DMA Remapping (Hardware isolation of direct memory access)

DMA Remapping technology allows the hypervisor or operating system to restrict direct memory access by devices, assigning strictly defined regions to each. The processor input-output block translates the physical addresses requested by a device into guest or host memory addresses, preventing peripherals from reading or modifying foreign data.

The main application area is input-output virtualization, where several virtual machines are assigned their own PCI Express devices via SR-IOV technology or direct assignment. The technology also provides security in systems with trusted boot, isolating critical memory regions from network cards and solid-state drives capable of initiating DMA attacks through external ports. Additionally, it is used in automotive systems to separate real-time domains.

Typical problems

The most common difficulty is a significant increase in latency during frequent input-output context switches due to the need to flush and refill the translation lookaside buffer. The second problem is suboptimal bandwidth utilization when the page structure of translation tables creates overhead on small transfers. There are also compatibility conflicts with legacy devices that do not support ACS error codes, and the high complexity of debugging translation failures on production systems.

How it works

The mechanism functions at the PCI Express root complex level, where a specialized input-output memory management unit (IOMMU) intercepts every direct memory access request from a peripheral device. The request contains the target physical address the device intends to read or write; this address is not final and is treated as an identifier within the guest address space. The IOMMU processes the incoming request in several stages. First, the request source identifier, consisting of bus number, device number, and function number, is extracted from the transaction header and used to look up a pointer to the root context table. Each device has its own context structure storing the base address of a multi-level page table for translation, similar to classic processor page tables. Then the hardware block traverses the first, second, third, and fourth level tables, comparing offset bits with the entry at each level to obtain the host physical address.

Concurrently with translation, access rights are checked: whether the device is allowed to read, write, or execute at the requested address. If the address is missing from the tables or rights are violated, the IOMMU generates an interrupt and blocks the transaction, returning a Completion Abort error to the device. To accelerate repeated accesses, the block contains a translation lookaside buffer that caches recently used mappings between guest and host addresses.

When a request is received, the cache is first checked for an existing translation; only on a miss is a full table walk initiated. The operating system or hypervisor manages the tables via dedicated memory regions and cache invalidation commands, ensuring that when a virtual machine migrates or a buffer is freed, the device cannot access pages that no longer belong to the process. Thus, every data movement between a device and memory passes through a hardware filter, completely transparent to the peripheral itself, but providing strict isolation and data integrity in a multi-tenant environment.

