IOMMU

This article provides a very brief introduction to IOMMU: what it is, the pros and cons.

According to Wikipedia, Input–Output Memory Management Unit (IOMMU) is a memory management unit (MMU) that connects a direct-memory-access–capable (DMA-capable) I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses (also called device addresses or I/O addresses in this context) to physical addresses. Some units also provide memory protection from faulty or malicious devices.

Here comes a diagram that was broadly borrowed over the internet for illustrating the functionality of IOMMU. It explains the nature of IOMMU well: MMU and IOMMU all translate virtual address to physical address; MMU is for CPU, while IOMMU is for device.

What problems can IOMMU resolve for you?

1. Usually devices request contiguous DMA memory. But DMA memory resource is always limited in a system. IOMMU can help to reduce the requirement. It maps contiguous virtual addresses to the fragmented physical addresses. You can offer large regions of memory to devices without consuming any physical DMA memory.
2. Some devices were designed to use 32-bit addresses, they cannot access the memory in the space higher than 4GiB. IOMMU can map any region of the entire memory space to the device. Without the help of IOMMU, software have to copy the content somehow from the device to the target memory, that can badly impact the performance.
3. If physical address is used directly, a malicious device can access the DMA memory that doesn’t belong to it, because there is not border between the regions of different devices. With IOMMU, what a device can accesses is a virtual address region. A malicious device doesn’t know where is other DMA memory regions are. If it tries to access some address beyond the region, failure will be triggered because that address is not mapped.
4. In virtualization, when a device is passthrough to a virtual machine. The driver program in the VM will initialize the device with the memory addresses in the guest space. When the device use such addresses to access physical memory (which is to the host machine), it will definitely fail. An IOMMU device on host system handles this case, it helps the assigned device to find the correct address it should access.

Is there any price you need to pay for these advantages? Yes:

1. To find the correct physical DMA address from a virtual address, IOMMU need to go through mapping tables. That will take some time.
2. The mapping tables take additional memory.

For now, some specifications have been published for IOMMU:

• Virtualization Technology for Directed I/O (VT-d) is the spec from Intel
• System Memory Management Unit (SMMU) is the work of Arm
• I/O Virtualization Technology (AMD-Vi) is the spec of AMD

Reference

• https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
• https://lenovopress.com/lp1467.pdf
• https://developer.ibm.com/tutorials/l-pci-passthrough/
• https://wiki.qemu.org/Features/VT-d