Windows 10 Device Guard, ACS and IOMMU groups

Windows 10 Device Guard

Device Guard needs IOMMU protection – Intel VT-d or AMD-Vi

We also need true IOMMU isolation: a device assigned to one VM must not be able to issue an I/O request to a device that belongs to another VM.

IOMMU Groups, inside and out

PCIe is needed

– “conventional PCI does not tag transactions with an ID of the requesting device (requester ID)”

– “PCI-X included some degree of a requester ID, but rules for interconnecting devices taking ownership of the transaction made the support incomplete for isolation.”

“[Whatever else] an IOMMU does in a system, it allows mapping of an I/O virtual address (IOVA) to a physical memory address.”

“With PCIe, each device tags transactions with a requester ID unique to the device (the PCI bus/device/function number, BDF), which is used to reference a unique IOVA table for that device.”

“IOMMU groups try to describe the smallest sets of devices which can be considered isolated from the perspective of the IOMMU”

“The PCIe specification allows for transactions to be re-routed within the interconnect fabric.  A PCIe downstream port can re-route a transaction from one downstream device to another.  The downstream ports of a PCIe switch may be interconnected to allow re-routing from one port to another.  Even within a multifunction endpoint device, a transaction from one function may be delivered directly to another function.  These transactions from one device to another are called peer-to-peer transactions and can be bad news for devices operating in separate IOVA spaces.”

ACS (PCIe Access Control Services) “provides us with the ability to determine whether these redirects are possible as well as the ability to disable them.”

“Without ACS support at every step from the device to the IOMMU, we must assume that redirection is possible at the highest upstream device lacking ACS, thereby breaking isolation of all devices below that point in the topology.  IOMMU groups in a PCI environment take this isolation into account, grouping together devices which are capable of untranslated peer-to-peer DMA.”

“With the exception of bridges, root ports, and switches (ie. interconnect fabric), all devices within an IOMMU group must be bound to a VFIO device driver or known safe stub driver.  For PCI, these drivers are vfio-pci and pci-stub.”

For true IOMMU isolation we need

– PCIe

– “each device must associate to a unique IOVA space.”

– ACS support at every step from the device to the IOMMU

– IOMMU groups set up correctly

“IOMMU groups are visible to the user through sysfs” (/sys/kernel/iommu_groups)
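An added example (not from the quoted post, Microsoft or the kernel project) that audits the sysfs view described above: it walks each IOMMU group, lists the BDF, PCI class and bound driver of every device, and flags groups in which a non-bridge device is not on vfio-pci or pci-stub. The sample tree it builds is constructed for offline testing; on a real host point unsafe_groups at /sys/kernel/iommu_groups.

```shell
#!/bin/sh
# Audit IOMMU groups per the quoted rule: every non-bridge device in a group must be
# bound to vfio-pci or pci-stub. Walks /sys/kernel/iommu_groups/<N>/devices/<BDF> links.

# Print "group bdf class driver" for every device; driver is "-" when unbound.
list_group_devices() {
    root="$1"
    for grp in "$root"/*/; do
        [ -d "$grp" ] || continue
        g=$(basename "$grp")
        for dev in "$grp"devices/*; do
            [ -e "$dev" ] || continue
            bdf=$(basename "$dev")
            class=$(cat "$dev/class" 2>/dev/null || echo unknown)
            drv="-"
            [ -L "$dev/driver" ] && drv=$(basename "$(readlink "$dev/driver")")
            echo "$g $bdf $class $drv"
        done
    done
}

# Groups containing an endpoint (PCI class not 0x0604xx = bridge/root port/switch)
# that is bound to the wrong driver, or to no driver at all.
unsafe_groups() {
    list_group_devices "$1" | while read -r g bdf class drv; do
        case "$class" in 0x0604*) continue ;; esac   # interconnect fabric is exempt
        case "$drv" in vfio-pci|pci-stub) ;; *) echo "$g" ;; esac
    done | sort -un
}

# Constructed sample tree (not a real machine) so the audit can be exercised offline.
make_sample_tree() {
    base="$1"
    mkdev() {  # group bdf class driver ("" = unbound)
        d="$base/devices/$2"
        mkdir -p "$d" "$base/iommu_groups/$1/devices"
        echo "$3" > "$d/class"
        if [ -n "$4" ]; then mkdir -p "$base/drivers/$4"; ln -sfn "$base/drivers/$4" "$d/driver"; fi
        ln -sfn "$d" "$base/iommu_groups/$1/devices/$2"
    }
    mkdev 1 0000:00:1c.0 0x060400 ""          # root port: exempt
    mkdev 1 0000:02:00.0 0x020000 vfio-pci    # NIC handed to VFIO
    mkdev 2 0000:00:1c.1 0x060400 ""
    mkdev 2 0000:03:00.0 0x020000 e1000e      # NIC still on its host driver
    mkdev 2 0000:03:00.1 0x020000 ""          # sibling function, unbound
}

tmp=$(mktemp -d); make_sample_tree "$tmp"
echo "groups not safe to assign: $(unsafe_groups "$tmp/iommu_groups" | tr '\n' ' ')"
rm -rf "$tmp"
```

Group 2 is reported because one function of the multifunction NIC is still on the host driver and its sibling is unbound, exactly the situation the quoted rule forbids.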