IOMMUs

IOMMUs, or input-output memory management units, are hardware components that provide address translation and protection for DMA operations performed by I/O devices. By isolating device memory accesses from the host memory, IOMMUs help prevent devices from interfering with each other or with the kernel, improving stability and security in systems with DMA-capable peripherals.

IOMMUs translate addresses used by devices (IO addresses) to physical host memory addresses, typically via a two-stage translation: an IO virtual address (IOVA) space and a set of translation tables managed by software. They enforce access rights, bounds, and permissions, and may use memory protection keys or privilege domains. They also remap interrupts in some implementations to prevent attackers from spoofing interrupts.

Implementations include Intel VT-d (Virtualization Technology for Directed I/O), AMD-Vi (IOMMU), and ARM's SMMU. These units are key to PCIe DMA remapping and, in many architectures, to interrupt remapping. They also define IOMMU groups, which help operating systems or hypervisors decide which devices can be exposed to a virtual machine.

Use cases include virtualization and device pass-through. By enabling DMA remapping and, if supported, PCIe device assignment, a VM can use a real PCIe device directly while the IOMMU enforces isolation from the host and from other VMs. This capability also supports safe live migration of VMs with devices.

Operationally, enabling IOMMUs typically requires enabling BIOS/firmware options and kernel support (e.g., VFIO on Linux). Misconfigurations can reduce performance or disable device access. The IOMMU strategy contributes to hardware-assisted virtualization and robust DMA protection.
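
The IOMMU groups and Linux VFIO setup described above can be checked before a device is handed to a VM. The following is an added example, not code from the original page: it reads the Linux sysfs layout (/sys/kernel/iommu_groups and /sys/bus/pci/devices) and lists devices that share a group with the pass-through candidate but are still owned by a host driver. The function names, the sample PCI addresses and the sample tree are constructed for illustration.

```python
import os
import tempfile

def iommu_groups(sysfs="/sys"):
    """Return {group number: {PCI address: bound driver name or None}}."""
    root = os.path.join(sysfs, "kernel", "iommu_groups")
    groups = {}
    if not os.path.isdir(root):  # no groups: IOMMU off in firmware or kernel
        return groups
    for group in os.listdir(root):
        devices = {}
        for bdf in os.listdir(os.path.join(root, group, "devices")):
            link = os.path.join(sysfs, "bus", "pci", "devices", bdf, "driver")
            bound = os.path.islink(link)
            devices[bdf] = os.path.basename(os.path.realpath(link)) if bound else None
        groups[int(group)] = devices
    return groups

def passthrough_blockers(groups, bdf):
    """List devices in bdf's group that a host driver still owns.

    Simplification (assumption): any driver other than vfio-pci is a blocker.
    """
    for devices in groups.values():
        if bdf in devices:
            return sorted(d for d, drv in devices.items()
                          if d != bdf and drv not in (None, "vfio-pci"))
    raise KeyError(f"{bdf} is not in any IOMMU group")

def build_sample_sysfs(layout):
    """Create a constructed sysfs-like tree; layout is {group: {bdf: driver}}."""
    sysfs = tempfile.mkdtemp(prefix="sample-sysfs-")
    for group, devices in layout.items():
        for bdf, driver in devices.items():
            os.makedirs(os.path.join(sysfs, "kernel", "iommu_groups", str(group), "devices", bdf))
            dev = os.path.join(sysfs, "bus", "pci", "devices", bdf)
            os.makedirs(dev)
            if driver:
                target = os.path.join(sysfs, "bus", "pci", "drivers", driver)
                os.makedirs(target, exist_ok=True)
                os.symlink(target, os.path.join(dev, "driver"))
    return sysfs

# Constructed sample: a GPU and its audio function share group 13.
SAMPLE = {13: {"0000:01:00.0": "vfio-pci", "0000:01:00.1": "snd_hda_intel"},
          14: {"0000:02:00.0": None}}

if __name__ == "__main__":
    groups = iommu_groups(build_sample_sysfs(SAMPLE))
    print(passthrough_blockers(groups, "0000:01:00.0"))  # ['0000:01:00.1']
```

On a real host, call iommu_groups() with no argument; an empty result means the kernel exposes no IOMMU groups, which matches the firmware or kernel misconfiguration case mentioned above.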