Closed tomzawadzki closed 3 months ago
For virtual NVMe (nvmf/vfio-user), SPDK mapping the memory of all VMs can be a security problem. Having an individual SPDK process per VM solves the security problem but that SPDK process has to run in interrupt mode. A middle ground could be to have a single, dedicated SPDK process do the polling and notify the per-VM SPDK process to do the processing. The single, dedicated SPDK process only has to map the doorbells of all vNVMe devices. This way each doorbell read/write won't result in a VM_EXIT.
[30min]
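
A minimal sketch of the split proposed above, added here as an illustration and not SPDK code: the dedicated poller holds only each device's doorbell page and a notification fd, and wakes the per-VM process when a doorbell changes. The names `struct vnvme_db`, `poll_doorbells` and `drain_notifications`, the fixed queue count, and the choice of a Linux eventfd as the notification channel are assumptions.

```c
#include <stdint.h>
#include <unistd.h>
#include <sys/eventfd.h>

#define NUM_QUEUES 4            /* assumption: SQ tail doorbells per device */

/* Hypothetical poller-side view of one vNVMe device: only the shared
 * doorbell page and a notification fd. No guest data memory is mapped. */
struct vnvme_db {
    volatile uint32_t *sq_tail;      /* doorbell page shared with the guest */
    uint32_t shadow[NUM_QUEUES];     /* last value the poller observed */
    int notify_fd;                   /* eventfd the per-VM process waits on */
};

/* One pass of the dedicated poller: returns how many devices were notified. */
int poll_doorbells(struct vnvme_db *devs, int ndevs)
{
    int notified = 0;
    for (int d = 0; d < ndevs; d++) {
        int changed = 0;
        for (int q = 0; q < NUM_QUEUES; q++) {
            uint32_t v = devs[d].sq_tail[q];
            if (v != devs[d].shadow[q]) {
                devs[d].shadow[q] = v;
                changed = 1;
            }
        }
        if (changed) {
            /* Wake the per-VM process; it alone maps that VM's memory
             * and does the actual queue processing. */
            uint64_t one = 1;
            if (write(devs[d].notify_fd, &one, sizeof(one)) == sizeof(one))
                notified++;
        }
    }
    return notified;
}

/* Per-VM side: drain the eventfd; returns pending wakeups, 0 if none. */
uint64_t drain_notifications(int notify_fd)
{
    uint64_t count = 0;
    if (read(notify_fd, &count, sizeof(count)) != sizeof(count))
        return 0;
    return count;
}
```

The poller never dereferences anything but the doorbell words, so a compromise of the poller exposes queue indices rather than guest data.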