How IOMMU Safeguards Systems: From DMA Attacks to Virtualization Security

In low‑level computer architecture, Direct Memory Access (DMA) allows hardware devices to bypass the CPU and transfer data directly to memory, greatly improving throughput for tasks such as disk access and image processing.

Malicious hardware can exploit DMA to break system security, reading sensitive data or modifying kernel code. The Input/Output Memory Management Unit (IOMMU) acts as a “traffic controller”, remapping device addresses and restricting the memory regions they may access, thereby preventing DMA‑based attacks.

Part1 IOMMU是什么？

1.1 IOMMU概述

IOMMU (Input/Output Memory Management Unit) is a memory‑management unit for devices with DMA capability. It translates device‑visible virtual addresses (IOVA) to physical addresses, similar to how the CPU MMU translates virtual to physical addresses, and can also provide memory protection.

1.2 IOMMU的由来

Early computers used direct physical addressing, which limited address space and lacked protection, leading to security risks. IOMMU was introduced to translate addresses, expand accessible memory, and protect memory from erroneous or malicious device accesses.

In virtualized environments, IOMMU isolates each VM’s memory, ensuring that a device assigned to one VM cannot read or write another VM’s memory, thus enabling safe device passthrough.

Part2 IOMMU的底层原理

IOMMU divides physical memory into regions with unique IDs and translates IOVA to physical addresses using an I/O page table, allowing devices to communicate with memory without CPU intervention.

IOMMU的主要组成部分

MMU – maps virtual to physical addresses and provides protection.

IOMMU software module – creates and manages memory domains and handles OS requests.

Hardware support – CPU and device drivers that recognize IOMMU.

2.1 DMA 重映射原理

IOMMU uses an I/O page table to translate IOVA to physical addresses, similar to CPU paging.

设备看到的地址空间（连续）:
[0x1000] [0x2000] [0x3000] [0x4000]
    ↓       ↓       ↓       ↓
实际物理内存（分散）:
[0xA000] [0xF000] [0xB000] [0xD000]

When a device issues a DMA request, its Source Identifier is used to locate a Context Entry that points to the appropriate I/O page table, enabling safe address translation and access control.

2.2 中断重映射原理

Modern devices generate MSI/MSIX interrupts via DMA writes. IOMMU identifies these writes, looks up the Interrupt Remapping Table, and routes the interrupt to the correct virtual CPU or VM, ensuring proper isolation.

2.3 IOMMU的主要实现

(1) Intel VT‑d – DMA and interrupt remapping, device isolation, hot‑plug support.

// Intel VT-d features
- DMA remapping
- Interrupt remapping
- Device isolation
- Hot‑plug support

(2) AMD‑Vi – I/O virtualization, device table management, command handling, event logging.

// AMD-Vi features
- I/O virtualization
- Device table management
- Command processing
- Event logging

(3) ARM SMMU – stream tables, context descriptors, page‑table walks, fault handling.

// ARM SMMU features
- Stream Table
- Context descriptors
- Page‑table walk
- Fault handling

Part3 IOMMU的应用场景

In cloud data centers, IOMMU guarantees isolation between tenants’ VMs, preventing a compromised VM from using DMA to access another VM’s memory.

3.1 虚拟化环境

# KVM VM configuration example
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
  </source>
</hostdev>

VFIO uses IOMMU to bind devices to VMs securely.

// VFIO usage
struct vfio_group *group;
struct vfio_device *device;
echo 0000:01:00.0 > /sys/bus/pci/drivers/nvidia/unbind
echo 0000:01:00.0 > /sys/bus/pci/drivers/vfio-pci/bind
qemu-kvm -device vfio-pci,host=01:00.0 ...

3.2 容器化和微服务

# Docker container using GPU
docker run --gpus all \
  --device=/dev/dri \
  --security-opt apparmor:unconfined \
  nvidia/cuda:11.0-base

3.3 安全隔离

// Prevent malicious DMA
Bad Device ─── DMA Request ──→ IOMMU ──→ Access Denied

Part4 IOMMU配置和管理

4.1 系统启动配置

# Enable IOMMU in GRUB
# Intel
GRUB_CMDLINE_LINUX="intel_iommu=on iommu=pt"
# AMD
GRUB_CMDLINE_LINUX="amd_iommu=on iommu=pt"
sudo update-grub
sudo reboot

4.2 检查 IOMMU 状态

# Check if IOMMU is enabled
dmesg | grep -i iommu
dmesg | grep -i dmar   # Intel VT‑d
dmesg | grep -i amd_iommu   # AMD‑Vi
# List IOMMU groups
find /sys/kernel/iommu_groups/ -type l
ls -la /sys/bus/pci/devices/0000:01:00.0/iommu_group

4.3 IOMMU 组管理

#!/bin/bash
# Show all IOMMU groups and devices
for g in /sys/kernel/iommu_groups/*; do
    echo "IOMMU Group ${g##*/}:"
    for d in $g/devices/*; do
        echo -e "\t$(lspci -nns ${d##*/})"
    done
done

Part5 IOMMU编程接口

5.1 内核 IOMMU API

#include <linux/iommu.h>
struct iommu_domain *domain = iommu_domain_alloc(&pci_bus_type);
iommu_attach_device(domain, &pdev->dev);
iommu_map(domain, iova, paddr, size, IOMMU_READ | IOMMU_WRITE);
iommu_unmap(domain, iova, size);
iommu_detach_device(domain, &pdev->dev);

5.2 用户空间 VFIO API

#include <linux/vfio.h>
int container = open("/dev/vfio/vfio", O_RDWR);
int group = open("/dev/vfio/1", O_RDWR);
ioctl(container, VFIO_SET_IOMMU, VFIO_TYPE1_IOMMU);
struct vfio_iommu_type1_dma_map dma_map = {
    .argsz = sizeof(dma_map),
    .flags = VFIO_DMA_MAP_FLAG_READ | VFIO_DMA_MAP_FLAG_WRITE,
    .vaddr = (uintptr_t)buffer,
    .iova = device_address,
    .size = buffer_size,
};
ioctl(container, VFIO_IOMMU_MAP_DMA, &dma_map);

Part6 IOMMU硬核拦截原理剖析

6.1 地址翻译：识破 “伪装”

IOMMU looks up the I/O page table to translate an IOVA (e.g., 0x1000) to a physical address (e.g., 0x20000). If the IOVA is invalid, the request is rejected.

6.2 访问控制：严守 “关卡”

After translation, IOMMU checks the device’s permission bits (read/write/execute). Unauthorized accesses are blocked, protecting memory integrity.

6.3 多级页表与缓存机制：高效运作的秘诀

IOMMU uses a multilevel page‑table hierarchy similar to CPU paging. An IOTLB caches recent IOVA‑to‑PA translations; a miss triggers a full page‑table walk, ensuring both speed and scalability.