Some Basics about Computer Memory
RAM (random access memory) is the hardware your computer uses to load the operating system, run programs, and store and access data. The MMU (memory management unit) is the hardware that manages the memory system of your computer. The operating system uses the MMU to set up and maintain its memory mappings and to translate CPU virtual addresses to physical addresses.
Some Basics about Virtual Machines
A virtual machine makes it possible for different operating systems (or several versions of one operating system) to run on the same server. This increases the capacity of the hardware by dividing it into individual servers that are each allocated with their own processors and memory. Virtual machines are used for such things as running different operating systems on one computer, testing applications, or trialling new software or other features.
Virtual machines provide the same functionality as standard computers. Memory in a virtual machine is called virtual memory. It is based on physical RAM plus extra memory for virtualization. Virtual memory increases the available memory of your computer by temporarily transferring data from RAM to disk storage. Increasing memory in this way is particularly important for gaming, media editing or running other complex programs, often simultaneously.
Multiple virtual machines can run off of one physical server with a hypervisor - a kind of emulator that creates and runs virtual machines. A hypervisor allows one host computer to support multiple guest VMs by virtually sharing its resources, such as memory and processing. Examples of hypervisors include VirtualBox, VMware, and Hyper-V.
What is IOMMU?
When an operating system is running inside a virtual machine, it does not usually know the physical addresses of the memory it accesses, which makes it difficult for it to drive the computer's hardware. If a guest operating system tried to access memory directly using what it believes are physical addresses, it could corrupt that memory.
An IOMMU solves this problem by remapping the addresses that the hardware accesses. The IOMMU translates a separate kind of virtual address, the IOVA (I/O virtual address), to a physical address. Using IOVAs prevents a device from overwriting memory that has not been mapped for it.
The IOMMU sits between devices performing direct memory access (DMA) and main memory, extending the system by adding support for virtualizing the memory addresses used by peripheral devices.
When chip manufacturers realised the advantages of the IOMMU, they added it to the chipsets and motherboards of all servers and of more powerful PCs. Even when an IOMMU is present, it often still needs to be enabled in the BIOS (basic input/output system).
What does IOMMU do?
● Translation - mapping virtual device addresses to physical addresses and helping to filter and remap interrupts from peripheral devices.
● Memory and device isolation - via permissions (allowing/disallowing access to memory regions or granting/denying map requests).
● Protection - by enabling system software to control which areas of physical memory an I/O (input/output) device may access.
● I/O virtualization - extending the system architecture by adding support for the virtualization of memory addresses used by peripheral devices.
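To make the translation, isolation and protection bullets above concrete, here is a small Python model of an IOMMU, added to this page as an illustration; it is not code from any real IOMMU driver or hypervisor. The page size, permission bits, the device names `nic`, `gpu` and `rogue`, all addresses, and the `DmaFault` exception are constructed for the example. Each device gets its own I/O page table, every DMA request is translated through it, and a request with no mapping or the wrong permission faults instead of touching memory:

```python
"""Toy model of IOMMU translation and device isolation (constructed example)."""

PAGE_SIZE = 0x1000          # 4 KiB pages
READ, WRITE = 0x1, 0x2      # permission bits stored with each mapping


class DmaFault(Exception):
    """A DMA request the IOMMU refused: unmapped IOVA, bad permission or unknown device."""


class Iommu:
    """One I/O page table per device: device -> {iova_page: (phys_page, perms)}."""

    def __init__(self):
        self.tables = {}

    def attach(self, dev):
        self.tables[dev] = {}            # a device with no table reaches nothing

    def map(self, dev, iova, phys_pages, perms):
        """Map consecutive IOVA pages from `iova` onto the listed physical pages,
        which need not be adjacent to each other."""
        if iova % PAGE_SIZE or any(p % PAGE_SIZE for p in phys_pages):
            raise ValueError("IOVA and physical pages must be page aligned")
        table = self.tables[dev]
        for n, phys in enumerate(phys_pages):
            table[iova // PAGE_SIZE + n] = (phys // PAGE_SIZE, perms)

    def unmap(self, dev, iova, npages):
        table = self.tables[dev]
        for n in range(npages):
            table.pop(iova // PAGE_SIZE + n, None)

    def translate(self, dev, iova, access):
        """Translate one IOVA for `dev`, checking the mapping and its permissions."""
        table = self.tables.get(dev)
        if table is None:
            raise DmaFault(f"{dev}: not attached to any IOMMU domain")
        page, offset = divmod(iova, PAGE_SIZE)
        entry = table.get(page)
        if entry is None:
            raise DmaFault(f"{dev}: IOVA {iova:#x} is not mapped")
        phys_page, perms = entry
        if access & ~perms:
            raise DmaFault(f"{dev}: access {access:#x} denied at IOVA {iova:#x}")
        return phys_page * PAGE_SIZE + offset


class Memory:
    def __init__(self, size):
        self.data = bytearray(size)


def dma_write(iommu, mem, dev, iova, payload):
    """Device writes `payload` at `iova`; every byte goes through translation."""
    for i, b in enumerate(payload):
        mem.data[iommu.translate(dev, iova + i, WRITE)] = b


def dma_read(iommu, mem, dev, iova, length):
    return bytes(mem.data[iommu.translate(dev, iova + i, READ)] for i in range(length))


def demo():
    mem = Memory(16 * PAGE_SIZE)                 # 64 KiB of "physical" RAM
    KERNEL = 0x0000                              # pretend the host kernel lives in page 0
    mem.data[KERNEL:KERNEL + 8] = b"KERNELPG"
    iommu = Iommu()
    iommu.attach("nic")
    iommu.attach("gpu")
    # NIC receive buffer: three scattered physical pages that the NIC sees as one
    # contiguous 12 KiB range starting at IOVA 0x10000.
    iommu.map("nic", 0x10000, [0x3000, 0x7000, 0x5000], READ | WRITE)
    iommu.map("gpu", 0x20000, [0x9000], READ)    # GPU may only read its page

    results = {}
    # 1. Legitimate DMA: a 4100-byte packet straddling two non-adjacent pages.
    dma_write(iommu, mem, "nic", 0x10000, b"A" * 4090 + b"B" * 10)
    results["nic_write_ok"] = (
        bytes(mem.data[0x3000:0x4000]) == b"A" * 4090 + b"B" * 6
        and bytes(mem.data[0x7000:0x7004]) == b"B" * 4
    )
    # 2. Requests outside a device's own mappings fault instead of touching memory.
    bad_requests = {
        "nic_to_kernel": lambda: dma_write(iommu, mem, "nic", KERNEL, b"XXXX"),
        "nic_to_gpu_buf": lambda: dma_write(iommu, mem, "nic", 0x20000, b"XXXX"),
        "gpu_write_ro": lambda: dma_write(iommu, mem, "gpu", 0x20000, b"XXXX"),
        "unknown_device": lambda: dma_write(iommu, mem, "rogue", 0x10000, b"XXXX"),
    }
    for name, request in bad_requests.items():
        try:
            request()
            results[name] = "allowed"
        except DmaFault:
            results[name] = "fault"
    results["kernel_intact"] = bytes(mem.data[KERNEL:KERNEL + 8]) == b"KERNELPG"
    # 3. Once the driver unmaps the buffer, the device can no longer reach it.
    iommu.unmap("nic", 0x10000, 3)
    try:
        dma_read(iommu, mem, "nic", 0x10000, 4)
        results["after_unmap"] = "allowed"
    except DmaFault:
        results["after_unmap"] = "fault"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The per-byte translation loop is deliberately naive; a real IOMMU checks each page of a transaction, but the point is the same: the device only ever sees physical addresses that its own table hands back, so the scattered buffer looks contiguous to it and nothing outside the table is reachable.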
Different Names For IOMMU
IOMMU is the generic name. On Intel CPUs the IOMMU technology is called "Virtualization Technology for Directed I/O", abbreviated to "Intel VT-d". Intel's virtualization technology is also available as VT-x for x86 processors and VT-i for Itanium processors. AMD's I/O virtualization technology is called "AMD-V" or "SVM" (Secure Virtual Machine). IBM calls it TCE and ARM calls it SMMU.
Enabling IOMMU
Although processors have these features built in, they are almost always disabled by default. This means that in order to take advantage of them, you need to enable IOMMU.
On systems with an Intel processor, the Intel VT-x feature can be disabled or enabled through the BIOS firmware settings. AMD-V is usually enabled on an AMD processor, requiring no changes to BIOS or UEFI (unified extensible firmware interface) settings.
Unfortunately, not all laptops and motherboards include an option in their BIOS or UEFI settings for enabling IOMMU.
If you get an error message, such as “this computer doesn't have VT-x/AMD-V enabled” or “VT-x/AMD-V hardware acceleration is not available on your system,” you will need to check that you have a machine that includes this feature and then manually enable it from the BIOS/UEFI.
Examples of hardware and software for which IOMMU must be enabled are AMD Ryzen processors and Proxmox Backup Server.
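As an added example (not a command from this page or from any vendor's tooling), the following Python script checks from inside a running Linux system whether the firmware has actually turned these features on, which is the first thing to establish when one of the error messages above appears. It relies on three standard Linux interfaces: the `vmx` (VT-x) and `svm` (AMD-V) flags in `/proc/cpuinfo`, the `/sys/kernel/iommu_groups` directory, which the kernel populates only when an IOMMU driver is active, and the `intel_iommu=on` / `amd_iommu=on` kernel parameters visible in `/proc/cmdline`. The sample texts embedded in it are constructed so the logic can be exercised offline; `check_live()` reads the real files.

```python
"""Check whether CPU virtualization and the IOMMU are enabled on a Linux host.
Added example; the sample strings below are constructed, not captured."""
import os
import re
from pathlib import Path


def cpu_virt_flags(cpuinfo_text):
    """Which virtualization extension /proc/cpuinfo advertises: 'vmx' is Intel
    VT-x, 'svm' is AMD-V. Neither flag present means the CPU lacks the feature
    or the BIOS/UEFI has it disabled."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    flags = set(m.group(1).split()) if m else set()
    return {"vt-x": "vmx" in flags, "amd-v": "svm" in flags}


def iommu_status(group_names, cmdline):
    """/sys/kernel/iommu_groups only has entries when an IOMMU driver is active;
    /proc/cmdline shows whether it was forced on with intel_iommu=on or amd_iommu=on."""
    return {
        "iommu_active": len(group_names) > 0,
        "iommu_groups": len(group_names),
        "forced_on_cmdline": bool(re.search(r"\b(intel_iommu|amd_iommu)=on\b", cmdline)),
    }


def verdict(report):
    """Turn the raw flags into the next step a user should take."""
    if not (report["vt-x"] or report["amd-v"]):
        return "no VT-x/AMD-V flag: enable virtualization in BIOS/UEFI"
    if not report["iommu_active"]:
        return ("CPU virtualization on, but no IOMMU groups: enable VT-d/IOMMU in "
                "BIOS/UEFI or on the kernel command line")
    return f"IOMMU active with {report['iommu_groups']} groups"


def check_live(root="/"):
    """Read the real files; only meaningful on a Linux host (root is a parameter
    so a fake tree can be pointed at it)."""
    root = Path(root)
    cpuinfo = (root / "proc/cpuinfo").read_text()
    groups_dir = root / "sys/kernel/iommu_groups"
    groups = sorted(os.listdir(groups_dir)) if groups_dir.is_dir() else []
    cmdline = (root / "proc/cmdline").read_text()
    report = {**cpu_virt_flags(cpuinfo), **iommu_status(groups, cmdline)}
    report["verdict"] = verdict(report)
    return report


# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO_INTEL = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme pae vmx sse4_2 aes\n"
SAMPLE_CPUINFO_NOVIRT = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme pae sse4_2 aes\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 intel_iommu=on iommu=pt\n"


def demo():
    """Evaluate three constructed machines: fully enabled, CPU-only, nothing enabled."""
    enabled = {**cpu_virt_flags(SAMPLE_CPUINFO_INTEL), **iommu_status(["0", "1", "2"], SAMPLE_CMDLINE)}
    cpu_only = {**cpu_virt_flags(SAMPLE_CPUINFO_INTEL), **iommu_status([], "")}
    nothing = {**cpu_virt_flags(SAMPLE_CPUINFO_NOVIRT), **iommu_status([], "")}
    return verdict(enabled), verdict(cpu_only), verdict(nothing)


if __name__ == "__main__":
    for line in demo():
        print(line)
    try:
        print(check_live()["verdict"])
    except OSError as exc:            # not on Linux, or /proc unavailable
        print(f"live check skipped: {exc}")
```

The distinction the script draws matters in practice: the `vmx`/`svm` flag only says the CPU can run virtual machines, while an empty `iommu_groups` directory with that flag set is the typical symptom of VT-d or the IOMMU being left off in firmware even though VT-x/AMD-V is on.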
PCI Passthrough
IOMMU allows VMs to use peripheral devices directly through direct memory access (DMA). This is called Peripheral Component Interconnect (PCI) passthrough, and it provides the means to use those resources efficiently.
To enable PCI passthrough, an IOMMU is required. The IOMMU translates the virtual I/O addresses seen by the VM and the PCI device to physical addresses. PCI passthrough gives a guest exclusive access to a PCI device for a range of tasks, and it allows the device to appear and behave as if it were physically attached to the guest operating system.
With the help of the IOMMU, all DMA accesses and interrupts of a device can be remapped into the address space of a guest virtual machine's operating system. If you "PCI passthrough" a device, it is no longer available to the host. This has many advantages over virtualized hardware, such as reduced latency.
Advantages of IOMMU
● It allows multiple workloads to share a common set of resources.
● It can make a non-contiguous memory region appear contiguous to a device, which provides better speeds.
● It optimizes streaming DMA performance for the I/O device.
● Memory isolation and protection: a device can only access memory regions that are mapped for it. Hence, faulty and/or malicious devices can't corrupt memory.
● Memory isolation allows safe device assignment to a virtual machine without compromising host and other guest operating systems.
● It improves security by preventing direct device access to physical memory, enhancing the security of the various devices.
● It protects the system from DMA attacks, in which malicious peripherals use DMA requests to access memory embedded in other peripherals. IOMMU blocks this access by using PCI passthrough.
Disadvantages of IOMMU
● Slower processing speeds
● Latency of DMA transfers, because the mapping and permissions stored in main memory must be checked on each access. (This can be alleviated by caching that information inside the IOMMU.)
● IOTLB (input/output translation lookaside buffer) bottleneck - IOTLB cache misses degrade performance and increase DMA latency.
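The IOTLB trade-off in the last two bullets, as an added Python simulation that is not code from any real IOMMU implementation: a small LRU cache sits in front of the in-memory I/O page table, every miss pays for a full table walk, and a scattered access pattern thrashes the cache while a streaming one amortises it. The cost units, the page table, the cache capacity and the access patterns are all constructed. It also goes one step beyond the bullets to show the flush the driver owes the cache: an entry cached for a page that has since been unmapped keeps serving the stale translation until it is invalidated.

```python
"""Toy IOTLB in front of an in-memory I/O page table (constructed example)."""
from collections import OrderedDict

PAGE_SIZE = 0x1000
WALK_COST = 100   # constructed cost of fetching a mapping from main memory
HIT_COST = 1      # constructed cost of a translation served from the IOTLB


class Iotlb:
    def __init__(self, page_table, capacity):
        self.page_table = page_table     # iova_page -> phys_page, already permission-checked
        self.capacity = capacity
        self.cache = OrderedDict()       # insertion order doubles as LRU order
        self.hits = 0
        self.misses = 0

    def translate(self, iova):
        """Return (physical address, cost) for one DMA access."""
        page, offset = divmod(iova, PAGE_SIZE)
        if page in self.cache:
            self.cache.move_to_end(page)
            self.hits += 1
            cost = HIT_COST
        else:
            phys = self.page_table[page]         # KeyError stands in for a DMA fault
            self.cache[page] = phys
            if len(self.cache) > self.capacity:
                self.cache.popitem(last=False)   # evict least recently used
            self.misses += 1
            cost = WALK_COST
        return self.cache[page] * PAGE_SIZE + offset, cost

    def invalidate(self, page):
        """After an unmap the stale entry must be flushed, otherwise the device
        keeps using a translation the driver has already revoked."""
        self.cache.pop(page, None)


def run_dma(tlb, iovas):
    """Total cost of translating every access in `iovas` through `tlb`."""
    return sum(tlb.translate(addr)[1] for addr in iovas)


def demo():
    table = {p: 0x100 + p for p in range(64)}          # 64 mapped IOVA pages
    # Streaming transfer: 8 pages read in order, 64 accesses per page.
    sequential = [p * PAGE_SIZE + i * 64 for p in range(8) for i in range(64)]
    # Scattered transfer: 512 accesses cycling through all 64 pages.
    scattered = [(i % 64) * PAGE_SIZE for i in range(512)]
    out = {}
    for name, pattern in (("sequential", sequential), ("scattered", scattered)):
        tlb = Iotlb(table, capacity=4)
        out[name] = {"cost": run_dma(tlb, pattern), "hits": tlb.hits, "misses": tlb.misses}

    # Failure mode: unmap a page but forget to flush the IOTLB.
    tlb = Iotlb(table, capacity=4)
    tlb.translate(3 * PAGE_SIZE)                        # warm the cache
    del table[3]                                        # driver unmaps page 3...
    out["stale_without_flush"] = tlb.translate(3 * PAGE_SIZE)[0] == 0x103 * PAGE_SIZE
    tlb.invalidate(3)                                   # ...and now flushes it
    try:
        tlb.translate(3 * PAGE_SIZE)
        out["fault_after_flush"] = False
    except KeyError:
        out["fault_after_flush"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

With a four-entry cache the streaming pattern costs 8 walks and 504 hits, while the scattered pattern misses on every one of its 512 accesses; that gap is the bottleneck the last bullet describes, and the stale-entry case is why unmapping a DMA buffer is not complete until the IOTLB entry is gone.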