An I/O Memory Management Unit (I/O MMU, or IOMMU for short) extends the I/O interface of a microprocessor with address translation and access protection for Direct Memory Access (DMA).
For a long time, I/O MMUs were common only in high-end architectures, e.g. in a PCI interface that Sun designed for its UltraSPARC processors. As part of AMD's extension of the AMD64 architecture for virtualization, the I/O hub has been complemented with one. This article refers mainly to the IOMMU for AMD64. AMD has announced that the first processors with an IOMMU will ship from 2009, together with HyperTransport 3.0.
The method is in principle similar to that of a Memory Management Unit (MMU) in multitasking microprocessors. The difference is that the IOMMU is not part of the memory interface but is conceptually located in the Northbridge. When peripheral devices access RAM via DMA, the destination addresses are translated into other addresses with the help of a multi-level page table controlled by system software.
The IOMMU enables the following functions for DMA:
- More effective use of 32-bit devices in 64-bit environments, in particular access to memory areas above 4 GiB.
- Access protection when applications are given access to specific devices.
- Access protection when virtual machines are given access to specific devices.
In terms of security this means that, without an IOMMU, complete isolation of processes or virtual machines can no longer be guaranteed once they are granted direct access to DMA-capable devices. Since DMA transfers can target virtually any destination in the system, malicious program code could thereby read or write memory areas that are not part of its own virtual address space (see also the security issues with FireWire).
Functions similar to those of the IOMMU can be found in older processor types. Until now, many machines have had a Graphics Aperture Remapping Table (GART) for address translation, particularly for graphics cards on the Accelerated Graphics Port (AGP). The Secure Virtual Machine extensions (SVM) in AMD processors provide rudimentary access protection even without an IOMMU through a Device Exclusion Vector (DEV), which can deny a device any access to RAM at all. With appropriate software support, the IOMMU can replace the functions of both the GART and the DEV.
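As an added illustration (not from the original article and not AMD's table format), the following toy model shows the two protection mechanisms described above: a software-controlled two-level page table that translates and permission-checks every DMA destination address per device, and the all-or-nothing Device Exclusion Vector. The 30-bit device address width, 9-bit indices, device IDs and mappings are constructed assumptions.

```python
"""Toy IOMMU: two-level DMA address translation with per-page permissions,
plus a DEV-style exclusion list. Constructed model, not real hardware layout."""

PAGE_SHIFT = 12                       # 4 KiB pages
INDEX_BITS = 9                        # two 9-bit levels cover a 30-bit IOVA
INDEX_MASK = (1 << INDEX_BITS) - 1
OFFSET_MASK = (1 << PAGE_SHIFT) - 1
READ, WRITE = 1, 2                    # permission bits in a page-table entry

class IOMMUFault(Exception):
    """A DMA request that cannot be translated or is not permitted."""

def build_table(mappings):
    """mappings: {iova_page: (ram_page, perms)} -> {l1_index: {l2_index: entry}}."""
    root = {}
    for vpn, (ppn, perms) in mappings.items():
        l1, l2 = (vpn >> INDEX_BITS) & INDEX_MASK, vpn & INDEX_MASK
        root.setdefault(l1, {})[l2] = (ppn, perms)
    return root

def translate(table, iova, write):
    """Walk the device's two-level table and return the RAM address, or fault."""
    vpn = iova >> PAGE_SHIFT
    entry = table.get((vpn >> INDEX_BITS) & INDEX_MASK, {}).get(vpn & INDEX_MASK)
    if entry is None:
        raise IOMMUFault(f"IOVA {iova:#x}: not mapped for this device")
    ppn, perms = entry
    if not perms & (WRITE if write else READ):
        raise IOMMUFault(f"IOVA {iova:#x}: {'write' if write else 'read'} denied")
    return (ppn << PAGE_SHIFT) | (iova & OFFSET_MASK)

def dma_request(device_tables, dev_excluded, device_id, iova, write=False):
    """One DMA access: DEV check first, then translation through the device's own table."""
    if device_id in dev_excluded:     # DEV: this device may not touch RAM at all
        raise IOMMUFault(f"device {device_id:#x}: excluded by DEV")
    if device_id not in device_tables:
        raise IOMMUFault(f"device {device_id:#x}: no translation table assigned")
    return translate(device_tables[device_id], iova, write)

if __name__ == "__main__":
    # Constructed: a 32-bit NIC (id 0x100) owns an RX ring at IOVA page 0x10000 that
    # lives at 4 GiB in RAM, plus a read-only descriptor page; device 0x200 is on the DEV.
    nic = build_table({0x10000: (0x100000, READ | WRITE), 0x10001: (0x100001, READ)})
    tables, excluded = {0x100: nic}, {0x200}
    print(hex(dma_request(tables, excluded, 0x100, 0x10000010, write=True)))  # 0x100000010
    try:
        dma_request(tables, excluded, 0x100, 0x10001000, write=True)  # write to read-only page
    except IOMMUFault as e:
        print("fault:", e)
```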
The IOMMU is not an integral part of AMD-V. However, if direct access to I/O resources is to be performed not by a VMM but directly by the VM guest systems, it offers significant advantages in security and performance over a classic trap-and-emulate approach. In many applications of classical system virtualization, however, such direct access is not required.