Kernel DMA Protection for Thunderbolt™ 3

Applies to

  • Windows 10

In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.

This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.

For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to the Intel Thunderbolt™ 3 Security documentation.

Background

PCI devices are DMA-capable, which allows them to read and write system memory at will, without having to engage the system processor in these operations. The DMA capability is what makes PCI devices the highest performing devices available today. These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis. Today, this is no longer the case with Thunderbolt™.

Thunderbolt™ technology has provided modern PCs with extensibility that was not available before. It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.

Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC. A simple example would be a PC owner leaving the PC for a quick coffee break; within that break, an attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects malware that gives them full control over the PC remotely.

How Windows protects against DMA drive-by attacks

Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.

User experience

Figure: Kernel DMA Protection user experience

A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system.

System compatibility

Kernel DMA Protection requires new UEFI firmware support. This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.

To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32). Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in BitLocker countermeasures.

Note

Kernel DMA Protection is not compatible with the other BitLocker DMA attack countermeasures. It is recommended to disable the BitLocker DMA attack countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides a higher security bar for the system than the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.

How to check if Kernel DMA Protection is enabled

Systems running Windows 10 version 1803 that support Kernel DMA Protection have this security feature enabled automatically by the OS, with no user or IT admin configuration required.

Using Security Center

Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation details > Memory access protection.

Figure: Kernel DMA Protection in Security Center

Using System Information

  1. Launch MSINFO32.exe from a command prompt, or from the Windows search bar.
  2. Check the value of Kernel DMA Protection. (Figure: Kernel DMA Protection in System Information)
  3. If the current state of Kernel DMA Protection is OFF and Virtualization Technology in Firmware is NO:
    • Reboot into BIOS settings
    • Turn on Intel Virtualization Technology.
    • Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use the DMA attack mitigations described in BitLocker countermeasures.
    • Reboot the system into Windows 10.
  4. If the state of Kernel DMA Protection remains Off, then the system does not support this feature.
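The MSINFO32 procedure above can be scripted for fleet auditing. The following PowerShell function is an added example, not code from the Microsoft page: it exports the System Summary with the real `msinfo32 /report` switch, parses the report, and applies the decision logic of steps 3 and 4. It assumes an English-locale report, where the items are labelled "Kernel DMA Protection" and "Virtualization Enabled in Firmware"; localized builds print translated labels, so adjust the patterns accordingly.

```powershell
# Added example (not from the Microsoft page): automate the MSINFO32 check.
# Assumes English-locale report labels; the item names are assumptions to
# verify against the System Summary on the target build.

function Get-KernelDmaProtectionState {
    [CmdletBinding()]
    param(
        # Optional path to an existing msinfo32 report (offline analysis).
        [string]$ReportPath
    )

    if (-not $ReportPath) {
        # msinfo32 /report writes the System Summary as a text file and exits.
        $ReportPath = Join-Path $env:TEMP ("msinfo32-{0}.txt" -f [guid]::NewGuid())
        Start-Process -FilePath 'msinfo32.exe' `
            -ArgumentList "/report `"$ReportPath`"" -Wait -WindowStyle Hidden
    }

    # The report is "Item<TAB>Value" lines; Get-Content honours the file's BOM.
    $lines = Get-Content -Path $ReportPath

    $dma  = $lines | Select-String -Pattern '^Kernel DMA Protection\s+(.+?)\s*$' | Select-Object -First 1
    $virt = $lines | Select-String -Pattern 'Virtualization Enabled in Firmware\s+(.+?)\s*$' | Select-Object -First 1

    $dmaState  = if ($dma)  { $dma.Matches[0].Groups[1].Value }  else { 'Unknown' }
    $virtState = if ($virt) { $virt.Matches[0].Groups[1].Value } else { 'Unknown' }

    # Decision logic mirrors steps 3 and 4 of the procedure on this page.
    if ($dmaState -eq 'On') {
        $advice = 'Kernel DMA Protection is enabled.'
    } elseif ($dmaState -eq 'Off' -and $virtState -eq 'No') {
        $advice = 'Off with virtualization disabled in firmware: enable Intel VT and VT-d in BIOS, reboot, and re-check.'
    } elseif ($dmaState -eq 'Off') {
        $advice = 'Remains Off with virtualization enabled: the system does not support the feature; use the BitLocker DMA countermeasures.'
    } else {
        $advice = 'State could not be parsed; inspect System Summary in MSINFO32 manually.'
    }

    [pscustomobject]@{
        KernelDmaProtection             = $dmaState
        VirtualizationEnabledInFirmware = $virtState
        Recommendation                  = $advice
        Report                          = $ReportPath
    }
}

# Usage:
# Get-KernelDmaProtectionState | Format-List
```

Because the report is a plain text file, the same function can be pointed at reports collected from other machines with `-ReportPath`, which is useful when confirming that a hardware model is supported before rolling it out.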

For systems that do not support Kernel DMA Protection, please refer to BitLocker countermeasures or Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System for other means of DMA protection.

Frequently asked questions

Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?

In-market systems released with Windows 10 version 1709 or earlier will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to BitLocker countermeasures or Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System for other means of DMA protection.

Does Kernel DMA Protection prevent drive-by DMA attacks during boot?

No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.

How can I check if a certain driver supports DMA-remapping?

DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the value corresponding to the DMA Remapping Policy property in the Details tab of the device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).

*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.

Figure: Kernel DMA Protection user experience
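Checking the DMA Remapping Policy property one device at a time in Device Manager does not scale, so here is an added PowerShell example (not code from the Microsoft page) that reads the same property for every present PCI device with the PnP cmdlets and applies the 0/1/2/absent interpretation given above. It assumes the property can be addressed by the key name `DEVPKEY_Device_DmaRemappingPolicy`; on Windows 10 1803 and 1809, where Device Manager shows the key as a GUID (which this page does not quote), pass that GUID form through `-KeyName` instead.

```powershell
# Added example (not from the Microsoft page): report DMA Remapping Policy for
# present PCI devices. The default key name is an assumption; override it with
# the "{GUID} <property-id>" form on 1803/1809 builds.

function Get-DmaRemappingPolicyReport {
    [CmdletBinding()]
    param(
        # Property key to query (assumed name; GUID form also accepted by -KeyName).
        [string]$KeyName = 'DEVPKEY_Device_DmaRemappingPolicy',
        # PCI devices only by default; non-PCI peripherals do not perform DMA.
        [string]$InstanceIdPrefix = 'PCI\'
    )

    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like "$InstanceIdPrefix*" } |
        ForEach-Object {
            $dev   = $_
            $value = $null
            try {
                $prop  = Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $KeyName -ErrorAction Stop
                $value = $prop.Data
            } catch {
                # Lookup failed: treat as "policy not set by the driver".
                $value = $null
            }

            # Interpretation from the page: absent = policy not set (no support),
            # 0 or 1 = no DMA-remapping support, 2 = supported.
            if ($null -eq $value) {
                $verdict = 'Policy not set (not supported)'
            } elseif ($value -eq 2) {
                $verdict = 'Supported'
            } elseif ($value -in 0, 1) {
                $verdict = 'Not supported'
            } else {
                $verdict = "Unrecognised value $value"
            }

            [pscustomobject]@{
                FriendlyName       = $dev.FriendlyName
                InstanceId         = $dev.InstanceId
                DmaRemappingPolicy = $value
                DmaRemapping       = $verdict
            }
        }
}

# Usage: list devices whose drivers are not opted into DMA-remapping.
# Get-DmaRemappingPolicyReport | Where-Object DmaRemapping -ne 'Supported' | Format-Table -AutoSize
```

Run it with the peripheral attached and the session unlocked, since a blocked peripheral has no started driver instance to inspect; as the page notes, the same driver can report different values for an internal and an external instance of the device, so inspect the instance you actually care about.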

What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?

If the peripherals have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details of the driver compatibility requirements can be found at the Microsoft Partner Center.

Do Microsoft drivers support DMA-remapping?

In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.

Do drivers for non-PCI devices need to be compatible with DMA-remapping?

No. Non-PCI peripherals, such as USB devices, do not perform DMA, so their drivers do not need to be compatible with DMA-remapping.

How can an enterprise enable the External device enumeration policy?

The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that are not can be blocked, allowed, or allowed only after the user signs in (the default).

The policy can be enabled by using:

  • Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
  • Mobile Device Management (MDM): DmaGuard policies

Related topics