pkg/pillar: add Intel iGPU passthrough support to KVM hypervisor

When an Intel iGPU (vendor 0x8086, class 0x03xx) is in the vfio-pci
passthrough list:

- Place the iGPU at guest BDF 00:02.0 (required for VBIOS/GOP ROM)
- Enable x-igd-opregion=on for OpRegion/VBT passthrough via fw_cfg
- Load igd.rom as the Option ROM (IgdAssignmentDxe sets ASLS/BDSM)
- Move USB root port from slot 0x2 to 0x1b to free the iGPU slot
- Support optional proprietary GOP ROMs for UEFI framebuffer

Update eve-uefi reference to pick up edk2-stable202508.01 and igd.rom.

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>

Author: rucoder

pkg/pillar/Dockerfile

@@ -10,7 +10,7 @@ ARG BUILD_PKGS_BASE="git gcc linux-headers libc-dev make linux-pam-dev m4 findut
 # we use the same image in several places
 ARG EVE_ALPINE_IMAGE=lfedge/eve-alpine:745ae9066273c73b0fd879c4ba4ff626a8392d04
 
-FROM lfedge/eve-uefi:b3ef9ca37c99439c776673aeba83c52ea8b84626 AS uefi-build
+FROM lfedge/eve-uefi:417cf0c3acf434fb0f775e8a588ae7b6e3523d6d AS uefi-build
 FROM lfedge/eve-dom0-ztools:d19fc83dfbd01562eba914a83d571f7315429052 AS zfs
 RUN mkdir /out
 # copy zfs-related files from dom0-ztools using prepared list of files
@@ -167,7 +167,6 @@ WORKDIR /
 
 RUN mkdir -p /out/usr/lib/xen/boot
 COPY --from=uefi-build /OVMF_VARS.fd /out/usr/lib/xen/boot/OVMF_VARS.fd
-
 COPY --from=zfs /out /out
 COPY --from=fscrypt /opt/zededa/bin /out/opt/zededa/bin
 COPY --from=gpttools / /out

pkg/pillar/hypervisor/kvm.go

@@ -274,12 +274,21 @@ const qemuGlobalConfTemplate = `# This file is automatically generated by domain
   driver = "virtio-gpu-pci"
 {{- end }}
 {{- end }}
+{{- if .HasIntelIGPU }}
+[device "pci.2"]
+  driver = "pcie-root-port"
+  port = "12"
+  chassis = "2"
+  bus = "pcie.0"
+  addr = "0x1b"
+{{- else }}
 [device "pci.2"]
   driver = "pcie-root-port"
   port = "12"
   chassis = "2"
   bus = "pcie.0"
   addr = "0x2"
+{{- end }}
 
 [device "usb"]
   driver = "qemu-xhci"
@@ -434,6 +443,9 @@ const qemuPCIPassthruTemplate = `
 {{- if .Xopregion }}
   x-igd-opregion = "on"
 {{- end}}
+{{- if .Romfile }}
+  romfile = "{{.Romfile}}"
+{{- end}}
 `
 
 const qemuSerialTemplate = `
@@ -492,12 +504,13 @@ const qemuSwtpmTemplate = `
   tpmdev = "tpm0"
 `
 
-// Context for qemuGlobalConfTemplate.
+// Context for qemuGlobalConfContext.
 type tQemuGlobalConfContext struct {
 	Machine                string
 	VirtualizationMode     string
 	BootLoaderSettingsFile string
 	BootOrder              string // Boot order: "usb" (prioritize USB), "nousb" (deprioritize USB), or "" (default)
+	HasIntelIGPU           bool   // true when Intel iGPU is in the passthrough list; moves USB root port to slot 0x1b
 	types.DomainConfig
 	types.DomainStatus
 }
@@ -513,6 +526,7 @@ type tQemuPCIPassthruContext struct {
 	PciShortAddr string
 	Xvga         bool
 	Xopregion    bool
+	Romfile      string // non-empty path to GOP ROM (e.g. /persist/gop/3ea0.rom); omitted if empty
 	Bus          string
 	Addr         string
 }
@@ -1420,6 +1434,7 @@ func multifunctionDevGroup(pcis []pciDevice) multifunctionDevs {
 type pciAssignmentsTemplateFiller struct {
 	multifunctionDevices multifunctionDevs
 	file                 io.Writer
+	domainUUID           string
 }
 
 func (f *pciAssignmentsTemplateFiller) pciEBridge(pciID int, pciWOFunction string) error {
@@ -1443,17 +1458,48 @@ func (f *pciAssignmentsTemplateFiller) do(pciAssignments []pciDevice) error {
 			Xvga:         pa.isVGA(),
 			Xopregion:    false,
 		}
-		if vendor, err := pa.vid(); err == nil {
-			// check for Intel vendor
-			if vendor == "0x8086" {
-				if pciPTContext.Xvga {
-					// we set opregion for Intel vga
-					// https://github.com/qemu/qemu/blob/stable-5.0/docs/igd-assign.txt#L91-L96
-					pciPTContext.Xopregion = true
+
+		isIntelIGPU := false
+		if vendor, err := pa.vid(); err == nil && vendor == "0x8086" {
+			if pciPTContext.Xvga {
+				// Enable OpRegion passthrough for Intel iGPU — writes etc/igd-opregion to fw_cfg.
+				// https://github.com/qemu/qemu/blob/stable-5.0/docs/igd-assign.txt#L91-L96
+				pciPTContext.Xopregion = true
+				isIntelIGPU = true
+				logrus.Infof("iGPU passthrough: detected Intel GPU at host PCI %s for domain %s",
+					pa.ioBundle.PciLong, f.domainUUID)
+				if devid, err := pa.devid(); err == nil {
+					pciPTContext.Romfile = gopRomPath(devid)
+					if pciPTContext.Romfile == igdRomPath {
+						logrus.Infof("iGPU passthrough: no proprietary GOP ROM in %s for device %s, "+
+							"using bundled VfioIgdPkg ROM (OS display works; no pre-OS UEFI framebuffer) for domain %s",
+							gopRomDir, devid, f.domainUUID)
+					} else {
+						logrus.Infof("iGPU passthrough: using proprietary GOP ROM %s for domain %s",
+							pciPTContext.Romfile, f.domainUUID)
+					}
+				} else {
+					logrus.Warnf("iGPU passthrough: could not read device ID for %s (domain %s): %v",
+						pa.ioBundle.PciLong, f.domainUUID, err)
+					pciPTContext.Romfile = igdRomPath
 				}
 			}
 		}
 
