No device may perform DMA outside of RMRR regions (Intel) or IVMD blocks (AMD) after ExitBootServices() until the devices’ respective OS drivers are loaded and started by PnP.At ExitBootServices(), the IOMMU must be restored by system firmware to power ON state.System firmware must disable the Bus Master Enable (BME) bit for all PCI root ports, that do not have children devices required to perform DMA between ExitBootServices() and the device driver being started by the OS.System firmware must protect against pre-boot DMA attacks by implementing DMA isolation of all DMA capable devices' IO buffers pre-ExitBootServices().The IOMMU is used block/unblock devices based on DMAGuard Device Enumeration Policy, and perform DMA remapping for devices with compatible drivers.Įnabling PCI Express Native Control using _OSC ACPI method is required for Kernel DMA Protection support. Kernel DMA Protection is only supported on 64-bit IA processors with virtualization extensions, including Intel VT-X and AMD-v.Īll I/O devices capable of DMA must be behind an enabled (by default) IOMMU. Against malicious DMA by devices connected to easily accessible internal/ external DMA-capable ports, such as M.2 PCIe slots and Thunderbolt™3, during OS runtime.With this feature, the OS and the system firmware protect the system against malicious and unintended Direct Memory Access (DMA) attacks for all DMA-capable devices: Kernel DMA Protection, (also known as Memory Access Protection, is a feature of a Windows 10 Secured-core PC that is supported on Intel and AMD platforms starting with Windows 10, version 1803 and Windows 10, version 1809.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |