pkg/pillar: ship igd.rom and use it for Intel iGPU passthrough

Add Intel iGPU passthrough support to the KVM hypervisor:
- Copy igd.rom from eve-uefi to /usr/lib/xen/boot/igd.rom so the
  bundled VfioIgdPkg Option ROM is always available at a fixed path
- Always load igd.rom as the Option ROM for Intel iGPU passthrough;
  if a proprietary GOP ROM exists in /persist/gop/ for the device,
  prefer it (adds IntelGopDriver: UEFI framebuffer + pre-OS display),
  otherwise fall back to the bundled igd.rom (IgdAssignmentDxe only:
  OS display driver works correctly, no pre-OS UEFI framebuffer)
- Place iGPU at guest BDF 00:02.0 on pcie.0 with x-igd-opregion=on
- Move USB root port from addr=0x2 to addr=0x1b to free slot 2

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: rucoder

pkg/pillar/hypervisor/kvm.go

@@ -1472,7 +1472,7 @@ func (f *pciAssignmentsTemplateFiller) do(pciAssignments []pciDevice) error {
 					pciPTContext.Romfile = gopRomPath(devid)
 					if pciPTContext.Romfile == igdRomPath {
 						logrus.Infof("iGPU passthrough: no proprietary GOP ROM in %s for device %s, "+
-							"using bundled VfioIgdPkg ROM (no display output) for domain %s",
+							"using bundled VfioIgdPkg ROM (OS display works; no pre-OS UEFI framebuffer) for domain %s",
 							gopRomDir, devid, f.domainUUID)
 					} else {
 						logrus.Infof("iGPU passthrough: using proprietary GOP ROM %s for domain %s",
@@ -1582,8 +1582,10 @@ const igdRomPath = "/usr/lib/xen/boot/igd.rom"
 
 // gopRomPath returns the path to a proprietary GOP ROM for the given PCI device ID
 // (as read from sysfs, e.g. "0x3ea0") if one exists in gopRomDir, otherwise returns
-// igdRomPath. A proprietary ROM enables physical display output; the bundled ROM
-// enables passthrough without display but with correct ASLS/BDSM for all generations.
+// igdRomPath. A proprietary ROM provides the Intel GOP driver which enables the UEFI
+// framebuffer (pre-OS display: GRUB, bootloader, UEFI shell). The bundled ROM provides
+// only IgdAssignmentDxe: ASLS/BDSM are set correctly so the guest OS display driver
+// works, but there is no display output before the OS driver loads.
 func gopRomPath(devid string) string {
 	name := strings.TrimPrefix(strings.ToLower(strings.TrimSpace(devid)), "0x")
 	for _, filename := range []string{name + ".rom", "0x" + name + ".rom"} {

pkg/xen-tools/Dockerfile

@@ -3,7 +3,7 @@
 # Copyright (c) 2023-2026 Zededa, Inc.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM lfedge/eve-uefi:b3ef9ca37c99439c776673aeba83c52ea8b84626 AS uefi-build
+FROM lfedge/eve-uefi:f34ddf148f2ad94c1a9c669efcd28ceaf3cac685 AS uefi-build
 FROM lfedge/eve-alpine:745ae9066273c73b0fd879c4ba4ff626a8392d04 AS runx-build
 ENV BUILD_PKGS="mkinitfs gcc musl-dev e2fsprogs chrony agetty"
 RUN eve-alpine-deploy.sh

pkg/xen-tools/patches-4.19.0/x86_64/08-Revert__Revert__vfio_pci-quirks_c__Disable_stolen_memory_for_igd_VFIO__.patch

@@ -1,23 +1,25 @@
-From 9eb4883e57224db64588d724d5764cdccb164c7d Mon Sep 17 00:00:00 2001
-From: Petr Fedchenkov <giggsoff@gmail.com>
-Date: Mon, 11 Oct 2021 17:30:15 +0300
-Subject: [PATCH] Revert "Revert "vfio/pci-quirks.c: Disable stolen memory for
- igd VFIO"" and adopts it to the new qemu with moved vfio_probe_igd_bar4_quirk
- into igd.c.
+From 22e1ac33571bbb70740bb181e4729018b6402442 Mon Sep 17 00:00:00 2001
+From: Mikhail Malyshev <mike.malyshev@gmail.com>
+Date: Fri, 27 Mar 2026 23:26:25 +0000
+Subject: [PATCH] vfio/igd: q35 iGPU passthrough support (GMCH/BDSM/bdsm-size)
 
