IOMMU PARAVIRTUALIZATION MECHANISM INTRODUCED FOR XEN

Developers of the XCP-ng project have introduced a new feature called PV-IOMMU that gives guest systems access to limited IOMMU functionality through Xen's paravirtualization infrastructure. The feature can be used to implement DMA protection in Dom0 or to support the Linux kernel's VFIO subsystem. Until now, the Xen hypervisor used the IOMMU itself for PCI device passthrough and for restricting device memory access, but guest systems could not interact with the IOMMU directly, for stability and security reasons.

An IOMMU is a specialized memory management unit that translates the virtual addresses visible to hardware into physical addresses, which makes it possible to perform DMA operations at virtual addresses and to restrict input-output operations. With IOMMU virtualization, guest systems can interact directly with peripherals such as Ethernet adapters, graphics cards, and storage controllers. Intel's IOMMU implementation is known as VT-d (Virtualization Technology for Directed I/O), AMD's as AMD-Vi (I/O Virtualization), and ARM's as SMMU (System Memory Management Unit).

PV-IOMMU abstracts the low-level hardware details while letting guest systems use IOMMU capabilities. A new hypercall, HYPERVISOR_iommu_op, has been proposed for Xen so that guest systems can perform IOMMU operations. Guests can create and modify IOMMU domains, which Xen calls IOMMU contexts, to manage device access and memory operations for one or several devices. PV-IOMMU currently supports only Intel VT-d, with support for AMD-Vi and SMMUv3 planned.
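The isolation that IOMMU contexts provide can be shown with a small model. This is an added example, not code from Xen or XCP-ng, and it does not reproduce the HYPERVISOR_iommu_op interface: the structures, function names and frame numbers are all hypothetical. Each device is bound to one context, and a DMA access succeeds only if that context maps the target frame with sufficient permission.

```c
/* Toy model of IOMMU contexts: an added illustration, not Xen's PV-IOMMU ABI.
 * Every name and constant here is hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define MAX_MAPS   8
#define DMA_FAULT  UINT64_MAX

struct mapping { uint64_t dfn, pfn; int writable, used; }; /* device frame -> physical frame */
struct context { struct mapping maps[MAX_MAPS]; };
struct device  { struct context *ctx; };  /* a device is bound to one context at a time */

/* Map one device-visible frame to a physical frame; 0 on success, -1 if full. */
int ctx_map(struct context *c, uint64_t dfn, uint64_t pfn, int writable) {
    for (int i = 0; i < MAX_MAPS; i++)
        if (!c->maps[i].used) {
            c->maps[i] = (struct mapping){ dfn, pfn, writable, 1 };
            return 0;
        }
    return -1;
}

/* Translate a DMA access as the IOMMU would: only frames mapped in the
 * device's own context are reachable, and writes need a writable mapping. */
uint64_t dma_translate(const struct device *d, uint64_t daddr, int is_write) {
    if (!d->ctx) return DMA_FAULT;                 /* unassigned device: block */
    uint64_t dfn = daddr >> PAGE_SHIFT, off = daddr & ((1u << PAGE_SHIFT) - 1);
    for (int i = 0; i < MAX_MAPS; i++) {
        const struct mapping *m = &d->ctx->maps[i];
        if (m->used && m->dfn == dfn)
            return (is_write && !m->writable) ? DMA_FAULT
                                              : (m->pfn << PAGE_SHIFT) | off;
    }
    return DMA_FAULT;                              /* no mapping: block */
}

int main(void) {
    struct context nic_ctx = {0}, disk_ctx = {0};
    struct device nic = { &nic_ctx }, disk = { &disk_ctx };
    ctx_map(&nic_ctx, 0x10, 0x8000, 1);            /* constructed sample frames */
    ctx_map(&disk_ctx, 0x10, 0x9000, 0);           /* same dfn, different context */
    printf("nic write  -> %#llx\n", (unsigned long long)dma_translate(&nic, 0x10040, 1));
    printf("disk read  -> %#llx\n", (unsigned long long)dma_translate(&disk, 0x10040, 0));
    printf("disk write blocked: %d\n", dma_translate(&disk, 0x10040, 1) == DMA_FAULT);
    return 0;
}
```

The same device-visible address resolves to different physical frames depending on the context, which is what lets a guest confine each device to its own buffers.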
