Proxmox PCI Passthrough Checklist: 12 Things to Verify Before You Blame VFIO

PCI passthrough failures rarely announce themselves with dignity. They show up as a VM that boots to a black screen, a NIC that vanishes under load, or a host that hard-freezes right when you demo it. Then everyone points at VFIO like it’s the villain in a Saturday morning cartoon.

Most of the time, VFIO is doing its job: refusing to do something unsafe or impossible. Your real enemy is usually one of twelve boring prerequisites—firmware toggles, IOMMU grouping, reset behavior, interrupt routing, or that “temporary” kernel parameter you forgot you added three months ago.

Fast diagnosis playbook

If you’re on-call, you don’t start with philosophy. You start with a triage loop that answers three questions: (1) did IOMMU actually come up, (2) is the device isolated, and (3) can it be reset cleanly between VM starts?

First: confirm the platform is capable and IOMMU is enabled

• BIOS/UEFI toggles: Intel VT-d or AMD-Vi, and ideally “Above 4G decoding” for modern GPUs and HBAs.
• Kernel sees IOMMU: check dmesg for DMAR/AMD-Vi lines.

Second: confirm IOMMU group isolation is sane

• List IOMMU groups and ensure the device isn’t glued to your SATA controller, USB controller, or chipset root port you can’t sacrifice.
• If you’re relying on ACS override, treat it as a last resort and a security trade-off, not a “fix”.

Third: confirm VFIO binding and reset behavior

• Ensure the device binds to vfio-pci on the host and not a vendor driver.
• Check for FLR support and reset quirks (especially GPUs).

Then: check the VM side (machine type, UEFI/OVMF, ROM quirks)

• Pick a stable QEMU machine type, and don’t mix SeaBIOS-era habits with OVMF-era devices.
• If it’s a GPU, decide early if you need a dumped VBIOS and whether you need to pass the audio function too.

That order sounds obvious until you’ve watched someone spend two hours tweaking QEMU args when the BIOS had VT-d disabled. Which brings me to the only law of passthrough: it punishes assumption with interest.

Quick facts and context (so you stop guessing)

• Fact 1: Intel’s IOMMU marketing name is VT-d; AMD’s is AMD-Vi. They solve the same class of problems: DMA isolation and remapping.
• Fact 2: VFIO wasn’t always the default approach. The older pci-stub method existed, but VFIO brought a cleaner, safer framework for device assignment in Linux.
• Fact 3: IOMMU groups aren’t “a Linux thing.” They’re a hardware/topology reality surfaced by ACPI and PCIe capabilities. Linux is just the messenger.
• Fact 4: ACS (Access Control Services) is a PCIe feature that can improve isolation. Many consumer boards implement it partially or creatively—often the kind of “creative” you don’t want in production.
• Fact 5: “Above 4G decoding” matters because large BARs (Base Address Registers) on GPUs and modern devices can’t fit cleanly in legacy 32-bit address space.
• Fact 6: GPU reset issues are not folklore. Some GPUs don’t fully reset without a Function Level Reset (FLR) or vendor-specific behavior, and the host may not be able to reinitialize them after a VM shutdown.
• Fact 7: SR-IOV didn’t show up to make your life simpler. It exists to split a physical PCIe function into virtual functions, but it multiplies the ways you can misconfigure firmware, drivers, and isolation.
• Fact 8: MSI/MSI-X interrupts were a big performance and stability upgrade over legacy line-based interrupts—and a source of pain when interrupt remapping isn’t enabled properly.
• Fact 9: Proxmox is “just Debian with opinions,” which is good news: most debugging is standard Linux debugging once you stop treating the UI as magic.

One quote I keep taped to my mental dashboard: paraphrased idea — W. Edwards Deming, about improving systems by improving the process, not shouting at outcomes. In passthrough land, your “process” is the verification loop below.

Checklist / step-by-step plan (12+ verifications with commands)

This is the part where you stop “trying stuff” and start collecting evidence. Each task includes: a command, what the output means, and the decision you make.

1) Identify the exact PCI devices and functions you want to pass through

cr0x@server:~$ lspci -nn
00:00.0 Host bridge [0600]: Intel Corporation Device [8086:3e0f]
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation TU104 [GeForce RTX 2080] [10de:1e87]
01:00.1 Audio device [0403]: NVIDIA Corporation TU104 HD Audio Controller [10de:10f8]
03:00.0 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521]

What it means: You need the BDF (bus:device.function) and the vendor:device IDs. GPUs often have multiple functions (VGA + audio). NICs may have multiple ports/functions too.

