Kernel DMA Protection (Memory Access Protection) for OEMs

Kernel DMA Protection (also known as Memory Access Protection) is a feature of a Windows 10 Secured-core PC that is supported on Intel and AMD platforms starting with Windows 10, version 1803 and Windows 10, version 1809.

With this feature, the OS and the system firmware protect the system against malicious and unintended Direct Memory Access (DMA) attacks for all DMA-capable devices:

  • During the boot process.
  • Against malicious DMA by devices connected to easily accessible internal/external DMA-capable ports, such as M.2 PCIe slots and Thunderbolt™3, during OS runtime.
Platform requirement / Details

64-bit CPU
    Kernel DMA Protection is only supported on 64-bit IA processors with virtualization extensions, including Intel VT-x and AMD-V.

IOMMU (Intel VT-d, AMD-Vi)
    All I/O devices capable of DMA must be behind an IOMMU that is enabled by default. The IOMMU is used to block/unblock devices based on the DMAGuard Device Enumeration Policy, and to perform DMA remapping for devices with compatible drivers.

PCI Express Native Control Support
    Enabling PCI Express Native Control using the _OSC ACPI method is required for Kernel DMA Protection support.

Pre-boot DMA Protection
  • System firmware must protect against pre-boot DMA attacks by implementing DMA isolation of all DMA-capable devices' IO buffers before ExitBootServices().
  • System firmware must disable the Bus Master Enable (BME) bit for all PCI root ports that do not have child devices required to perform DMA between ExitBootServices() and the device driver being started by the OS.
  • At ExitBootServices(), the IOMMU must be restored by system firmware to its power-on state.
  • No device may perform DMA outside of RMRR regions (Intel) or IVMD blocks (AMD) after ExitBootServices() until the devices' respective OS drivers are loaded and started by PnP.
    • Performing DMA outside of RMRR regions or IVMD blocks after ExitBootServices() and prior to the device driver being started by the OS will result in an IOMMU fault and potentially a system bug check (0xE6).

ACPI Kernel DMA Protection Indicators

Trusted Platform Module (TPM) 2.0
    TPMs, either discrete or firmware, will suffice. For more information, see Trusted Platform Module (TPM) 2.0.
  • On every boot where the IOMMU (VT-d or AMD-Vi) or Kernel DMA Protection is disabled, will be disabled, or is configured to a lower security state, the platform MUST extend an EV_EFI_ACTION event into PCR[7] before enabling DMA.
  • The event string SHALL be "DMA Protection Disabled". The platform firmware MUST log this measurement in the event log using the string "DMA Protection Disabled" for the Event Data.
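The PCR[7] requirement above gives attestation services a way to notice when firmware booted with DMA protection off: the measurement lands in the TCG event log and changes the PCR[7] value. The following Python is an added example (not code from this page or from Microsoft) that parses a raw TCG2 crypto-agile event log, flags the EV_EFI_ACTION "DMA Protection Disabled" entry in PCR[7], and replays the SHA-256 PCR[7] value from the logged digests. The log bytes it runs on are constructed inline; the spec-ID header and the EV_EFI_VARIABLE_DRIVER_CONFIG payload are simplified stand-ins, not real firmware output.

```python
"""Detect the 'DMA Protection Disabled' measurement in a TCG2 event log
and replay PCR[7] from it. Added example; the sample log is constructed."""
import hashlib
import struct
from typing import Dict, List, Tuple

EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_ACTION = 0x80000007
TPM_ALG_SHA256 = 0x000B
DMA_DISABLED_STRING = b"DMA Protection Disabled"

# Digest sizes by TCG algorithm ID (SHA-1, SHA-256, SHA-384, SHA-512).
DIGEST_SIZES = {0x0004: 20, 0x000B: 32, 0x000C: 48, 0x000D: 64}

Event = Tuple[int, int, Dict[int, bytes], bytes]  # pcr, type, digests, data


def parse_tcg2_log(log: bytes) -> List[Event]:
    """Parse a crypto-agile log. The first entry is a legacy TCG_PCR_EVENT
    (SHA-1 format) carrying the spec-ID event; it is skipped, and every
    following TCG_PCR_EVENT2 entry is returned."""
    off = 0
    # pcrIndex(4) eventType(4) sha1 digest(20) eventSize(4) -> 32 bytes
    _pcr, _etype, size = struct.unpack_from("<II20xI", log, off)
    off += 32 + size
    events: List[Event] = []
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests: Dict[int, bytes] = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            off += 2
            n = DIGEST_SIZES[alg]
            digests[alg] = log[off:off + n]
            off += n
        (size,) = struct.unpack_from("<I", log, off)
        off += 4
        events.append((pcr, etype, digests, log[off:off + size]))
        off += size
    return events


def dma_protection_disabled(events: List[Event]) -> bool:
    """True if firmware measured EV_EFI_ACTION 'DMA Protection Disabled' into PCR[7]."""
    return any(pcr == 7 and etype == EV_EFI_ACTION and data == DMA_DISABLED_STRING
               for pcr, etype, _, data in events)


def replay_pcr(events: List[Event], pcr_index: int, alg: int = TPM_ALG_SHA256) -> bytes:
    """Recompute a PCR from the log: PCR = H(PCR || digest) for each extended
    event. EV_NO_ACTION entries are informational and are not extended."""
    value = bytes(DIGEST_SIZES[alg])
    for pcr, etype, digests, _ in events:
        if pcr != pcr_index or etype == EV_NO_ACTION:
            continue
        value = hashlib.sha256(value + digests[alg]).digest()
    return value


def _event2(pcr: int, etype: int, data: bytes) -> bytes:
    """Serialize one TCG_PCR_EVENT2 with a single SHA-256 digest of the data."""
    digest = hashlib.sha256(data).digest()
    return (struct.pack("<III", pcr, etype, 1) + struct.pack("<H", TPM_ALG_SHA256)
            + digest + struct.pack("<I", len(data)) + data)


def build_sample_log(dma_disabled: bool) -> bytes:
    """Constructed sample log, not a capture from a real machine."""
    spec_id = b"Spec ID Event03\0" + bytes(8)  # simplified stand-in for TCG_EfiSpecIdEvent
    header = (struct.pack("<II", 0, EV_NO_ACTION) + bytes(20)
              + struct.pack("<I", len(spec_id)) + spec_id)
    body = [_event2(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot\x01")]  # stand-in payload
    if dma_disabled:
        body.append(_event2(7, EV_EFI_ACTION, DMA_DISABLED_STRING))
    body.append(_event2(7, EV_SEPARATOR, bytes(4)))
    return header + b"".join(body)


if __name__ == "__main__":
    for flag in (False, True):
        evs = parse_tcg2_log(build_sample_log(flag))
        print("dma disabled:", dma_protection_disabled(evs),
              "PCR[7]:", replay_pcr(evs, 7).hex())
```

Because the extension is part of the PCR[7] chain, a verifier that only compares PCR[7] against a golden value also catches the degraded boot; parsing the log additionally tells it why the value changed.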

Verifying Kernel DMA Protection state on a Windows 10 system

The state of Kernel DMA Protection can be verified on a given system using either of the following methods:

  1. Using the System Information application:
    • Launch MSINFO32.exe.
    • Check the "Kernel DMA Protection" field in the "System Summary" page.
  2. Using the Windows Security application:
    • Launch the Windows Security application from the Windows Start menu.
    • Click on the "Device Security" icon.
    • Click on "Core isolation details".
    • "Memory Access Protection" will be listed as an available Security Feature, if enabled.
      • If "Memory Access Protection" is not listed, then the feature is not enabled on the system.
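Both methods above are interactive. For checking many machines, the same "Kernel DMA Protection" field can be read from a text report written by msinfo32. The Python below is an added example, not code from this page or from Microsoft; it assumes that `msinfo32 /report <file>` writes a UTF-16 text report whose "[System Summary]" section lists tab-separated item/value lines (the decoder falls back to UTF-8 if that assumption is wrong), and treats any value other than "On" as not enabled. The sample report embedded in the block is constructed for the test, not captured from a real system.

```python
"""Read the 'Kernel DMA Protection' field from an msinfo32 text report.
Added example; the sample report below is constructed."""
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

FIELD = "Kernel DMA Protection"
SECTION = "[System Summary]"


def parse_kernel_dma_field(report_text: str) -> Optional[str]:
    """Return the value of 'Kernel DMA Protection' in the [System Summary]
    section, or None when the field is absent (e.g. older Windows builds)."""
    in_summary = False
    for raw in report_text.splitlines():
        line = raw.strip("\ufeff\r ")
        if line.startswith("[") and line.endswith("]"):
            in_summary = line == SECTION
            continue
        if in_summary and "\t" in line:
            item, _, value = line.partition("\t")
            if item.strip() == FIELD:
                return value.strip()
    return None


def kernel_dma_protection_enabled(report_text: str) -> bool:
    """Only an explicit 'On' counts as enabled; 'Off' and a missing field do not."""
    return (parse_kernel_dma_field(report_text) or "").lower() == "on"


def read_report(path: Path) -> str:
    """msinfo32 reports are assumed to be UTF-16; fall back to UTF-8 with BOM."""
    raw = path.read_bytes()
    for enc in ("utf-16", "utf-8-sig"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def export_and_check() -> bool:
    """Windows only: export a report with 'msinfo32 /report' and evaluate it."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "msinfo.txt"
        subprocess.run(["msinfo32", "/report", str(out)], check=True)
        return kernel_dma_protection_enabled(read_report(out))


# Constructed sample in the assumed report layout (not real msinfo32 output).
SAMPLE_REPORT_ON = (
    "System Information report\n\n"
    "[System Summary]\n\n"
    "Item\tValue\n"
    "OS Name\tMicrosoft Windows 10 Pro\n"
    "Kernel DMA Protection\tOn\n"
    "Virtualization-based security\tRunning\n\n"
    "[Hardware Resources]\n\n"
    "Kernel DMA Protection\tbogus value in another section\n"
)
SAMPLE_REPORT_OFF = SAMPLE_REPORT_ON.replace("Kernel DMA Protection\tOn", "Kernel DMA Protection\tOff", 1)
SAMPLE_REPORT_MISSING = SAMPLE_REPORT_ON.replace("Kernel DMA Protection\tOn\n", "", 1)

if __name__ == "__main__":
    print("sample says enabled:", kernel_dma_protection_enabled(SAMPLE_REPORT_ON))
    # export_and_check() is only meaningful on a Windows host.
```

Restricting the match to the [System Summary] section avoids picking up a same-named item from another section, and a missing field is reported as not enabled rather than raising, so the check can run unchanged across a mixed fleet.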
