Independent claim

1. A method, comprising:

receiving, by a virtual I/O memory management unit (IOMMU) within a virtual machine (VM), a memory request by an input/output (I/O) device, wherein the memory request includes a guest virtual address and the I/O device is directly assigned to the VM;

translating, by the virtual IOMMU, the guest virtual address to a guest physical address using a guest page table, the guest page table being maintained by a guest OS (operating system) and accessed based on an indexed entry associated with a virtual I/O device identification in a device table in the virtual IOMMU, wherein the guest page table is implemented in hardware form and the device table is virtualized using software; and

translating, by the virtual IOMMU, the guest physical address to a system physical address using a host page table, the host page table being maintained by a hypervisor;

validating, by the virtual IOMMU, the guest virtual address using the guest page table to determine whether the guest virtual address is within a valid range of addresses authorized by the guest OS for the I/O device; and

if the guest virtual address is not within a valid range of addresses authorized by the guest OS for the I/O device, precluding the memory request from accessing the guest virtual address.
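
The two-stage lookup and the validation step recited in the claim, as an added software model that is not part of the patent text. The flat single-level tables, the 4 KiB page size, all type and function names, and the reading of "valid range" as "a valid guest page table entry exists" are assumptions made for illustration; the sample mappings are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define PAGE_SHIFT 12
#define PAGE_MASK  ((1ULL << PAGE_SHIFT) - 1)
#define NPAGES     8   /* assumed: tiny flat tables, one level only */
#define NDEVS      4   /* assumed: device table size */

typedef struct { uint64_t frame; int valid; } pte_t;
typedef struct { pte_t pte[NPAGES]; } page_table_t;
typedef struct { const page_table_t *guest_pt; } dte_t; /* device table entry */
typedef struct {
    dte_t dev_table[NDEVS];      /* indexed by virtual I/O device ID */
    const page_table_t *host_pt; /* maintained by the hypervisor */
} viommu_t;

/* One translation stage; fails closed on a missing table or unmapped page. */
static int walk(const page_table_t *pt, uint64_t in, uint64_t *out) {
    uint64_t pn = in >> PAGE_SHIFT;
    if (pt == NULL || pn >= NPAGES || !pt->pte[pn].valid) return -1;
    *out = (pt->pte[pn].frame << PAGE_SHIFT) | (in & PAGE_MASK);
    return 0;
}

/* Returns 0 and fills *spa, or -1 when the request is precluded. */
int viommu_translate(const viommu_t *m, unsigned dev_id, uint64_t gva, uint64_t *spa) {
    uint64_t gpa;
    if (dev_id >= NDEVS) return -1;            /* no device table entry */
    if (walk(m->dev_table[dev_id].guest_pt, gva, &gpa) != 0)
        return -1;                             /* GVA not authorized by the guest OS */
    return walk(m->host_pt, gpa, spa);         /* GPA -> SPA via the host table */
}

/* Constructed sample: device 1 maps GVA page 2 -> GPA page 5 -> SPA page 7. */
static page_table_t guest_pt_dev1, host_pt;
static viommu_t demo;
const viommu_t *demo_viommu(void) {
    guest_pt_dev1.pte[2] = (pte_t){ .frame = 5, .valid = 1 };
    host_pt.pte[5] = (pte_t){ .frame = 7, .valid = 1 };
    demo.dev_table[1].guest_pt = &guest_pt_dev1;
    demo.host_pt = &host_pt;
    return &demo;
}

int main(void) {
    uint64_t spa;
    return viommu_translate(demo_viommu(), 1, 0x2abc, &spa) == 0 && spa == 0x7abc ? 0 : 1;
}
```

A request is refused at the first stage when the device has no guest table or the guest OS has not mapped the page, so the host table is never consulted for an address the guest did not authorize.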