Decision: Write down the full set of functions you must pass together. If you pass 01:00.0 but forget 01:00.1, you’ll get weirdness later and blame QEMU for your bookkeeping.

2) Verify CPU virtualization flags (don’t skip this because “it’s a server”)

cr0x@server:~$ lscpu | egrep -i 'Virtualization|Flags'
Virtualization:                  VT-x
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid

What it means: VT-x/AMD-V is for running VMs; it’s not VT-d/AMD-Vi. Still, if this is missing, you’re debugging the wrong feature set.

Decision: If virtualization is missing, stop. Fix BIOS/UEFI first. If this is a rented box, confirm you’re not on a virtualization-hostile SKU.

3) Confirm IOMMU is enabled in firmware and actually active in Linux

cr0x@server:~$ dmesg | egrep -i 'DMAR|IOMMU|AMD-Vi' | head -n 30
[    0.000000] DMAR: IOMMU enabled
[    0.000000] DMAR: Host address width 39
[    0.084123] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.084129] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c90780106f0462 ecap f020de
[    0.251990] DMAR: Intel(R) Virtualization Technology for Directed I/O

What it means: You want “IOMMU enabled” and you want it early in boot. If you see errors about interrupt remapping or “no IOMMU found,” you’re not doing passthrough today.

Decision: If IOMMU isn’t enabled, verify BIOS toggles (VT-d/AMD-Vi) and check kernel cmdline parameters next.

4) Verify kernel command line parameters are correct (and not self-sabotaging)

cr0x@server:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.8.12-5-pve root=ZFS=rpool/ROOT/pve-1 ro quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction

What it means: intel_iommu=on (or amd_iommu=on) enables IOMMU. iommu=pt uses passthrough mode for host devices for performance; it’s common and usually fine.

Decision: If you see intel_iommu=off or no IOMMU parameters and dmesg is quiet, fix GRUB/systemd-boot config and reboot. If you see pcie_acs_override, treat it as “we are bending the rules.”

5) Confirm interrupt remapping is enabled (stability under load lives here)

cr0x@server:~$ dmesg | egrep -i 'remapping|x2apic|irq' | head -n 50
[    0.000000] DMAR-IR: Enabled IRQ remapping in x2apic mode
[    0.000000] x2apic enabled

What it means: IRQ remapping is a safety and correctness feature. Without it, some devices and MSI interrupts can behave like a haunted house under load.

Decision: If IRQ remapping isn’t enabled, re-check BIOS for “Interrupt Remapping” or related virtualization features. On some platforms, outdated BIOS is the culprit.

6) Inspect IOMMU groups (this decides what you can safely pass)

cr0x@server:~$ for d in /sys/kernel/iommu_groups/*/devices/*; do echo "IOMMU Group ${d#*/iommu_groups/*}: $(lspci -nns ${d##*/})"; done | sort -V | sed -n '1,30p'
IOMMU Group 0: 00:00.0 Host bridge [0600]: Intel Corporation Device [8086:3e0f]
IOMMU Group 1: 00:01.0 PCI bridge [0604]: Intel Corporation Device [8086:1901]
IOMMU Group 12: 01:00.0 VGA compatible controller [0300]: NVIDIA Corporation TU104 [GeForce RTX 2080] [10de:1e87]
IOMMU Group 12: 01:00.1 Audio device [0403]: NVIDIA Corporation TU104 HD Audio Controller [10de:10f8]
IOMMU Group 13: 03:00.0 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521]

What it means: Devices in the same group can DMA into each other unless the platform provides proper isolation. If your GPU shares a group with a USB controller you need for the host, you’re stuck or you’re about to do something risky.

Decision: If grouping is clean, proceed. If grouping is messy, consider moving the device to another slot, changing bifurcation settings, updating BIOS, or—only if you accept the trade-off—using ACS override.

7) Verify the device supports reset (FLR) or note that it doesn’t

cr0x@server:~$ lspci -s 01:00.0 -vv | egrep -i 'Capabilities:.*Express|FLR|Reset' -n
12:Capabilities: [60] Express (v2) Endpoint, MSI 00
55:    DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis- FLR+

What it means: FLR+ suggests Function Level Reset support. It’s not a guarantee of happiness, but it’s a good sign. Some devices (especially older GPUs) will pass through once and then wedge until a host reboot.

Decision: If no FLR and you see recurring “device is in use” or “failed to reset” problems, plan operationally: host reboot between assignments, or choose different hardware.

