Xen is developing the IOMMU paravirtualization mechanism

The developers of the XCP-NG project, which develops a free platform for deploying and managing cloud infrastructure, have presented the PV-IOMMU project, which allows guests to access limited IOMMU functionality and is implemented using the Xen paravirtualization infrastructure. In practice, PV-IOMMU can be used to implement DMA protection in Dom0 or to provide support for the Linux kernel's VFIO subsystem. Previously, the Xen hypervisor used the IOMMU to pass PCI devices through to guests and to limit device access to memory, but for stability and security reasons guests could not directly access the hardware-provided IOMMU block.

The IOMMU is a specialized memory management unit that translates virtual addresses seen by the hardware device into physical addresses, allowing DMA operations to be performed and filtered on virtual addresses, as well as limiting and isolating I/O operations. In the context of virtualization, the IOMMU allows guests to directly access peripheral devices such as Ethernet adapters, graphics cards, and storage controllers. Intel's implementation of the IOMMU is provided under the name VT-d (“Virtualization Technology for Directed I/O”), AMD's as AMD-Vi (I/O Virtualization), and ARM's as SMMU (System Memory Management Unit).


The proposed paravirtualized implementation (PV-IOMMU) allows guests to use the basic capabilities of the IOMMU while abstracting away all the low-level hardware details. A new hypercall, HYPERVISOR_iommu_op, has been proposed for inclusion in Xen (a hypercall is the hypervisor analogue of a system call); guest systems can use it to perform IOMMU operations. Among other things, guests can now create and modify IOMMU domains, which are referred to as IOMMU contexts in Xen to avoid confusion with the term “domain” in Xen. IOMMU contexts allow the guest system access to device memory and specify the memory translation operations that apply to one or more devices.
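To illustrate the address translation and per-device isolation described in the two paragraphs above, here is an added toy model in C. It is not code from Xen or XCP-NG and does not reproduce the HYPERVISOR_iommu_op interface: contexts hold page mappings, devices are attached to contexts, and any DMA outside a device's context faults. All names and addresses are constructed for illustration.

```c
/* Toy model of IOMMU contexts (constructed; not Xen's hypercall interface). */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define MAX_MAPS   8
#define MAX_DEVS   4
#define DMA_FAULT  UINT64_MAX
enum { PERM_R = 1, PERM_W = 2 };

struct mapping { uint64_t iova_pfn, phys_pfn; int perm, used; };
struct context { struct mapping maps[MAX_MAPS]; };
static struct context *dev_ctx[MAX_DEVS];  /* device -> context, NULL = blocked */
static struct context nic_ctx, disk_ctx;   /* hypothetical example contexts */

/* Map one 4 KiB page of device-visible address space in a context. */
static int ctx_map(struct context *c, uint64_t iova, uint64_t phys, int perm) {
    for (int i = 0; i < MAX_MAPS; i++)
        if (!c->maps[i].used) {
            c->maps[i] = (struct mapping){ iova >> PAGE_SHIFT, phys >> PAGE_SHIFT, perm, 1 };
            return 0;
        }
    return -1;                                   /* mapping table full */
}

/* Translate a DMA access issued by device `dev`; DMA_FAULT means blocked. */
static uint64_t dma_translate(int dev, uint64_t iova, int want) {
    struct context *c = (dev >= 0 && dev < MAX_DEVS) ? dev_ctx[dev] : NULL;
    if (!c) return DMA_FAULT;                    /* device not attached to any context */
    for (int i = 0; i < MAX_MAPS; i++) {
        struct mapping *m = &c->maps[i];
        if (!m->used || m->iova_pfn != (iova >> PAGE_SHIFT)) continue;
        if ((m->perm & want) != want) return DMA_FAULT;   /* permission violation */
        return (m->phys_pfn << PAGE_SHIFT) | (iova & ((1u << PAGE_SHIFT) - 1));
    }
    return DMA_FAULT;                            /* address not mapped in this context */
}

/* Constructed scenario: two devices, each confined to its own context. */
static void setup_demo(void) {
    dev_ctx[0] = &nic_ctx;  dev_ctx[1] = &disk_ctx;
    ctx_map(&nic_ctx,  0x10000, 0x7f000000, PERM_R | PERM_W);
    ctx_map(&disk_ctx, 0x10000, 0x52000000, PERM_R);
}

int main(void) {
    setup_demo();
    printf("nic write -> %#llx, disk write -> %#llx\n",
           (unsigned long long)dma_translate(0, 0x10abc, PERM_W),
           (unsigned long long)dma_translate(1, 0x10abc, PERM_W));
    return 0;
}
```

The same device-visible address resolves to different physical pages depending on the context the device is attached to, and a write through a read-only mapping is rejected rather than reaching memory.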

At the current stage of development, PV-IOMMU only supports Intel VT-d technology, but it is planned to add support for AMD-Vi and SMMUv3 soon.
