Xen has a feature which lets you pass a PCI device through to an unprivileged domain. Only the unprivileged domain has access to this specific PCI device – the privileged domain binds to the PCI device with a dummy drive that stops the dom0 from accessing it as well.

This could be used for passing a SCSI controller or NIC through to one domain, eg. for a file server or FireWall domU.

What you'll need

You'll have to compile in the right PCI backend driver for Xen.

    CONFIG_XEN_PCIDEV_FRONTEND=y (for DomU kernels)
    CONFIG_XEN_PCIDEV_BACKEND=y (for Dom0 kernels)

You'll also need the PCI ID of the device in question, in the xx:xx:x notation displayed by lspci(8). Note that the formatting is important – don't drop or add leading 0's!

For most recent version of Xen (, the PCI backend command line parameters have changed.

Earlier to Linux 2.6.31, it was in some cases required to set the pciback.permissive option – this is for drivers which need to write to registers on the PCI device itself. Apparently some NICs will fail to operate without this, and from what I've read it doesn't hurt to have it enabled regardless. In 2.6.31 and further the option is now pci=resource_alignment=xx:xx:x.

Kernel options

In grub.conf, add something like the following to your module line corresponding to the dom0 kernel (this is for kernels prior to 2.6.31):

pciback.permissive pciback.hide=(03:00.0)

Linux kernel 2.6.31 and further:

pci=resource_alignment=03:00.0 xen-pciback.hide=(03:00.0)

This assumes the device we are passing through has a PCI ID of 03:00.0.

Xen config file

In your Xen config file for the domain, add a line that looks like the following, again assuming a PCI ID of 03:00.0:

pci = ['03:00.0']

Note that if this is a network interface, it will come up in addition to any you specify with your vif config option.

Part of CategoryXen