-This reverts commit 93587e3af3a259deac89c12863d93653d69d22b8.
 ---
- tools/qemu-xen/hw/vfio/igd.c | 64 ++++++++++++++++++++++++++++++---------------------
- 1 file changed, 38 insertions(+), 26 deletions(-)
+ hw/vfio/igd.c | 133 ++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 91 insertions(+), 42 deletions(-)
 
 diff --git a/tools/qemu-xen/hw/vfio/igd.c b/tools/qemu-xen/hw/vfio/igd.c
-index 64e332746b..573cd53803 100644
+index d320d032a7..cb37f8ce08 100644
 --- a/tools/qemu-xen/hw/vfio/igd.c
 +++ b/tools/qemu-xen/hw/vfio/igd.c
-@@ -377,14 +377,45 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+@@ -375,19 +375,98 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+     VFIOIGDQuirk *igd;
+     PCIDevice *lpc_bridge;
+     int i, ret, ggms_mb, gms_mb = 0, gen;
+-    uint64_t *bdsm_size;
+     uint32_t gmch;
      uint16_t cmd_orig, cmd;
      Error *err = NULL;
-
+ 
 +    /* This must be an Intel VGA device. */
 +    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
 +        !vfio_is_vga(vdev) || nr != 4 ) {
@@ -29,16 +31,16 @@ index 64e332746b..573cd53803 100644
 -     * consider enabling legacy mode.  The vBIOS has dependencies on the
 -     * PCI bus address.
 +     * IGD is not a standard, they like to change their specs often.  We
-+     * only attempt to support back to SandBridge and we hope that newer
-+     * devices maintain compatibility with generation 8.
++     * support Sandy Bridge (gen 6) through Raptor Lake (gen 12) and assume
++     * future devices maintain compatibility with the gen 8 GMCH layout.
       */
 -    if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
 -        !vfio_is_vga(vdev) || nr != 4 ||
 -        &vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
 +    gen = igd_gen(vdev);
-+    if (gen != 6 && gen != 8) {
-+        error_report("IGD device %s is unsupported by IGD quirks, "
-+                     "try SandyBridge or newer", vdev->vbasedev.name);
++    if (gen < 0) {
++        error_report("IGD device %s has unknown generation, skipping IGD quirks",
++                     vdev->vbasedev.name);
 +        return;
 +    }
 +
@@ -51,6 +53,40 @@ index 64e332746b..573cd53803 100644
 +     * this below.
 +     */
 +    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);
++
++    /*
++     * Write the GMS-based stolen memory size to fw_cfg so that OVMF's
++     * IgdAssignmentDxe can allocate guest stolen memory and set BDSM
++     * (PCI config 0x5C).  We do this before the BDF and LPC bridge checks
++     * so the entry is available on q35 where the legacy-mode path never
++     * runs ("Sorry Q35").
++     *
++     * GMS codes 1-16 map to 32-512 MB (code * 32 MB).
++     */
++    {
++        uint32_t gms = (gmch >> (gen < 8 ? 3 : 8)) & (gen < 8 ? 0x1f : 0xff);
++        uint64_t bdsm_bytes = (uint64_t)gms * 32 * MiB;
++        error_report("IGD bdsm-size: device %04x gen=%d gmch=0x%08x "
++                     "gms=%u bdsm_bytes=%" PRIu64,
++                     vdev->device_id, gen, gmch, gms, bdsm_bytes);
++        if (gms) {
++            FWCfgState *fw_cfg = fw_cfg_find();
++            if (fw_cfg) {
++                uint64_t *bdsm_size = g_malloc(sizeof(*bdsm_size));
++                *bdsm_size = cpu_to_le64(bdsm_bytes);
++                fw_cfg_add_file(fw_cfg, "etc/igd-bdsm-size",
++                                bdsm_size, sizeof(*bdsm_size));
++                error_report("IGD bdsm-size: wrote etc/igd-bdsm-size = %"
++                             PRIu64 " bytes to fw_cfg", bdsm_bytes);
++            } else {
++                error_report("IGD bdsm-size: fw_cfg not found, skipping");
++            }
++        } else {
++            error_report("IGD bdsm-size: gms=0, no stolen memory "
++                         "reported by host GMCH");
++        }
++    }
++
 +    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
 +
 +    /* GMCH is read-only, emulated */
@@ -59,17 +95,32 @@ index 64e332746b..573cd53803 100644
 +    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
 +
 +    /*
++     * BDSM is read-write, emulated.  Initialize to 0 here (before the BDF
++     * and LPC bridge checks) so that:
++     *   1. On q35 ("Sorry Q35"), where the legacy path never runs, OVMF's
++     *      IgdAssignmentDxe sees BDSM=0 and proceeds to allocate guest
++     *      stolen memory, writing the guest PA back here.
