For a long time, I/O MMUs were used only in high-end architectures, for example in the PCI interface Sun designed for its UltraSPARC processors. When AMD extended the AMD64 architecture with virtualization features, its I/O hub was accordingly extended with an IOMMU. This article primarily covers the IOMMU for AMD64. AMD has shipped processors with an IOMMU since 2009, together with HyperTransport 3.0.
In principle the IOMMU is comparable to the memory management unit (MMU) of a multitasking microprocessor. The difference is that the IOMMU is not part of the memory interface but conceptually sits in the northbridge. For DMA accesses by peripheral devices, the target addresses in RAM are translated into alternative addresses using a multi-level page table maintained by system software; a device therefore never sees physical addresses, only the bus addresses the system software chose to map for it.
The IOMMU enables the following functions in DMA:
- More effective use of 32-bit devices in 64-bit environments, in particular access to memory above 4 GiB, which a device with 32-bit addressing could not otherwise reach.
- Access protection when applications access certain devices directly.
- Access protection when virtual machines access certain devices directly.
Access protection here means that, without an IOMMU, complete isolation of processes or virtual machines can no longer be guaranteed once they are granted direct access to DMA-capable devices. Since DMA transfers can reach practically any target address in the system, malicious code could use such a device to read or overwrite memory that is not part of its own virtual address space (see also the security problems with FireWire). With an IOMMU, a device can only reach the pages that system software has mapped into its domain, and only with the permissions set in the page table.
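To make the translation and protection mechanism described above concrete, here is an added example (not code from the page, and not a real IOMMU driver): a C model of a two-level I/O page table sitting behind a per-device-ID domain table. The 10+10+12-bit table layout, the flag bits, the 256-entry device table, the device IDs and the addresses are all assumptions chosen for illustration. It shows a device with 32-bit bus addresses reaching RAM above 4 GiB through a mapping, a write to a read-only page and an access to an unmapped page being refused, a device attached to no domain being refused outright, and the unchecked pass-through that results when the IOMMU is disabled.

```c
/* Added example, not code from the page or from any real IOMMU driver: a
 * software model of a two-level I/O page table behind a per-device-ID domain
 * table. Layout (10+10+12 bits), flag bits, sizes, IDs and addresses are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1ULL << PAGE_SHIFT)
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define TABLE_ENTRIES 1024   /* 10-bit index at each of the two levels */
#define DEVTAB_SIZE   256    /* device-ID slots in the device table     */
#define PTE_PRESENT   0x1ULL
#define PTE_READ      0x2ULL
#define PTE_WRITE     0x4ULL
#define PTE_FLAGS     (PTE_PRESENT | PTE_READ | PTE_WRITE)

enum iommu_status { IOMMU_OK = 0, IOMMU_FAULT_NO_DOMAIN,
                    IOMMU_FAULT_NOT_PRESENT, IOMMU_FAULT_PERMISSION };
typedef struct { uint64_t e[TABLE_ENTRIES]; } iommu_table_t;  /* entry = base | flags */
typedef struct { iommu_table_t *root; } iommu_domain_t;      /* one root table per domain */
typedef struct { int enabled; iommu_domain_t *devtab[DEVTAB_SIZE]; } iommu_t;

/* Hardware keeps table bases page-aligned; this model masks the flag bits off an
 * ordinary calloc pointer instead, so no aligned allocator is needed. */
static iommu_table_t *table_from_entry(uint64_t e) { return (iommu_table_t *)(uintptr_t)(e & ~PTE_FLAGS); }

iommu_domain_t *iommu_domain_create(void)
{
    iommu_domain_t *d = calloc(1, sizeof *d);
    if (d && !(d->root = calloc(1, sizeof *d->root))) { free(d); d = NULL; }
    return d;
}

/* Map one 4 KiB bus page (iova) of a domain onto one physical page (paddr). */
int iommu_map(iommu_domain_t *d, uint32_t iova, uint64_t paddr, uint64_t flags)
{
    unsigned l2 = iova >> 22, l1 = (iova >> PAGE_SHIFT) & (TABLE_ENTRIES - 1);
    if ((iova & ~PAGE_MASK) || (paddr & ~PAGE_MASK)) return -1;     /* unaligned */
    if (!(d->root->e[l2] & PTE_PRESENT)) {          /* allocate the level-1 table */
        iommu_table_t *t = calloc(1, sizeof *t);
        if (!t) return -1;
        d->root->e[l2] = (uint64_t)(uintptr_t)t | PTE_PRESENT;
    }
    table_from_entry(d->root->e[l2])->e[l1] = paddr | (flags & PTE_FLAGS) | PTE_PRESENT;
    return 0;
}

/* Translate one DMA access: IOMMU_OK plus the physical address, or the fault the
 * hardware would log. With the IOMMU disabled the bus address passes through
 * untranslated and unchecked, which is the situation the FireWire attacks rely on. */
int iommu_translate(const iommu_t *mmu, uint16_t devid, uint32_t iova,
                    uint64_t access, uint64_t *paddr)
{
    if (!mmu->enabled) { *paddr = iova; return IOMMU_OK; }
    const iommu_domain_t *d = devid < DEVTAB_SIZE ? mmu->devtab[devid] : NULL;
    if (!d) return IOMMU_FAULT_NO_DOMAIN;                  /* device owns no domain */
    uint64_t l2e = d->root->e[iova >> 22];
    if (!(l2e & PTE_PRESENT)) return IOMMU_FAULT_NOT_PRESENT;
    uint64_t pte = table_from_entry(l2e)->e[(iova >> PAGE_SHIFT) & (TABLE_ENTRIES - 1)];
    if (!(pte & PTE_PRESENT)) return IOMMU_FAULT_NOT_PRESENT;
    if ((pte & access) != access) return IOMMU_FAULT_PERMISSION;
    *paddr = (pte & PAGE_MASK) | (iova & ~PAGE_MASK);
    return IOMMU_OK;
}

/* Constructed scenario: device 0x08, a NIC with 32-bit bus addressing, gets one
 * read-write buffer page and one read-only descriptor page, both backed by RAM
 * above 4 GiB. Device 0x09 is attached to no domain at all. */
typedef struct { iommu_t mmu; iommu_domain_t *dom; } scenario_t;

int scenario_setup(scenario_t *s)
{
    memset(s, 0, sizeof *s);
    s->mmu.enabled = 1;
    if (!(s->dom = iommu_domain_create())) return -1;
    if (iommu_map(s->dom, 0x00100000u, 0x100000000ULL, PTE_READ | PTE_WRITE)) return -1;
    if (iommu_map(s->dom, 0x00101000u, 0x100001000ULL, PTE_READ)) return -1;
    s->mmu.devtab[0x08] = s->dom;                          /* attach device 0x08 */
    return 0;
}

int main(void)
{
    static const struct { uint16_t dev; uint32_t iova; uint64_t acc; const char *what; }
    req[] = { { 0x08, 0x00100010u, PTE_WRITE, "NIC writes its RX buffer" },
              { 0x08, 0x00101000u, PTE_WRITE, "NIC writes a read-only page" },
              { 0x08, 0x00000000u, PTE_READ,  "NIC reads an unmapped bus page" },
              { 0x09, 0x00100000u, PTE_READ,  "unattached device reads" } };
    scenario_t s;
    if (scenario_setup(&s) != 0) return 1;
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        uint64_t pa = 0;
        int st = iommu_translate(&s.mmu, req[i].dev, req[i].iova, req[i].acc, &pa);
        if (st == IOMMU_OK) printf("%-31s -> paddr 0x%llx\n", req[i].what, (unsigned long long)pa);
        else                printf("%-31s -> fault %d\n", req[i].what, st);
    }
    return 0;
}
```

The first request succeeds and yields a physical address above 4 GiB even though the device only ever emitted a 32-bit bus address; the next three are rejected before any memory is touched. Setting `enabled` to 0 turns `iommu_translate` into an identity map with no permission check, which is exactly the unprotected situation the paragraph above describes.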
Functions similar to those of the IOMMU can also be found in older processor designs. Many machines have had a Graphics Aperture Remapping Table (GART), an address translation facility intended specifically for graphics cards on the Accelerated Graphics Port (AGP). The Secure Virtual Machine extensions (SVM) in AMD processors offer rudimentary access protection even without an IOMMU through the Device Exclusion Vector (DEV), which can deny devices access to memory outright but does not translate addresses. With suitable software support, the IOMMU can replace both the functions of the GART and those of the DEV.
The IOMMU is not an integral part of AMD-V. When I/O resources are to be accessed not by the VMM but directly by guest systems in a VM, it offers considerable advantages over the classic trap-and-emulate approach in both security and performance. In many classic system virtualization workloads, however, such direct access is not required.
- Intel's VT-d
- heise online: AMD: HyperTransport 3.0 for multiprocessor servers not until 2009. Accessed on October 4, 2018 (German).