Joke #1: PCI passthrough is like dating a printer—everything seems fine until you actually need it to work.

8) Ensure the host binds the device to vfio-pci (and not nouveau/nvidia/amdgpu)

cr0x@server:~$ lspci -k -s 01:00.0
01:00.0 VGA compatible controller: NVIDIA Corporation TU104 [GeForce RTX 2080]
Subsystem: Micro-Star International Co., Ltd. [MSI] TU104 [GeForce RTX 2080]
Kernel driver in use: vfio-pci
Kernel modules: nvidiafb, nouveau

What it means: “Kernel driver in use” must be vfio-pci. “Kernel modules” can list possible modules; that’s fine.

Decision: If a vendor driver is in use, fix binding: add device IDs to vfio-pci, blacklist conflicting drivers, rebuild initramfs, reboot, re-check.

9) Confirm vfio modules load and are present in initramfs

cr0x@server:~$ lsmod | egrep 'vfio|kvm'
vfio_pci               16384  0
vfio_pci_core          73728  1 vfio_pci
vfio_iommu_type1       45056  0
vfio                   45056  2 vfio_pci_core,vfio_iommu_type1
kvm_intel             401408  0
kvm                  1343488  1 kvm_intel

What it means: If VFIO core modules aren’t loaded, you’re not ready. If they only load after the host driver grabbed the device, you can still lose the race.

Decision: If module load order is wrong, add modules to /etc/modules, ensure correct vfio-pci IDs, and regenerate initramfs so vfio binds early.

10) Verify Proxmox/QEMU actually uses IOMMU in the VM configuration

cr0x@server:~$ qm config 101 | egrep -i 'hostpci|machine|bios|efidisk|args'
bios: ovmf
machine: q35
hostpci0: 01:00,pcie=1,x-vga=1
hostpci1: 01:00.1,pcie=1
efidisk0: local-lvm:vm-101-disk-0,efitype=4m,pre-enrolled-keys=1
args: -cpu host

What it means: For GPUs and many PCIe devices, q35 + pcie=1 is the sane default. Passing both GPU and its audio function avoids half-attached devices. OVMF is typical for modern Windows and UEFI Linux guests.

Decision: If you see legacy machine types and odd flags copied from an old forum post, simplify. Move to q35 + OVMF unless you have a specific reason not to.

11) Check for host resource contention: I/O latency and CPU steal can look like “passthrough flakiness”

cr0x@server:~$ pveperf
CPU BOGOMIPS:      71999.84
REGEX/SECOND:      6068330
HD SIZE:           76.80 GB (rpool/ROOT/pve-1)
FSYNCS/SECOND:     1098.55
DNS EXT:           55.76 ms

What it means: FSYNCS/SECOND is a crude but useful smell test for storage latency. If it’s terrible, your “GPU passthrough stutter” might be the guest blocking on disk.

Decision: If storage is slow, stop tuning VFIO and start tuning storage: check ZFS sync settings, SLOG health, controller firmware, and queue depth. Or move the VM disks off the struggling pool.

12) Verify hugepages/IOMMU mapping pressure and memory availability

cr0x@server:~$ grep -E 'HugePages|AnonHugePages|MemAvailable' /proc/meminfo | head
MemAvailable:   58723452 kB
AnonHugePages:  10240000 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
HugePages_Surp:        0

What it means: If you’ve pinned hugepages or starved the host, device assignment can fail in ways that look unrelated. Some setups use hugepages deliberately; that’s fine. But you should know you did it.

Decision: If memory is tight, reduce VM memory, stop overcommitting, or add RAM. If you need hugepages, configure them intentionally and document it like an adult.

13) Check for ACS override usage and understand the blast radius

cr0x@server:~$ grep -R "pcie_acs_override" -n /etc/default/grub /etc/kernel/cmdline 2>/dev/null
/etc/default/grub:6:GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on iommu=pt pcie_acs_override=downstream,multifunction"

What it means: ACS override can split groups artificially. It can make passthrough possible on consumer platforms that otherwise won’t isolate devices properly.

Decision: If this is a homelab, you might accept it. If this is production with hostile multi-tenancy or strict compliance, avoid it. Better hardware is cheaper than explaining a DMA isolation incident.

