fri, May 16, 2025 at 02:19:45PM +0800, Xu Yilun wrote:

...

I don't know why you'd disable a viommu while the VM is running, doesn't make sense.

Here it means remove the CC setup for viommu, shared setup is still kept.

That might makes sense for the vPCI function, but not the vIOMMU. A secure VIOMMU needs to be running at all times while the guest is running. Perhaps it has no devices it can be used with, but it's functionality has to be there because a driver in the VM will be connected to it.

At most "bind" should only tell the already existing secure vIOMMU that it is allowed to translate for a specific vPCI function.

Jason