IOMMU protection

Post by u9012063 »

Hi Folks,

I've been thinking about the coverage of physical address space in IOMMU. So IOMMU's DMAR (DMA remapping) table and INTR (Interrupt Remapping) provide each device their own address domain. But do these two cover all of the addresses in physical address space that a device can access?

For example, a malicious device could hit DMAR if it tries to write to RAM, and it hits the INTR if it tries to do an interrupt. What if the device writes to addresses other than these two ranges? Say it writes to a physical address between 640K and 1M. Is the IOMMU capable of detecting it, or will the memory controller take care of this?

Thanks!
William Tu

Re: IOMMU protection

Post by Brendan »

Hi,
u9012063 wrote: I've been thinking about the coverage of physical address space in IOMMU. So IOMMU's DMAR (DMA remapping) table and INTR (Interrupt Remapping) provide each device their own address domain. But do these two cover all of the addresses in physical address space that a device can access?
There are multiple ways of interpreting this question. :)

a) A device can't access anything that isn't covered by the IOMMU, therefore the IOMMU covers everything a device can access.

b) The IOMMU's paging tables have a chipset-defined physical address width that is as large as whatever the chipset supports (up to 52-bit physical addresses). Of course the device doesn't access physical addresses directly (the IOMMU translates the device's virtual addresses into physical addresses), so whether or not a device can access all physical addresses depends on how the IOMMU is configured.

c) The IOMMU's paging tables have a chipset-defined "number of levels". This determines the virtual address width that the IOMMU can support. If a device tries to access something at a virtual address that is higher than the IOMMU supports, then the IOMMU generates an error. Basically, the IOMMU doesn't cover all virtual addresses that the device could generate.
u9012063 wrote: For example, a malicious device could hit DMAR if it tries to write to RAM, and it hits the INTR if it tries to do an interrupt. What if the device writes to addresses other than these two ranges? Say it writes to a physical address between 640K and 1M. Is the IOMMU capable of detecting it, or will the memory controller take care of this?
As far as I can tell, if the IOMMU is enabled then everything is denied by default (e.g. unless the IOMMU is configured to allow an access, the access is denied).

Note: I should point out that I haven't actually done anything with IOMMUs yet (I've only read Intel's spec briefly). I may be wrong, and to be honest I'm not even sure if you're talking about Intel's IOMMU or AMD's.


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
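
A toy model of the behaviour described in the reply above, added here as an illustration and not part of the original posts or of any vendor's specification: a per-device translation walk that faults on addresses wider than the table levels cover and denies anything the OS has not mapped. The entry layout, the three-level depth and all names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model only (hypothetical names, not the VT-d or AMD-Vi entry format):
 * 4 KiB pages, 9 index bits per level, 3 levels => 39-bit device addresses. */
enum { LEVELS = 3, IDX_BITS = 9, PAGE_SHIFT = 12, P_R = 1, P_W = 2 };
enum result { DMA_OK, FAULT_WIDTH, FAULT_NOT_PRESENT, FAULT_PERM };

typedef struct table { uint64_t e[1 << IDX_BITS]; } table;
typedef struct { table *root; } domain;      /* one address domain per device */

static unsigned idx(uint64_t iova, int level) {
    return (unsigned)((iova >> (PAGE_SHIFT + IDX_BITS * level)) & ((1u << IDX_BITS) - 1));
}

/* OS side: explicitly allow device address `iova` to reach physical page `pa`. */
int iommu_map(domain *d, uint64_t iova, uint64_t pa, unsigned perm) {
    if (!d->root && !(d->root = calloc(1, sizeof(table)))) return -1;
    table *t = d->root;
    for (int l = LEVELS - 1; l > 0; l--) {
        uint64_t *e = &t->e[idx(iova, l)];
        if (!*e) {                            /* allocate the next level on demand */
            table *n = calloc(1, sizeof(table));
            if (!n) return -1;
            *e = (uint64_t)(uintptr_t)n | P_R | P_W;
        }
        t = (table *)(uintptr_t)(*e & ~(uint64_t)3);
    }
    t->e[idx(iova, 0)] = (pa & ~(uint64_t)0xfff) | perm;
    return 0;
}

/* Hardware side: the walk applied to every DMA request from the device. */
enum result iommu_translate(const domain *d, uint64_t iova, int write, uint64_t *pa) {
    if (iova >> (PAGE_SHIFT + IDX_BITS * LEVELS)) return FAULT_WIDTH;
    const table *t = d->root;
    for (int l = LEVELS - 1; t && l > 0; l--) {
        uint64_t e = t->e[idx(iova, l)];
        t = e ? (const table *)(uintptr_t)(e & ~(uint64_t)3) : NULL;
    }
    uint64_t leaf = t ? t->e[idx(iova, 0)] : 0;
    if (!(leaf & (P_R | P_W))) return FAULT_NOT_PRESENT;   /* default deny */
    if (!(leaf & (write ? P_W : P_R))) return FAULT_PERM;
    *pa = (leaf & ~(uint64_t)0xfff) | (iova & 0xfff);
    return DMA_OK;
}
```

In this model a device write to 0xA0000 (the 640K to 1M range from the question) is just another device address: it faults unless the OS has installed a mapping for it in that device's domain.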

Re: IOMMU protection

Post by u9012063 »

Thank you Brendan ~