DMA Remapping functionality

1. Basic principle of remapping DMA requests. The DMA Remapping function provides translation of memory addresses used by peripheral devices during direct access into host physical addresses. The IOMMU intercepts DMA requests, extracts the request source identifier, and uses multi-level page tables to convert the device virtual address into a valid system memory address.
2. Traffic source identification. Each DMA request is mapped to a unique identifier, typically formed from a combination of PCIe bus, device, and function numbers (BDF). This source tag allows the IOMMU to isolate translation contexts for different agents. The hardware logic uses this identifier to look up the root pointer to the device context structure in configuration registers, making traffic routing deterministic.
3. Isolation domains and device contexts. The device context is a fundamental data structure linking a specific peripheral agent to an isolation domain. The domain defines the private address space within which translation occurs. Loading the context table root pointer into the IOMMU register activates the remapping process, forcing all transactions to undergo access right checks and address translation.
4. Multi-level page table hierarchy. The translation process uses a four-level or five-level table structure, analogous to classic x86 paging. Page table entries (PTEs) contain read, write, and execute permission bits. The IOMMU hardware state machine sequentially descends through levels, using the device virtual address bits as indices, and calculates the final physical page number, forming the target system address.
5. Caching translations in the TLB. To reduce latency on repeated accesses, the IOMMU uses specialized translation lookaside buffers (IOTLB). On an IOTLB miss, the hardware initiates a page table walk in RAM. The virtualization subsystem must perform strobing and cache invalidation when mappings change, ensuring that devices do not use stale translation data.
6. Fixed-format incoming interrupt handling. The Remapping function remaps not only memory access but also MSI/MSI-X interrupt routing. When a device initiates an interrupt signal in message format, the IOMMU interrupt block intercepts the write to a special address range. It uses a separate interrupt remapping table to modify the vector identifier and target APIC ID, ensuring signal isolation.
7. Interrupt remapping table. This structure is indexed by the original request identifier and interrupt type. Each entry contains delivery attributes, handling mode, and a logical destination mask. The hardware atomically checks the agent’s right to generate an interrupt and substitutes the address and data portions of the MSI transaction. Invalid or unmasked entries are discarded, putting the device into a fault state.
8. Guest physical address translation. In a virtualization environment, the hypervisor provides the virtual machine with the illusion of a contiguous guest physical address space. DMA Remapping performs nested translation: the first level converts the address provided by the guest (GPA) into a host address (HPA), hiding real memory fragmentation from the virtual machine and providing isolation at the hardware level.
9. Configuration via the ACPI DMAR table. Platform firmware describes the capabilities of the remapping subsystem in an ACPI structure (DMAR). The table contains IOMMU discovery registers, control register area information, and interrupt handling block flags. The operating system parses the DMAR to create appropriate protection domains and initialize translation structures before assigning devices to drivers.
10. Pass-through mode. For high-performance operations without virtualization involvement, Identity Mapping (pass-through) mode is supported. In this mode, a one-to-one mapping is established in the page tables, and translation does not alter the incoming address. This approach minimizes table walk overhead while preserving the ability to filter requests by access rights via PTEs.
11. Memory page protection mechanism. The remapping function checks whether the DMA transaction type matches the permission bits in the corresponding PTE. If a device attempts to write to a region marked read-only, the IOMMU generates a fatal translation block error. The hardware response includes logging the fault address in a status register, suppressing the malicious transaction, and notifying the operating system via an interrupt.
12. Write ordering and coherency management. The IOMMU interacts with interconnect coherency protocols to maintain correct memory update ordering. When modifying context or page table entries, software must perform write barriers and atomic invalidation operations. The hardware respects the order of emptying queues of pending transactions, ensuring that no subsequent DMA request is serviced using a stale translation rule.
13. ATS support. Address Translation Services (ATS) allow a device to request and cache translations locally in its own ATC. The peripheral controller sends a translation request packet, to which the IOMMU responds with the translation result. When mappings change, the host initiates a translation recall via an ATS Invalidation Message, forcibly removing stale entries from the endpoint cache without driver intervention.
14. Error handling and logging. When a access violation is detected, the IOMMU records the violating source identifier, violation type, and fault address in a dedicated event buffer in system memory. The hardware write pointer updates cyclically, and the interrupt mechanism notifies the OS error handler. This allows the hypervisor to identify faulty hardware and isolate it, preventing damage to unrelated subsystems.
15. Command queue structure. Software interacts with the IOMMU asynchronously via a circular command buffer in memory. The driver places descriptors for cache invalidation operations, transaction completion waits, or context updates into the queue and updates the tail pointer. The hardware fetches commands via the head pointer, executes them in queue order, and updates status, minimizing CPU wait cycles.
16. Assigning devices to guest systems. VT-d technology allows direct assignment of a PCIe device to a virtual machine. DMA Remapping isolates the guest address space so that any attempt by the device to access memory belonging to another domain or the hypervisor is blocked in hardware. The platform translates guest physical addresses to machine addresses, allowing an unmodified driver inside the virtual machine to manage the hardware without compromising security.
17. Scalable interrupt virtualization. Hardware support for posted interrupts with remapping functions allows direct injection of interrupts into a virtual machine without exiting to the hypervisor. A posted interrupt table associates a virtual vector with a physical one. The IOMMU atomically modifies the entry in the virtual APIC and generates a delivery notification, respecting signal pass-through semantics and reducing real-time latency.
18. Mapping physical memory with PASID. Process Address Space Identifier (PASID) extends the DMA request tag, allowing a single device to use multiple translation contexts. Passing PASID in a TLP prefix enables a shared accelerator to perform operations on different user application virtual address spaces, providing per-process virtualization with hardware-enforced access boundaries.
19. Subpage protection granularity. In addition to standard 4 KB pages, large pages (2 MB, 1 GB) reduce TLB pressure but lower control granularity. The IOMMU implements a subpage locking mechanism, allowing the administrator to mark part of a large page as inaccessible. The hardware performs an additional offset check within the large block, offering a compromise between table walk performance and peripheral region security.
20. Large Pages (Memory Page enlargement)
21. Performance monitoring and counters. Modern IOMMU blocks include programmable performance monitors that count IOTLB miss events, context cache hits, and table walk latencies. Configuring event selection registers allows engineers to profile the memory subsystem load generated by high-speed NVMe drives or network adapters and identify translation configuration bottlenecks without stopping the data flow.

