6

what does IOMMU actually do, does it manage memory access for devices like MMU does for processes or is it more simplified thing and doesn't provide virtualization/access control ?

So basically my question is: does IOMMU mitigate DMA attacks ?

sec
  • 65
  • 4

1 Answers1

3

Here's a low-level programmer's point of view: yes, an IOMMU can mitigate DMA attacks. The IOMMU determines which part of the RAM devices can access. If the IOMMU doesn't let a device map a particular part of the memory then that part of the memory is immune to direct attacks from or through this device.

In practice, effectively leveraging the IOMMU can be difficult. Depending on the machine architecture, the IOMMU may have less flexibility and a coarser granularity that the MMU, so that the OS can't always implement the optimal security policy. Devices may be multiplexed on the same bus in such a way that different devices with different requirements and different levels of trust have a common IOMMU configuration, requiring compromises.

So having an IOMMU helps, but it is not an automatic defense. And, in practical terms from a system administrator's point of view, having an IOMMU is not enough, what matters is how the OS configures it.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179