++     *   2. The guest driver reads the guest PA written by OVMF, not the
++     *      host PA (which would cause DMA into the wrong guest memory).
++     *   3. IgdAssignmentDxe's idempotency check ("if BDSM != 0, skip")
++     *      is not falsely triggered by the host's physical address.
++     */
++    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
++    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
++    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);
++
++    /*
 +     * This must be at address 00:02.0 for us to even onsider enabling
 +     * legacy mode.  The vBIOS has dependencies on the PCI bus address.
 +     */
 +    if (&vdev->pdev != pci_find_device(pci_device_root_bus(&vdev->pdev),
                                         0, PCI_DEVFN(0x2, 0))) {
          return;
      }
-@@ -403,18 +434,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+@@ -406,18 +485,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
          return;
      }
-
+ 
 -    /*
 -     * IGD is not a standard, they like to change their specs often.  We
 -     * only attempt to support back to SandBridge and we hope that newer
@@ -85,21 +136,21 @@ index 64e332746b..573cd53803 100644
      /*
       * Most of what we're doing here is to enable the ROM to run, so if
       * there's no ROM, there's no point in setting up this quirk.
-@@ -470,8 +489,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
-         goto out;
+@@ -473,8 +540,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+         return;
      }
-
+ 
 -    gmch = vfio_pci_read_config(&vdev->pdev, IGD_GMCH, 4);
 -
      /*
       * If IGD VGA Disable is clear (expected) and VGA is not already enabled,
       * try to enable it.  Probably shouldn't be using legacy mode without VGA,
-@@ -540,12 +557,12 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+@@ -542,12 +607,12 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
       * when IVD (IGD VGA Disable) is clear, but the claim is that it's unused,
       * so let's not waste VM memory for it.
       */
 -    gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
-
+ 
      if (vdev->igd_gms) {
          if (vdev->igd_gms <= 0x10) {
              gms_mb = vdev->igd_gms * 32;
@@ -108,17 +159,38 @@ index 64e332746b..573cd53803 100644
          } else {
              error_report("Unsupported IGD GMS value 0x%x", vdev->igd_gms);
              vdev->igd_gms = 0;
-@@ -565,11 +582,6 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
-     fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
-                     bdsm_size, sizeof(*bdsm_size));
-
+@@ -555,27 +620,11 @@ void vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
+     }
+ 
+     /*
+-     * Request reserved memory for stolen memory via fw_cfg.  VM firmware
+-     * must allocate a 1MB aligned reserved memory region below 4GB with
+-     * the requested size (in bytes) for use by the Intel PCI class VGA
+-     * device at VM address 00:02.0.  The base address of this reserved
+-     * memory region must be written to the device BDSM register at PCI
+-     * config offset 0x5C.
++     * etc/igd-bdsm-size is written before the BDF check (above) so that it
++     * is available on q35 machines where the legacy path never runs.
++     * Do not write it again here to avoid a duplicate fw_cfg key.
++     * BDSM emulation is also set up before the BDF check.
+      */
+-    bdsm_size = g_malloc(sizeof(*bdsm_size));
+-    *bdsm_size = cpu_to_le64((ggms_mb + gms_mb) * MiB);
+-    fw_cfg_add_file(fw_cfg_find(), "etc/igd-bdsm-size",
+-                    bdsm_size, sizeof(*bdsm_size));
+-
 -    /* GMCH is read-only, emulated */
 -    pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
 -    pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
 -    pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
 -
-     /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
-     pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
-     pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
---
-2.30.2
+-    /* BDSM is read-write, emulated.  The BIOS needs to be able to write it */
+-    pci_set_long(vdev->pdev.config + IGD_BDSM, 0);
+-    pci_set_long(vdev->pdev.wmask + IGD_BDSM, ~0);
+-    pci_set_long(vdev->emulated_config_bits + IGD_BDSM, ~0);
+ 
+     /*
+      * This IOBAR gives us access to GTTADR, which allows us to write to
+-- 
+2.43.0
+