
It has support for virtualization. There is a two-stage translation where the first stage handles the guest operating system and the second stage handles the hypervisor mappings. Both stages have nested page tables.

Also there is an IOMMU implementation for supporting virtualization for IO. For example, the IOMMU and CPU MMU page table mappings are synchronized such that a DMA controller would also adhere to page table mappings set up for the CPU.




Regarding the IOMMU:

A recent post revealed some security problems using firewire (and a few other technologies) related to DMA[1]. Would the IOMMU features you're talking about prevent that problem?

[1] https://news.ycombinator.com/item?id=7123121


Right. DMA creates security holes because it does not sit behind an MMU. It can change the memory of any guest OS. That means any OS or code that can program the DMA controller can bypass security. An IOMMU prevents that, because all IO devices sit behind this MMU.

You can have this protection, but then face programming issues if the IOMMU and CPU MMU use different page tables. You have to update both. The ARM IOMMU is designed so that it is automatically in sync with the CPU tables.
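The two-stage translation and the shared-table IOMMU described in this thread, as an added toy model that is not from the thread or from any ARM documentation; page granularity, the `PageTable`/`IOMMU` classes and the device and address values are invented for illustration.

```python
# Added toy model (not from the thread) of ARM-style two-stage translation and
# an IOMMU that walks the same stage-2 table as the CPU. All names are invented.
PAGE = 0x1000

class PageTable:
    """Page-granular map: page -> (target page, perms), perms e.g. 'rw' or 'r'."""
    def __init__(self):
        self.entries = {}
    def map_page(self, src, dst, perms="rw"):
        self.entries[src & ~(PAGE - 1)] = (dst & ~(PAGE - 1), perms)
    def unmap_page(self, src):
        self.entries.pop(src & ~(PAGE - 1), None)
    def translate(self, addr, access):
        """Return the translated address, or None on a translation/permission fault."""
        entry = self.entries.get(addr & ~(PAGE - 1))
        if entry is None or access not in entry[1]:
            return None
        return entry[0] | (addr & (PAGE - 1))

def cpu_access(stage1, stage2, va, access):
    """Stage 1 (guest OS: VA->IPA) nested under stage 2 (hypervisor: IPA->PA)."""
    ipa = stage1.translate(va, access)
    return None if ipa is None else stage2.translate(ipa, access)

class IOMMU:
    """Each assigned device is walked through its guest's stage-2 table object,
    so a hypervisor unmap is visible to DMA at once; there is nothing to re-sync."""
    def __init__(self):
        self.devices = {}
    def assign(self, device_id, stage2):
        self.devices[device_id] = stage2
    def dma(self, device_id, ipa, access):
        stage2 = self.devices.get(device_id)
        return None if stage2 is None else stage2.translate(ipa, access)

def demo():
    s1, s2 = PageTable(), PageTable()
    s1.map_page(0x1000, 0x8000)          # guest: VA 0x1000 -> IPA 0x8000
    s2.map_page(0x8000, 0x40000, "rw")   # hypervisor: IPA 0x8000 -> PA 0x40000
    s2.map_page(0x9000, 0x41000, "r")    # hypervisor: read-only page for guest
    iommu = IOMMU()
    iommu.assign("nic0", s2)             # device owned by this guest
    r = {"cpu": cpu_access(s1, s2, 0x1234, "w"),      # 0x40234
         "dma_ok": iommu.dma("nic0", 0x8010, "w"),    # 0x40010
         "dma_ro": iommu.dma("nic0", 0x9000, "w"),    # None: write to read-only
         "dma_unmapped": iommu.dma("nic0", 0xC000, "r"),  # None: not guest memory
         "dma_unassigned": iommu.dma("fw0", 0x8000, "r")}  # None: no table
    s2.unmap_page(0x8000)                # hypervisor revokes the page
    r["dma_after_unmap"] = iommu.dma("nic0", 0x8000, "r")  # None
    return r
```

Because the device and the CPU consult the same stage-2 object, the revocation at the end of `demo()` blocks DMA without a separate IOMMU update, which is the synchronization property the thread describes.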