14) Validate GPU VBIOS needs (especially when the GPU is primary)

cr0x@server:~$ dmesg | egrep -i 'vfio|rom|bar|vga' | tail -n 30
[   12.912345] vfio-pci 0000:01:00.0: enabling device (0000 -> 0003)
[   12.934567] vfio-pci 0000:01:00.0: BAR 0: assigned [mem 0xf6000000-0xf6ffffff 64bit]
[   12.945678] vfio-pci 0000:01:00.0: BAR 2: assigned [mem 0xd0000000-0xdfffffff 64bit pref]
[   13.012345] vfio-pci 0000:01:00.0: vfio_ecap_init: hiding ecap 0x19@0x900

What it means: BAR assignment is normal. If you’re missing output in the guest, the GPU might need a ROM file, especially if it was used as the host boot display (the firmware may not expose a clean option ROM).

Decision: If the guest never initializes the GPU and you’ve confirmed everything else, try providing a clean VBIOS ROM and ensure you’re not fighting a host console driver.

15) Check for NVIDIA Code 43 / driver refusal patterns (Windows guests)

cr0x@server:~$ qm showcmd 101 --pretty | egrep -i 'kvm=|hidden|vendor|cpu host' | head -n 50
-cpu host,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff
-machine type=q35,accel=kvm
-smbios type=1,uuid=2b4b9a2a-4a1a-4c3c-9f28-8ed0f843b2c1

What it means: Modern NVIDIA consumer drivers used to detect virtualization and refuse to run well in some cases. The landscape has changed over time, but “driver refuses in VM” still happens depending on GPU, driver branch, and guest config.

Decision: If you hit Code 43-like symptoms, confirm you’re using KVM acceleration, CPU host passthrough, and reasonable Hyper-V enlightenments. Don’t start with random “hide KVM” hacks unless you have a specific regression you’re reproducing.

16) Verify the device isn’t being used by the host (open file handles, services, or bridges)

cr0x@server:~$ lsof /dev/vfio/* 2>/dev/null | head
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
qemu-sys 4212 root   25u   CHR  246,0      0t0  123 /dev/vfio/12

What it means: If a previous QEMU process still holds the VFIO group, your next start will fail. This also catches “the VM is still running somewhere” moments.

Decision: If you see a stale process, stop it cleanly. If it won’t die, collect logs first, then terminate. Reboots are sometimes the least-worst option when dealing with wedged PCIe devices.

17) Confirm SR-IOV state (if you’re passing VFs)

cr0x@server:~$ lspci -s 03:00.0 -vv | egrep -i 'SR-IOV|Virtual Function' -n
210:Capabilities: [160] Single Root I/O Virtualization (SR-IOV)
220:    Total VFs: 8, Initial VFs: 0, Number of VFs: 4, Function Dependency Link: 00

What it means: SR-IOV is present and configured for 4 VFs. If your expected VFs don’t appear, firmware, driver, or sysfs configuration is missing.

Decision: If VFs aren’t created, enable SR-IOV in BIOS (if applicable), ensure host driver supports it, and configure VF creation explicitly. If you’re mixing VFs and PF passthrough, be very sure you understand the device’s constraints.

Three corporate mini-stories from the trenches

Mini-story 1: the incident caused by a wrong assumption

The team inherited a Proxmox cluster that “already did GPU passthrough.” The previous owner had left a note: “works, don’t touch.” That note aged like milk.

A minor upgrade rolled through: new kernel, new firmware, same hardware. Monday morning: the render VMs started but the GPUs didn’t attach. The dashboard looked normal. The users got black screens and loud opinions.

The first engineer chased QEMU args. Then someone chased Windows drivers. The third person did the only useful thing: checked IOMMU groups and noticed they’d changed. The GPU was now grouped with a PCIe bridge that also included a USB controller the host needed. It had “worked” before because the old BIOS had different PCIe enumeration and grouping behavior.

The wrong assumption was subtle: “IOMMU groups are stable across updates.” They are not. Firmware updates, kernel changes, and even different slot population can reshuffle the topology. That’s not Linux being capricious; it’s the platform exposing new information or routing.

The fix was boring: move the GPU to a different slot, disable an unused onboard controller to simplify the tree, and update the runbook to re-validate groups after firmware changes. The incident didn’t end with heroics. It ended with a checklist.

Mini-story 2: the optimization that backfired

A different org wanted “maximum performance” for a latency-sensitive VM that used passthrough NICs. Someone enabled every performance knob they’d ever heard of: hugepages, CPU pinning, isolcpus, irqbalance tweaks, aggressive power settings. It looked impressive. It also made the system fragile.

