Device and I/O Virtualization

Device Emulation

I/O operations are all privileged and trapped, e.g. PIO, MMIO, DMA etc, which makes it naturally virtualizable with trap-and-emulate technique. This approach requires many guest-host switches and has usually poor performance.

Paravirtualized I/O

In modern operating system environment, it is possible to install device drivers that communicate to hypervisor's emulation code directly. With this approach, the front-end driver in a guest VM forwards I/O request to back-end driver in host, which requests the forwarded I/O to HW via native driver. Paravirtualized I/O reduces number of context switches and results in major performance enhancements.

Direct Device Assignment

Device assignment allows guest OS to access underlying device directly. This approach is often used when a device is used by only one VM. However, even with device assignment,  host intercepts all interrupts so there is still performance cost.

IOMMU

Direct device assignment is vulnerable to DMA attack.  DMA is carried out with machine address which means one VM can access another VM's machine address. IOMMU secure direct I/O access by presenting a virtual address space to I/O device. Without IOMMU support, every DMA request must  be monitored by using memory protection to DMA descriptor region.

References

1. https://www.slideshare.net/HwanjuKim/5io-virtualization
2. https://compas.cs.stonybrook.edu/~nhonarmand/courses/sp17/cse506/slides/io_virtualization.pdf
3. Yassour, Ben-Ami & Ben-Yehuda, Muli & Wasserman, Orit. (2008). Direct device assignment for untrusted fully-virtualized virtual machines. 
4. https://queue.acm.org/detail.cfm?id=2071256