From 848100bf527816af58e1d8056c5da152c8884b4f Mon Sep 17 00:00:00 2001 From: Aacer Daken <41165107+AaDake@users.noreply.github.com> Date: Wed, 10 Jun 2020 13:32:43 -0700 Subject: [PATCH 1/3] Update kernel-dma-protection-for-thunderbolt.md Updated document to be more generic and cover Kernel DMA protection for PCI, rather than Thunderbolt 3 specifically --- .../kernel-dma-protection-for-thunderbolt.md | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 5474e7faf1..8cdba0cc57 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -1,5 +1,5 @@ --- -title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) +title: Kernel DMA Protection (Windows 10) description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. ms.prod: w10 ms.mktglfcycl: deploy @@ -15,17 +15,18 @@ ms.date: 03/26/2019 ms.reviewer: --- -# Kernel DMA Protection for Thunderbolt™ 3 +# Kernel DMA Protection **Applies to** - Windows 10 -In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. +In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g. Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g. M.2 slots) + Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on. -For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). +For Thunderbolt DMA protection on earlier Windows versions and platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). ## Background @@ -33,9 +34,9 @@ PCI devices are DMA-capable, which allows them to read and write to system memor The DMA capability is what makes PCI devices the highest performing devices available today. These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis. -Today, this is no longer the case with Thunderbolt™. +Today, this is no longer the case with hot plug PCIe ports (e.g. Thunderbolt™ and CFexpress). -Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs. +Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that was not available before for PCs. It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks. @@ -45,15 +46,14 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). -Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Peripherals with [DMA Remapping compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. +By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) ## User experience ![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) -A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -107,14 +107,13 @@ Please check the driver instance for the device you are testing. Some drivers ma ![Kernel DMA protection user experience](images/device-details-tab.png) -### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping? -If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found at the [Microsoft Partner Center](https://partner.microsoft.com/dashboard/collaborate/packages/4142). - +### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? +If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) ### Do Microsoft drivers support DMA-remapping? -In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping. +In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping. ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? -No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. +No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA Remapping. ### How can an enterprise enable the External device enumeration policy? The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). From 0519e9264e18abbb1bd4c50807475b09ed546da3 Mon Sep 17 00:00:00 2001 From: Aacer Daken <41165107+AaDake@users.noreply.github.com> Date: Wed, 10 Jun 2020 13:41:59 -0700 Subject: [PATCH 2/3] Update kernel-dma-protection-for-thunderbolt.md Updated document with new snapshot of device manager --- .../kernel-dma-protection-for-thunderbolt.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 8cdba0cc57..eeca0b68d5 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -103,6 +103,8 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external). +![Kernel DMA protection user experience](images/device_details_tab_1903.png) + *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. ![Kernel DMA protection user experience](images/device-details-tab.png) From d7f5ce5d1c2fe983c36120d99113edd9c4c060be Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 10 Jun 2020 16:07:30 -0700 Subject: [PATCH 3/3] Punctuation corrections --- .../kernel-dma-protection-for-thunderbolt.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index eeca0b68d5..a68fc44c18 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -20,7 +20,7 @@ ms.reviewer: **Applies to** - Windows 10 -In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g. Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g. M.2 slots) +In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots) Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. @@ -34,7 +34,7 @@ PCI devices are DMA-capable, which allows them to read and write to system memor The DMA capability is what makes PCI devices the highest performing devices available today. These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis. -Today, this is no longer the case with hot plug PCIe ports (e.g. Thunderbolt™ and CFexpress). +Today, this is no longer the case with hot plug PCIe ports (e.g., Thunderbolt™ and CFexpress). Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that was not available before for PCs. It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. @@ -47,7 +47,7 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). Peripherals with [DMA Remapping compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) +By default, peripherals with DMA Remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA Remapping incompatible drivers using the [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies). ## User experience @@ -110,7 +110,7 @@ Please check the driver instance for the device you are testing. Some drivers ma ![Kernel DMA protection user experience](images/device-details-tab.png) ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? -If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers) +If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers). ### Do Microsoft drivers support DMA-remapping? In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA Remapping.