Kernel DMA Protection (Memory Access Protection) for OEMs
Kernel DMA Protection, (also known as Memory Access Protection, is a feature of a Windows 10 Secured-core PC that is supported on Intel and AMD platforms starting with Windows 10, version 1803 and Windows 10, version 1809.
With this feature, the OS and the system firmware protect the system against malicious and unintended Direct Memory Access (DMA) attacks for all DMA-capable devices:
- During the boot process.
- Against malicious DMA by devices connected to easily accessible internal/external DMA-capable ports, such as M.2 PCIe slots and Thunderbolt™3, during OS runtime.
|64-bit CPU||Kernel DMA Protection is only supported on 64-bit IA processors with virtualization extensions, including Intel VT-X and AMD-v.|
|IOMMU (Intel VT-D, AMD-Vi)||All I/O devices capable of DMA must be behind an enabled (by default) IOMMU. The IOMMU is used block/unblock devices based on DMAGuard Device Enumeration Policy, and perform DMA remapping for devices with compatible drivers.|
|PCI Express Native Control Support||Enabling PCI Express Native Control using _OSC ACPI method is required for Kernel DMA Protection support.|
|Pre-boot DMA Protection||
|ACPI Kernel DMA Protection Indicators||
|Trusted Platform Module (TPM) 2.0||TPMs, either discrete or firmware, will suffice. For more information, see Trusted Platform Module (TPM) 2.0.
Verifying Kernel DMA Protection state on a Windows 10 system
The state of Kernel DMA Protection can be verified on a given system using either of the following methods
Using System Information application:
- Launch MSINFO32.exe.
- Check "Kernel DMA Protection" field in the "System Summary" page.
Using Windows Security application:
Launch Windows Security application from the Windows Start menu.
Click on the “Device Security” icon.
Click on “Core isolation details”.
“Memory Access Protection” will be listed as an available Security Feature, if enabled.
- If “Memory Access Protection” is not listed, then the feature is not enabled on the system.