Kernel DMA Protection

Applies to

  • Windows 10

In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots).

Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.

This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.

For Thunderbolt DMA protection on earlier Windows versions and on platforms that lack support for Kernel DMA Protection, please refer to the Intel Thunderbolt™ 3 Security documentation.

Background

PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations. The DMA capability is what makes PCI devices the highest performing devices available today. These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. Access to these devices required the user to turn off power to the system and disassemble the chassis.

Today, this is no longer the case with hot plug PCIe ports (e.g., Thunderbolt™ and CFexpress).

Hot plug PCIe ports such as Thunderbolt™ technology have given modern PCs extensibility that was not available to PCs before. They allow users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.

Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC. A simple example would be a PC owner who leaves the PC for a quick coffee break; within the break, an attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects malware that allows them to have full control over the PC remotely.

How Windows protects against DMA drive-by attacks

Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA remapping). Peripherals with DMA remapping compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.

By default, peripherals with DMA remapping incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. IT administrators can modify the default behavior applied to devices with DMA remapping incompatible drivers using the DmaGuard MDM policies.

User experience

[Screenshot: Kernel DMA Protection user experience]

By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or logs out of the system.

System compatibility

Kernel DMA Protection requires new UEFI firmware support. This support is anticipated only on newly introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.

To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32). Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in BitLocker countermeasures.

Note

Kernel DMA Protection is not compatible with the other BitLocker DMA attack countermeasures. It is recommended to disable the BitLocker DMA attack countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides a higher security bar for the system than the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.

How to check if Kernel DMA Protection is enabled

Systems running Windows 10 version 1803 that support Kernel DMA Protection have this security feature enabled automatically by the OS, with no user or IT admin configuration required.

Using Security Center

Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation details > Memory access protection.

[Screenshot: Kernel DMA Protection in Security Center]

Using System Information

  1. Launch MSINFO32.exe from a command prompt, or from the Windows search bar.

  2. Check the value of Kernel DMA Protection.

    [Screenshot: Kernel DMA Protection in System Information]

  3. If the current state of Kernel DMA Protection is OFF and Hyper-V - Virtualization Enabled in Firmware is NO:

    • Reboot into BIOS settings
    • Turn on Intel Virtualization Technology.
    • Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use the DMA attack mitigations described in BitLocker countermeasures.
    • Reboot the system into Windows 10.

    Note

    Hyper-V - Virtualization Enabled in Firmware is not shown when the message "A hypervisor has been detected. Features required for Hyper-V will not be displayed." is displayed instead. This means that Hyper-V - Virtualization Enabled in Firmware is set to Yes and the Hyper-V Windows feature is enabled. Enabling Hyper-V virtualization in firmware (IOMMU) is required to enable Kernel DMA Protection, even when the firmware sets the "ACPI Kernel DMA Protection Indicators" flag described in Kernel DMA Protection (Memory Access Protection) for OEMs.

  4. If the state of Kernel DMA Protection remains Off, then the system does not support this feature.

    For systems that do not support Kernel DMA Protection, please refer to BitLocker countermeasures or Thunderbolt™ 3 and Security on the Microsoft Windows® 10 Operating System for other means of DMA protection.

Frequently asked questions

Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?

In-market systems released with Windows 10 version 1709 or earlier will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to BitLocker countermeasures or Thunderbolt™ 3 and Security on the Microsoft Windows® 10 Operating System for other means of DMA protection.

Does Kernel DMA Protection prevent drive-by DMA attacks during boot?

No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.

How can I check if a certain driver supports DMA remapping?

DMA remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver has opted into DMA remapping, check the value of the DMA Remapping Policy property in the Details tab of the device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA remapping. A value of 2 means that the device driver supports DMA remapping. If the property is not available, then the policy is not set by the device driver (i.e., the device driver does not support DMA remapping). Check the driver instance for the specific device you are testing: some drivers may report different values depending on the location of the device (internal vs. external).

[Screenshot: DMA Remapping Policy property in Device Manager]

*For Windows 10 versions 1803 and 1809, the property field in Device Manager is labelled with a GUID rather than a name, as highlighted in the following image.

[Screenshot: DMA Remapping Policy property shown as a GUID in Device Manager]
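The Device Manager check above is per device; the following PowerShell script, added here as an example and not part of the original page, walks every present PCI device and reports the DMA Remapping Policy value using the page's 0/1/2 interpretation. It assumes the property is exposed with a key name containing "DmaRemappingPolicy" on current builds; on 1803/1809, where Device Manager shows only a GUID, pass that GUID as -KeyPattern instead.

```powershell
# Added example (not from the page): audit which PCI device drivers have opted into
# DMA remapping, reading the same "DMA Remapping Policy" property Device Manager shows.
# Assumption: the property's KeyName contains "DmaRemappingPolicy"; on Windows 10
# 1803/1809 it is surfaced only as a GUID, so pass that GUID via -KeyPattern.
function Get-DmaRemappingReport {
    param([string]$KeyPattern = 'DmaRemappingPolicy')

    # Only PCI devices are DMA-capable; USB and other non-PCI peripherals do not perform DMA.
    $pciDevices = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'PCI\*' }

    foreach ($dev in $pciDevices) {
        $props  = Get-PnpDeviceProperty -InstanceId $dev.InstanceId
        $policy = $props | Where-Object { $_.KeyName -like "*$KeyPattern*" } | Select-Object -First 1
        $svc    = ($props | Where-Object { $_.KeyName -eq 'DEVPKEY_Device_Service' }).Data

        # Page's interpretation: 0 or 1 = not supported, 2 = supported,
        # property absent = policy not set by the driver (treated as not supported).
        $value  = if ($policy) { [int]$policy.Data } else { $null }
        $status = if ($null -eq $value) { 'Not set (not supported)' }
                  elseif ($value -eq 2) { 'Supported (opted in)' }
                  else                  { 'Not supported' }

        [pscustomobject]@{
            Device      = $dev.FriendlyName
            Driver      = $svc
            InstanceId  = $dev.InstanceId
            PolicyValue = $value
            DmaRemap    = $status
        }
    }
}

# Run from an elevated prompt on the system under review; devices listed as
# "Not supported" are the ones Kernel DMA Protection will hold back until sign-in.
Get-DmaRemappingReport | Sort-Object DmaRemap, Device | Format-Table -AutoSize
```

External devices that show a different value from their internal counterparts illustrate the page's note that some drivers report per-location values.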

What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA remapping?

If the peripherals have class drivers provided by Windows 10, please use these drivers on your systems. If Windows provides no class drivers for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support DMA remapping.

My system's Kernel DMA Protection is off. Can DMA remapping for a specific device be turned on?

Yes. DMA remapping for a specific device can be turned on independently of Kernel DMA Protection. For example, if the driver opts in and VT-d (Virtualization Technology for Directed I/O) is turned on, then DMA remapping will be enabled for the device's driver even if Kernel DMA Protection is turned off.

Kernel DMA Protection is a policy that allows or blocks devices from performing DMA, based on their remapping state and capabilities.

Do Microsoft drivers support DMA remapping?

In Windows 10 1803 and later, the Microsoft inbox drivers for USB XHCI (3.x) controllers, Storage AHCI/SATA controllers and Storage NVMe controllers support DMA remapping.

Do drivers for non-PCI devices need to be compatible with DMA remapping?

No. Non-PCI peripherals, such as USB devices, do not perform DMA, so their drivers do not need to be compatible with DMA remapping.

How can an enterprise enable the External device enumeration policy?

The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA remapping. Peripherals that are compatible with DMA remapping are always enumerated. Peripherals that are not compatible can be blocked, allowed, or allowed only after the user signs in (default).

The policy can be enabled by using:

  • Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
  • Mobile Device Management (MDM): DmaGuard policies

Related topics