[vfio-users] DMA restriction in VM's?
Alex Williamson
alex.williamson at redhat.com
Fri Apr 14 00:18:49 UTC 2017
On Thu, 13 Apr 2017 19:58:05 -0400
"Taiidan at gmx.com" <Taiidan at gmx.com> wrote:
> Do VMs receive IOMMU protection or is that only for the VMM? to prevent
> unauthorized peer>peer DMA and of course device>host DMA.

The VM itself is isolated with the IOMMU by default, devices within the
VM can only DMA to guest memory. We do configure translations to allow
peer-to-peer for devices assigned to the same VM, but whether this
actually works depends on the hardware support. There is emulated VT-d
support for vfio under development which will probably enter QEMU after
the 2.9 release. This will isolate individual devices within the VM,
but there's a pretty significant performance cost in the DMA mapping
and unmapping path for dynamic DMA mapping within the VM.
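
The following toy model is an added illustration, not part of the original message and not code from vfio or QEMU. It contrasts the single shared IOMMU domain described above with the per-device domains an emulated VT-d would provide; the addresses, device names and table layout are constructed assumptions.

```python
PAGE = 0x1000

class Domain:
    """One IOMMU domain: a page-granular table from IOVA to a DMA target."""
    def __init__(self):
        self.table = {}                       # IOVA page number -> target label

    def map(self, iova, size, target):
        for page in range(iova // PAGE, (iova + size + PAGE - 1) // PAGE):
            self.table[page] = target

    def unmap(self, iova, size):
        for page in range(iova // PAGE, (iova + size + PAGE - 1) // PAGE):
            self.table.pop(page, None)

    def translate(self, iova):
        # No entry means the IOMMU blocks the access and reports a fault.
        return self.table.get(iova // PAGE, "fault")

# Constructed guest layout (assumption): 1 MiB of RAM and one assigned NIC BAR.
GUEST_RAM = (0x0, 0x100000)
NIC_BAR = (0xFE000000, 0x2000)

def shared_domain():
    """Default vfio setup: every device assigned to the VM uses one domain
    that maps all guest RAM, plus peer BARs for peer-to-peer."""
    dom = Domain()
    dom.map(*GUEST_RAM, "guest-ram")
    dom.map(*NIC_BAR, "nic-bar")  # translation exists; hardware may still not route it
    return {"gpu": dom, "nic": dom}

def per_device_domains():
    """Emulated VT-d: one domain per device, empty until the guest maps a buffer."""
    return {"gpu": Domain(), "nic": Domain()}

def dma(domains, device, iova):
    """Return the target a device's DMA to `iova` reaches, or "fault"."""
    return domains[device].translate(iova)

if __name__ == "__main__":
    flat, split = shared_domain(), per_device_domains()
    split["nic"].map(0x8000, PAGE, "guest-ram")     # guest driver maps one RX buffer
    for name, doms in (("shared", flat), ("per-device", split)):
        for dev, iova in (("nic", 0x8000), ("gpu", 0x8000),
                          ("gpu", NIC_BAR[0]), ("gpu", 0x7FFF0000)):
            print(f"{name:10} {dev} -> {iova:#010x}: {dma(doms, dev, iova)}")
```

In the per-device case every buffer the guest driver maps or unmaps changes that device's table, which is the dynamic mapping path whose cost the message mentions.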