/ˌɪnˌpʊt ˌaʊtˈpuː mɛməri ˈmænɪdʒmənt ˈjuːnɪt/
noun — "translates and protects device memory access."
IOMMU, short for Input-Output Memory Management Unit, is a specialized hardware component that manages memory access for peripheral devices, translating device-generated addresses into physical addresses in main memory and enforcing protection policies. By controlling and isolating the memory access of I/O devices, the IOMMU prevents devices from reading or writing outside their allocated memory regions, which is critical for security, system stability, and virtualization.
Technically, an IOMMU operates similarly to a CPU-side PMMU, but for devices rather than software processes. It maintains a set of page tables mapping device-visible addresses, sometimes called I/O virtual addresses, to physical memory addresses. When a device initiates a memory transaction, such as via DMA (Direct Memory Access), the IOMMU intercepts the request, performs the translation, and verifies permissions before granting access. If the transaction is invalid or exceeds assigned boundaries, the IOMMU raises a fault, protecting the system from accidental corruption or malicious behavior.
The IOMMU is essential in modern systems with virtualization. When multiple virtual machines share physical hardware, each virtual machine may have devices assigned through passthrough mechanisms. The IOMMU translates guest physical addresses into host physical addresses, ensuring that devices cannot access memory outside the guest’s allocated space. This capability is critical for technologies like Intel VT-d or AMD-Vi, which provide secure and isolated device access in virtualized environments.
Example operational scenario:
# conceptual device memory access
device_address = 0x1000 # device thinks it's writing here
physical_address = IOMMU.translate(device_address)
if IOMMU.check_permission(device, physical_address):
memory[physical_address] = data
else:
raise AccessViolation
In addition to protection and address translation, IOMMUs can optimize performance by remapping addresses to reduce memory fragmentation, enable page-level caching policies for devices, and provide hardware support for interrupt remapping. Many high-performance peripherals, including GPUs, network cards, and storage controllers, rely on the IOMMU to safely perform high-bandwidth DMA operations without risk to the host system.
Conceptually, an IOMMU is like a security checkpoint and translator for device memory requests. Devices operate under the assumption that they have direct memory access, but the IOMMU ensures that every request lands in the correct location and adheres to access rules, preventing collisions, corruption, or leaks between devices and the system.
See PMMU, DMA, Virtual Memory, Operating System.