ufrisk
About TPM 2.0 and Secure Boot constraints on Windows 11
Hi,
I want to ask about whether new TPM 2.0 and Secure Boot obligations on Windows 11 have ability to prevent or block DMA attacks on Windows 11 ?
Thanks In Advance
I'll be looking into this more in detail now that Windows 11 has been released.
TPM 2.0 and/or Secure Boot itself does not affect DMA.
The Virtualization Based Security (VBS) features and Core Isolations memory integrity does however). When this is enabled together with the VT-d virtualzation feature in BIOS/UEFI I suspect Windows 11 will become quite resilient against DMA attacks.
If the VT-d and/or VBS is disabled I suspect things will be the same as on Windows 10.
But I'll have to do some more checking out about these features though.
I want to upgrade my windows 10 to 11, but I'm hesitant because I'm afraid my DMA hardware won't work anymore. If anyone or you Ulf, could verify, please let me/us know.
@Tony322 It's possible to do DMA on Windows 11 if you're the user and disable enough Anti-DMA blocking features, but I'm unsure how hard that will be on your system.
@ufrisk I accidentally updated windows 10 21h2 to 22h2 and now I can't read the target machines memory anymore. God damnit.. tpm is off and vt-d is also off. Multiple cold boots, using a manual memory map which worked before the update. I have no clue on what to change in bios/windows in order to have it work again. You don't have any specific suggestions?
In BIOS, VT-d, IOMMU, AMD-Vi, Kernel DMA protection etc. Also "core isolation" in Windows. But you have to try your way around since this is different on different models and I can't possibly guide through everything. If it doesn't work a downgrade may work.