Comparisons

• DMA Remapping vs IOMMU. DMA Remapping is the functional block of the Intel IOMMU (VT-d) responsible specifically for translating direct memory access addresses. The IOMMU itself is a broader concept, also including interrupts and error handling. Essentially, Remapping is the mechanism that implements the IOMMU’s main protective function: isolating devices at the memory page level.
• DMA Remapping vs SMMU. ARM’s SMMU is architecturally identical to DMA Remapping, solving the same device address translation problem but for the ARM ecosystem. The key difference lies in page table implementation and integration with the system architecture. Intel uses command contexts and tables, whereas SMMU relies on Stream IDs, substreams, and a descriptor format specific to the ARM architecture.
• DMA Remapping vs GART. GART (Graphics Address Remapping Table) is a historical predecessor that provided a linear address space for GPUs via scattered physical pages. Unlike DMA Remapping, GART did not provide isolation or access protection – any device could use its window, and there was no access control, making the system vulnerable to peripheral attacks.
• DMA Remapping vs ATS. ATS (Address Translation Services) is not a competitor but a complement, allowing an endpoint device to cache address translations. DMA Remapping on the IOMMU side performs the translation itself on request, while ATS reduces latency by allowing the device to store ready IOVA to physical address mappings, which is critical for high-speed NVMe drives and network cards.
• DMA Remapping vs VFIO. VFIO is a Linux kernel framework for assigning devices to virtual machines, using DMA Remapping as the hardware foundation for isolation. Remapping itself guarantees that the device sees only the virtual machine’s permitted memory, while VFIO provides a software interface for configuring these hardware tables. Without DMA Remapping, VFIO loses its protective properties, relying only on a less secure translator.
• VFIO (Direct device Input-Output virtualization)

OS and driver support

The operating system discovers DMA Remapping components by parsing ACPI DMAR (DMA Remapping Reporting) tables during boot, where DRHD (DMA Remapping Hardware Unit Definition) structures describe hardware blocks and Device Scope declarations bind specific PCI devices to their IOMMU controllers; device drivers must use kernel DMA APIs (e.g., pci_map_*()) to generate correct IO Virtual Addresses (IOVA) instead of physical addresses, and the kernel manages isolation domains, allocating a unique address space for each device or group behind a P2P bridge.

Security

Hardware protection is implemented by creating isolated page table translation domains for each device context, preventing one peripheral from unauthorized access to another peripheral’s memory; in virtualization environments, Intel VT-d and AMD-Vi technologies enable direct passthrough of devices to virtual machines, ensuring that the guest OS can perform DMA only into permitted physical pages, blocking attempts to read or write foreign data at the hardware level.

Logging

When DMA errors occur (e.g., an attempt to write to a page without access rights), the DMA Remapping block generates an interrupt, and the driver logs incident details to the system console output, where a message like DMAR:[DMA Write] Request device [00:02.0] fault addr 6df084000 identifies the offending device by its BDF address, the target fault address, and the error reason (e.g., fault reason 05 indicates a missing write flag in the PTE).

Limitations

The main limitation is the exhaustion of the IOMMU virtual address space under intensive work with large memory volumes, forcing either an increase in table size via kernel parameters (e.g., iommu=memaper on AMD platforms) or complete disabling of DMA Remapping to prevent performance degradation or kernel panic; on 32-bit ARM systems, historically, remapping kernel mappings is an expensive operation because memory sections are shared between the MMU tables of all processes, so DMA pools for coherent allocations are forcibly fixed at boot time and limited in size.

History and development

Mass adoption of hardware support for DMA Remapping on x86 began in 2007–2008: Intel introduced VT-d technology in the Q35 chipset with DMA address translation and VM memory isolation, and around the same period, DMAR table parsers (dmar.c driver) were added to the Linux kernel for early discovery and initialization; subsequent development moved toward Shared Virtual Memory (SVM) support via PASID and PRI specifications, allowing devices to share process virtual address spaces, as well as integration of DMA Remapping functions directly into the processor die.