It ran beautifully for a week. Then a host reboot happened during maintenance, and the VM started dropping packets. The NIC passthrough still attached, but traffic had jitter and occasional stalls. On the host, the interrupt distribution looked uneven; one core was drowning.

The culprit wasn’t VFIO at all. The “optimized” CPU isolation pinned too much, and interrupts got stuck on a non-optimal CPU set after boot. The host was doing extra work shuffling interrupts and handling timer noise in a weird corner of the scheduler.

They rolled back half the “tuning,” kept only what they could measure, and reintroduced irqbalance with explicit affinity rules. Performance dropped slightly in the synthetic benchmark. Real-world latency improved, and the system stopped being a glass sculpture.

Joke #2: Every time you “optimize” a system without measurements, an interrupt lands on the worst possible core out of spite.

Mini-story 3: the boring but correct practice that saved the day

One team ran a small fleet of Proxmox nodes for mixed workloads: storage-heavy VMs and a couple of GPU passthrough desktops. Nothing fancy. What they did have was discipline.

They kept a simple artifact per host: a text file with firmware versions, kernel cmdline, IOMMU group listing, and the intended passthrough devices. After any BIOS update or hardware change, they re-ran the artifact collection. It took ten minutes. People complained. They did it anyway.

One afternoon a node rebooted unexpectedly after a power event. When it came back, one GPU VM failed to start with a VFIO group error. The on-call engineer compared today’s IOMMU groups with the last known-good artifact. The GPU was now sharing a group with a SATA controller because a firmware setting had reverted.

The fix was immediate: restore the BIOS settings, validate IOMMU groups, and restart the VM. No guessing, no tribal knowledge, no “try a different kernel.” The boring practice didn’t make anyone famous, which is the point.

Common mistakes: symptom → root cause → fix

This section exists because we all repeat the same failures, just with different hostnames.

1) VM won’t start: “failed to set iommu for container” / “no IOMMU detected”

Symptom: QEMU refuses to start with an IOMMU/VFIO error.

Root cause: VT-d/AMD-Vi disabled in BIOS, wrong kernel cmdline, or booted into a kernel missing IOMMU enablement.

Fix: Enable VT-d/AMD-Vi in firmware, add intel_iommu=on or amd_iommu=on, reboot, confirm via dmesg.

2) VM starts but device doesn’t show up inside guest

Symptom: Guest OS boots, but no GPU/NIC appears, or it appears with errors.

Root cause: Wrong BDF, missing multifunction device (GPU audio), device not bound to vfio-pci, or guest driver issue.

Fix: Re-check lspci -nn, pass all needed functions, confirm Kernel driver in use: vfio-pci, and validate guest drivers.

3) Works once after boot, then fails until host reboot

Symptom: First VM start after host boot works; subsequent starts fail or GPU stays black.

Root cause: Device lacks reliable reset (no FLR), or vendor reset quirk (common with some GPUs).

Fix: Choose hardware with FLR support, try kernel/vendor-specific reset modules where appropriate, or accept that you need host reboots as an operational workaround.

4) Random host freezes under load

Symptom: Host locks up during heavy VM I/O or GPU load, sometimes requiring power cycle.

Root cause: Broken interrupt remapping, buggy BIOS, unstable overclocks, or marginal PSU/PCIe power delivery (yes, even in “server” builds).

Fix: Confirm DMAR-IR: Enabled IRQ remapping, update BIOS, disable overclocks, check power. If the platform is consumer-grade, treat it like consumer-grade.

5) Performance is terrible even though passthrough “works”

Symptom: Low FPS, stutter, latency spikes, packet loss, or intermittent stalls.

Root cause: Storage latency, CPU contention, wrong CPU model, or misrouted interrupts. Passthrough doesn’t immunize you from the rest of the host.

Fix: Measure: pveperf, iostat, top, interrupt distribution. Fix bottlenecks before tweaking VFIO flags.

6) Device stuck in an IOMMU group with “everything”

Symptom: GPU shares group with USB/SATA/chipset devices.

Root cause: Motherboard topology lacks ACS isolation; device behind same root complex; slot wiring.

Fix: Move slots, change BIOS PCIe settings, update firmware, or accept ACS override risk. If it’s for production isolation, pick a board that behaves like it means it.

Checklists / step-by-step plan

If you want something you can paste into a ticket, use this sequence. It’s intentionally repetitive; repetition is what makes outages shorter.

