Hardware Security - Kernel DMA Protection

Shaunm001 301 Reputation points
2024-03-06T14:30:22.1+00:00

I have a Server 2022 Standard Hyper-V host with all of the standard hardware security settings enabled as outlined here. However, I cannot seem to enable all of the same settings in the Windows VMs that run on the Hyper-V host. Specifically, I can't enable:

  • Memory Access Protection (aka "Kernel DMA Protection")
  • Secure MOR (Memory Overwrite Request Control)
  • System Management Mode (SMM) Protections

Everything I've read says that Windows automatically enables these settings if available. My question is, if all of these settings are available / enabled on the Hyper-V host, shouldn't those same settings be available on the VMs that run on the host? Are these security settings not available in Hyper-V virtual machines?


Accepted answer
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 29,891 Reputation points Microsoft Vendor
    2024-03-08T09:34:29.45+00:00

    Hi Shaunm001,

    Thanks for your reply. Based on my research, when you enable DMA in the host, it will not cascade to the virtual machine. Kernel DMA Protection protects against external peripherals gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks.

    Kernel DMA Protection (Memory Access Protection) for OEMs | Microsoft Learn

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

