Presentation transcript:

Why VT-d

Direct memory access (DMA) is a method that allows an input/output (I/O) device to send or receive data directly to or from main memory, bypassing the CPU to speed up memory operations. The process is managed by a chip known as a DMA controller (DMAC).

Performance vs security

DMA attack: an attacker exploits the presence of high-speed expansion ports that permit direct memory access to penetrate a system. Example: a FireWire device.
- No hardware / operating system mediation
- Wide availability of devices with ports that transfer data at high speed
- Manifests as a social engineering attack, offering a device as a gift

Solution: installation of signed device drivers and restricted access to devices; IOMMU technology.

Virtualization Technology for Directed I/O - Overview

Intel VT-d: hardware support for isolation of devices and restriction of device accesses to the owner of the device.

Capabilities of VT-d:
- I/O device assignment - assignment of devices to VMs
- DMA remapping - address translation for device DMA transfers
- Interrupt remapping - isolation and routing of device interrupts

DMA remapping

Domain - an abstract isolated environment to which a subset of physical memory is allotted.

DMA remapping hardware:
- Assigns a device to a domain through a set of paging structures
- Intercepts any access by a device to system memory and determines whether the access is permitted [RVM]

Different models of I/O virtualization
- Emulation of device functionality in software
- Direct assignment of devices to a VM
- Sharing of devices: the device itself has multiple functional interfaces, each of which may be assigned to an individual VM

OS usage of DMA remapping

OS protection: an OS may define a domain containing its critical code and data structures, restricting access to it from all I/O devices.

DMA isolation: an OS could define multiple domains and assign one or more I/O devices to each domain.

Shared virtual memory: it is possible to share the virtual address space of applications with I/O devices, enabling sharing of data with devices.

VMM usage of DMA remapping

Direct assignment of devices: the driver for an assigned device runs in the partition to which the device is assigned. Guest software interacts with the hardware directly, with no or minimal VMM involvement. The VMM is invoked only when guest software performs configuration accesses or interrupt management.

DMA address translation

A domain has a view of the address space that is different from the host physical address space, similar to a virtual machine's address space.

A DMA request carries information such as:
- Device identity originating the request
- Type of access
- Target address

The remapping hardware translates the address in the DMA request to a host physical address (HPA) before forwarding it to the memory controllers.

Address translation structures

Source identifier: for PCI Express devices, the device identifier is composed of bus/device/function.

The top-level structure is called the root table (4 KB) and consists of 256 entries. Each entry in the root table consists of fields such as a 'present flag' and a 'context table pointer'.

The second-level structure is called the context table; each of its entries consists of:
- Translation type - which types of requests are allowed
- Domain identifier - a software-assigned field that identifies a domain

How is a device assigned to a VM?
- Assign the same memory range exported to the VM to a domain 'd'.
- Mark the domain identifier in the context table entry for the device.
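As an added worked example (not from the slides and not Intel's implementation), the following C program models the lookup path the last three slides describe: a PCI Express source identifier selects a root-table entry by bus and a context-table entry by device/function; the context entry's translation type and domain identifier select a domain; the domain's mapping turns the request's target address into a host physical address or blocks the request. The per-domain mapping is simplified to a single-level table of 16 pages, and the field layouts, the 'present' bit on context entries, the fault reasons and the sample devices and addresses are constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: source identifier -> root table (by bus) -> context table
 * (by device/function) -> domain -> host physical address. Table sizes follow
 * the slides (256 root entries, 256 context entries per bus); the per-domain
 * mapping is a simplified single-level page table (an assumption). */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define MAX_DOMAINS  4
#define DOMAIN_PAGES 16            /* constructed: domain address space in pages */
#define HPA_UNMAPPED 0             /* sentinel: page not mapped into the domain */
#define DMA_FAULT    UINT64_MAX    /* returned when the request is blocked */

enum access_type { DMA_READ = 1, DMA_WRITE = 2 };

struct domain {
    uint64_t hpa_base[DOMAIN_PAGES];  /* host physical page base per domain page */
    uint8_t  perm[DOMAIN_PAGES];      /* allowed access_type bits per page */
};

struct context_entry {              /* one per device/function on a bus */
    bool    present;                /* assumption: unassigned devices fault */
    uint8_t translation_type;       /* which request types are allowed at all */
    uint8_t domain_id;              /* software-assigned domain identifier */
};

struct root_entry {                 /* one per bus: present flag + context table pointer */
    bool present;
    struct context_entry *context_table;
};

struct iommu {
    struct root_entry    root[256];
    struct context_entry ctx_storage[256][256];
    struct domain        domains[MAX_DOMAINS];
};

struct dma_request {
    uint16_t sid;       /* device identity originating the request */
    uint8_t  access;    /* type of access: DMA_READ or DMA_WRITE */
    uint64_t target;    /* target address in the domain's view of memory */
};

/* PCI Express source identifier: bus[15:8] | device[7:3] | function[2:0]. */
static uint16_t make_sid(uint8_t bus, uint8_t dev, uint8_t fn)
{
    return (uint16_t)((bus << 8) | ((dev & 0x1f) << 3) | (fn & 0x7));
}

static void iommu_init(struct iommu *m)
{
    memset(m, 0, sizeof *m);
    for (int bus = 0; bus < 256; bus++) {   /* attach one context table per bus */
        m->root[bus].present = true;
        m->root[bus].context_table = m->ctx_storage[bus];
    }
}

/* Mark the domain identifier in the context-table entry for the device. */
static void iommu_assign_device(struct iommu *m, uint16_t sid, uint8_t domain_id, uint8_t ttype)
{
    struct context_entry *ce = &m->root[sid >> 8].context_table[sid & 0xff];
    ce->present = true;
    ce->translation_type = ttype;
    ce->domain_id = domain_id;
}

/* Map one page of the memory range exported to the VM into domain d. */
static void iommu_map_page(struct iommu *m, uint8_t d, uint64_t dpn, uint64_t hpa_base, uint8_t perm)
{
    m->domains[d].hpa_base[dpn] = hpa_base;
    m->domains[d].perm[dpn] = perm;
}

/* The remapping hardware's decision for one DMA request: the translated host
 * physical address, or DMA_FAULT with a reason when the access is blocked. */
static uint64_t iommu_translate(const struct iommu *m, const struct dma_request *r, const char **why)
{
    const struct root_entry *re = &m->root[r->sid >> 8];
    if (!re->present) { *why = "root entry not present"; return DMA_FAULT; }
    const struct context_entry *ce = &re->context_table[r->sid & 0xff];
    if (!ce->present) { *why = "device not assigned to any domain"; return DMA_FAULT; }
    if (!(ce->translation_type & r->access)) { *why = "request type not allowed"; return DMA_FAULT; }
    if (ce->domain_id >= MAX_DOMAINS) { *why = "bad domain identifier"; return DMA_FAULT; }
    const struct domain *d = &m->domains[ce->domain_id];
    uint64_t dpn = r->target >> PAGE_SHIFT;
    if (dpn >= DOMAIN_PAGES || d->hpa_base[dpn] == HPA_UNMAPPED) { *why = "address not mapped in domain"; return DMA_FAULT; }
    if (!(d->perm[dpn] & r->access)) { *why = "access type not permitted on page"; return DMA_FAULT; }
    *why = "ok";
    return d->hpa_base[dpn] | (r->target & (PAGE_SIZE - 1));
}

static struct iommu g_iommu;  /* static: the tables are ~200 KiB, too large for the stack */

/* Constructed scenario: domain 1 owns 4 pages backed at host 0x40000000 (page 3
 * read-only); the NIC at 00:03.0 is assigned to it; 00:04.0 is left unassigned. */
static uint64_t demo_hpa(uint16_t sid, uint8_t access, uint64_t target)
{
    iommu_init(&g_iommu);
    for (uint64_t p = 0; p < 4; p++)
        iommu_map_page(&g_iommu, 1, p, 0x40000000ULL + (p << PAGE_SHIFT),
                       p == 3 ? DMA_READ : (DMA_READ | DMA_WRITE));
    iommu_assign_device(&g_iommu, make_sid(0, 3, 0), 1, DMA_READ | DMA_WRITE);
    struct dma_request r = { sid, access, target };
    const char *why;
    uint64_t hpa = iommu_translate(&g_iommu, &r, &why);
    printf("sid %04x %s 0x%llx -> %s\n", sid, access == DMA_READ ? "read" : "write",
           (unsigned long long)target, why);
    return hpa;
}

int main(void)
{
    demo_hpa(make_sid(0, 3, 0), DMA_READ, 0x1010);   /* translated to 0x40001010 */
    demo_hpa(make_sid(0, 3, 0), DMA_WRITE, 0x3008);  /* blocked: page 3 is read-only */
    demo_hpa(make_sid(0, 3, 0), DMA_WRITE, 0x9000);  /* blocked: outside the domain's range */
    demo_hpa(make_sid(0, 4, 0), DMA_READ, 0x1010);   /* blocked: device not assigned */
    return 0;
}
```

The point the model makes visible is that a device can only reach memory the domain it is assigned to has mapped: the unassigned device and the out-of-range write both fault before any memory controller is involved, which is the isolation property the OS-protection and direct-assignment slides rely on.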