Baseline host verification (do this once per node, then after any BIOS update)

1. Confirm virtualization flags: lscpu and record output.
2. Confirm IOMMU active: dmesg | egrep -i 'DMAR|AMD-Vi|IOMMU'.
3. Confirm IRQ remapping: dmesg | egrep -i 'DMAR-IR|remapping'.
4. Capture kernel cmdline: cat /proc/cmdline and store it.
5. Dump IOMMU groups and store them as an artifact.

Per-device verification (every time you add a passthrough device)

1. Record device IDs and functions: lspci -nn.
2. Check group membership: group dump and confirm isolation.
3. Check reset capability: lspci -vv and note FLR.
4. Bind to vfio-pci and confirm with lspci -k.

Per-VM verification (every time the VM config changes)

1. Confirm machine type and BIOS: qm config VMID.
2. Confirm hostpci entries include all required functions.
3. Confirm CPU mode: prefer -cpu host unless you have a compatibility reason.
4. On failure, check who holds VFIO group: lsof /dev/vfio/*.

Two “stop digging” rules

• If IOMMU is not enabled in dmesg, stop adjusting QEMU args. Fix firmware/cmdline first.
• If your IOMMU group is dirty and you’re considering ACS override, stop and decide whether you’re okay with the risk. Don’t sleepwalk into it.

FAQ

1) Do I need both VT-x and VT-d (or AMD-V and AMD-Vi)?

VT-x/AMD-V is for CPU virtualization. VT-d/AMD-Vi is for IOMMU (DMA remapping) and is the one PCI passthrough depends on. You typically want both.

2) Is iommu=pt safe?

Common and usually safe for performance on hosts where you’re not trying to force translation overhead on non-passthrough devices. It doesn’t replace proper isolation; it just changes how the host uses the IOMMU.

3) Should I use ACS override?

Only if you understand the security and correctness implications. It can make consumer hardware usable for homelabs. It can also create isolation that looks real but isn’t as strong as native hardware ACS behavior.

4) Why does my GPU need its audio function passed through?

Many GPUs expose an HDMI/DP audio controller as a separate PCI function. Guests may behave better when both functions are assigned, and it prevents the host from binding to the leftover function.

5) SeaBIOS or OVMF?

OVMF (UEFI) is the modern default, especially for Windows 11 and newer GPUs. SeaBIOS can work for some older guests, but mixing old assumptions with new GPUs is how you end up in “black screen” land.

6) My device is in the same IOMMU group as a PCI bridge. Is that always bad?

Not automatically. Bridges can be part of the topology. What matters is whether the group includes devices you cannot or should not pass through together. If the group includes a chipset USB controller you need for the host, you have a practical problem.

7) Why does passthrough break after a kernel update?

Kernel updates can change driver behavior, initialization order, and even how quirks are applied. Firmware updates can also change PCIe enumeration. That’s why you keep artifacts (cmdline, groups, binding) and re-validate after upgrades.

8) Can ZFS performance issues look like VFIO issues?

Yes. If guest storage stalls, you’ll see hitching, input lag, and “random” timeouts that people misattribute to GPUs or NICs. Measure storage latency before you rewrite VM configs.

9) Do I need to dump and pass a VBIOS ROM file?

Sometimes. It’s more common when the GPU is initialized by host firmware as the primary display, or when the platform doesn’t expose a clean option ROM to the guest. If everything else checks out and you still get a black screen, it’s a reasonable next experiment.

10) Why does the host sometimes need a reboot after stopping a passthrough VM?

Because not all devices reset reliably. If the device can’t return to a clean state, the next assignment fails. That’s not Proxmox being dramatic; it’s the hardware refusing to forget what happened.

Conclusion: next steps that actually work

When passthrough breaks, your job isn’t to outsmart VFIO. Your job is to prove the platform is providing the prerequisites VFIO requires: IOMMU enabled, clean group isolation, proper driver binding, and a device that resets like it respects boundaries.

Do these next:

1. Capture and save three artifacts per host: /proc/cmdline, IOMMU group listing, and lspci -k for passthrough devices.
2. If you’re using ACS override, write it down as a risk decision, not a tweak. Decide if the hardware should be replaced.
3. Before changing VM args, verify IOMMU and IRQ remapping in dmesg. If they’re wrong, stop and fix firmware/cmdline.
4. For flaky devices, test reset behavior explicitly: start VM, stop VM, start again—without rebooting the host. If it fails, treat reset as the root problem until proven otherwise.

Once you can reproduce the failure with evidence, VFIO stops being a scapegoat and becomes what it is: a strict bouncer enforcing the rules your platform promised it could follow.