The present invention relates to a computer architecture and in particular an input-output memory management unit (IOMMU) for controlling mapping between an I/O device address space and physical computer memory reducing both the processor burden and the risks of memory corruption due to erroneous or malicious operation of I/O.
Current electronic computers may include a memory management unit (MMU) positioned between one or more processors and physical memory. The MMU, under the control of the operating system (OS), maps virtual addresses used by the processors to different addresses of physical memory. This mapping, for example, allows fragmented physical memory locations to be presented to a processor (or a particular process running on the processor) as a continuous block of virtual memory. Different processes can use the same address range of virtual memory mapped to different addresses of physical memory.
The MMU also provides for memory protection by isolating given processes to limited virtual memory (and hence a physical memory) regions preventing processes from corrupting memory used by other processes through overwriting of that memory. In this regard, the MMU may track and enforce read/write permissions, limiting reading or writing of a given process within the physical address range allocated to a process.
A similar input-output memory management unit (IOMMU) may be interposed between I/O devices such as disk drives and the physical memory. Like the MMU, the IOMMU provides the I/O devices with virtual addresses (IOVA) that are mapped to physical addresses of the physical memory. The IOMMU may further include permissions limiting the reading and writing within the physical address range allocated to the I/O device and thus may prevent an I/O device from corrupting the memory state of others (CPU, OS or other I/O) or accessing other I/O devices.
The mappings between the virtual addresses (IOVA) and the physical addresses are stored in a data structure called page table, typically resident in physical memory. The page table stores the mapping information at the granularity of one or a few fixed-size pages. Each of the individual entries of the page table is called a page table entry or PTE. A PTE thus stores the mapping of a given page in a virtual address to its corresponding physical address of physical memory. The PTE may also include one or more permission limiting reading and/or writing to the physical memory within the mapped address range.
In operation, an device is typically associated with a driver program that may run on the processor. Before an I/O device can read or write, from or to the physical memory, the corresponding driver program requests the OS to establish the needed mapping between the virtual address and the physical memory. The OS then may create the requested PTEs in the page table to establish the requested mapping.
After the OS establishes table entry on behalf of the driver, the driver invokes the necessary call to the I/O device which performs an I/O task.
When the I/O device needs to access memory as part of the I/O task, it provides a virtual address to the IOMMU. The IOMMU finds a PTE related to that virtual address in the page table to obtain the necessary physical address range and permissions. These mappings and permissions of the page table PTE may be duplicated in a cache structure of the IOMMU called IO Translation Lookaside Buffer (IOTLB). The IOMMU then accesses the physical memory according to that mapping and the permissions of the cached PTE. The IOMMU denies access to physical memory if the mapping or if enough permission for the operation is unavailable.
When the memory access by the I/O device is complete, the I/O device provides a completion signal to the operating system. The operating system executing on the processor then may perform a PTE deletion action, deleting the PTE from the page table, and sends a corresponding IOMMU cache deletion signal to the IOMMU cache causing deletion of the corresponding PTE from the IOMMU cache. This deletion process prevents extra erroneous memory accesses by an errant I/O device such as may corrupt previously written data. The operating system executing through the processor may periodically delete stale PTEs from the page table (even absent a completion signal from the IOMMU) after a predetermined period of time.
The benefits of the IOMMU in virtualization and reduction of memory corruption are offset in part by the additional time required to implement the above described protocol and the demands placed on a processor resources.