+		if isIntelIGPU {
+			// Intel iGPU must appear at guest BDF 00:02.0 for VBIOS/GOP ROM initialization.
+			// Place directly on the root bus — no pcie-root-port wrapper.
+			// The USB root port was moved from 0x2 to 0x1b in qemuGlobalConfTemplate.
+			logrus.Infof("iGPU passthrough: placing device %s at guest BDF 00:02.0 for domain %s",
+				pa.ioBundle.PciLong, f.domainUUID)
+			pciPTContext.Bus = "pcie.0"
+			pciPTContext.Addr = "0x2"
+			if err := tQemuPCIPassthru.Execute(f.file, pciPTContext); err != nil {
+				return logError("can't write iGPU passthrough to config file (%v)", err)
+			}
+			continue
+		}
+
 		pciLongWoFunc, err := pa.pciLongWOFunction()
 		if err != nil {
 			logrus.Warnf("retrieving pci address without function failed: %v", err)
@@ -1524,6 +1570,55 @@ func (f *virtNetworkTemplateFiller) do(virtualNetworks []virtualNetwork,
 	return nil
 }
 
+// gopRomDir is where proprietary Intel GOP Option ROMs can be placed for display output.
+// ROMs are named by PCI device ID, e.g. /persist/gop/3ea0.rom for device 0x3ea0.
+// The 0x-prefixed form (0x3ea0.rom) is also accepted as a fallback.
+const gopRomDir = "/persist/gop"
+
+// igdRomPath is the bundled open-source IGD Option ROM built from VfioIgdPkg.
+// It provides IgdAssignmentDxe which sets ASLS and BDSM (including Gen11+ 64-bit
+// BDSM at PCI config 0xC0) without requiring a proprietary Intel GOP driver.
+const igdRomPath = "/usr/lib/xen/boot/igd.rom"
+
+// gopRomPath returns the path to a proprietary GOP ROM for the given PCI device ID
+// (as read from sysfs, e.g. "0x3ea0") if one exists in gopRomDir, otherwise returns
+// igdRomPath. A proprietary ROM provides the Intel GOP driver which enables the UEFI
+// framebuffer (pre-OS display: GRUB, bootloader, UEFI shell). The bundled ROM provides
+// only IgdAssignmentDxe: ASLS/BDSM are set correctly so the guest OS display driver
+// works, but there is no display output before the OS driver loads.
+func gopRomPath(devid string) string {
+	name := strings.TrimPrefix(strings.ToLower(strings.TrimSpace(devid)), "0x")
+	for _, filename := range []string{name + ".rom", "0x" + name + ".rom"} {
+		path := filepath.Join(gopRomDir, filename)
+		if _, err := os.Stat(path); err == nil {
+			return path
+		}
+	}
+	return igdRomPath
+}
+
+// detectIntelIGPU returns true if any adapter in the passthrough list is an Intel VGA device.
+func detectIntelIGPU(adapters []types.IoAdapter, aa *types.AssignableAdapters) bool {
+	if aa == nil {
+		return false
+	}
+	for _, adapter := range adapters {
+		for _, ib := range aa.LookupIoBundleAny(adapter.Name) {
+			if ib == nil || ib.PciLong == "" || ib.UsbAddr != "" {
+				continue
+			}
+			dev := pciDevice{ioBundle: *ib}
+			if !dev.isVGA() {
+				continue
+			}
+			if vendor, err := dev.vid(); err == nil && vendor == "0x8086" {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // CreateDomConfig creates a domain config (a qemu config file,
 // typically named something like xen-%d.cfg)
 func (ctx KvmContext) CreateDomConfig(domainName string,
@@ -1548,12 +1643,14 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 	//   4. Default (BOOT_ORDER_UNSPECIFIED) - no boot order modification
 	// By the time we get here, config.BootOrder has the final resolved value.
 	bootOrder := bootOrderToFwCfgString(config.BootOrder)
+	hasIntelIGPU := detectIntelIGPU(config.IoAdapterList, aa)
 
 	qemuConfContext := tQemuGlobalConfContext{
 		Machine:                ctx.devicemodel,
 		VirtualizationMode:     virtualizationMode,
 		BootLoaderSettingsFile: bootLoaderSettingsFile,
 		BootOrder:              bootOrder,
+		HasIntelIGPU:           hasIntelIGPU,
 		DomainConfig:           config,
 		DomainStatus:           status,
 	}
@@ -1702,6 +1799,7 @@ func (ctx KvmContext) CreateDomConfig(domainName string,
 	pciAssignmentsFiller := pciAssignmentsTemplateFiller{
 		multifunctionDevices: multifunctionDevices,
 		file:                 file,
+		domainUUID:           config.UUIDandVersion.UUID.String(),
 	}
 	err = pciAssignmentsFiller.do(pciAssignments)
 	if err != nil {