  An IOMMU allows various devices to work with virtual memory, and for security policy to be enforced upon device-originated (bus-mastered) DMA. A virtual machine can work via a similar (or the same) table, allowing it to map guest physical addresses to host physical addresses.