Mehdi_Sellami
Copper Contributor
Feb 24, 2021
Solved

Kernel DMA Protection on Dell Inspiron 14 5405

AMD Ryzen 7 4700U

I have upgraded the OS from Home to Pro to Enterprise, version 20H2.

Then I checked the Hyper-V requirements using the systeminfo.exe command from cmd.

The output was compatible:

64-bit processor with second-level address translation (SLAT) is enabled

Virtual Machine Monitor Mode Extensions is enabled

Virtualization Enabled In Firmware (this requires enabling from the BIOS)

Data Execution Prevention is enabled

I entered the BIOS by pressing F2.

For Hyper-V, the BIOS has one line, which is: Virtualization Technology

I have enabled it.

Now I have verified the Hyper-V requirements using the systeminfo command.

The result was: Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Meaning, Hyper-V is detected, but!!!!!

 

I checked for Kernel DMA Protection in System Information.

What does it require?

The rule says that when you enable Virtualization Technology in the BIOS, Kernel DMA Protection is enabled automatically.

Why is Kernel DMA Protection off?

I tried Coreinfo64.exe.

When Virtualization Technology is disabled in the BIOS:

 

coreinfo Output:

HYPERVISOR - Hypervisor is present

SVM * Supports AMD hardware-assisted virtualization
NP * Supports AMD nested page tables (SLAT)

- : not enabled
* : SVM and SLAT mode is enabled

Again I checked Kernel DMA Protection - Kernel DMA Protection is off!!!

And when I enable Virtualization Technology from the BIOS:

coreinfo Output:

HYPERVISOR * Hypervisor is present

SVM - Supports AMD hardware-assisted virtualization
NP - Supports AMD nested page tables (SLAT)

SVM and SLAT mode are disabled and Virtualization is enabled

WHAT!!!!

Therefore, I cannot use Device Guard and Credential Guard.

Why is Kernel DMA Protection off?

The reason...

I have to check several things, and they are:

Secure Boot enabled

TPM v2.0

Ensure boot is configured to use UEFI

OK, all steps are available.

There are requirements to look out for, and they are:

IOMMU (I/O Memory Management Unit)

Enabling Secure Virtual Machine Mode (SVM)

Or I looked for something called AMD-V

All of these steps require checking BIOS settings.

In the InsydeH2O BIOS configured on this device, these settings do not exist.

When I'm enabling Virtualization Technology from the BIOS:

(SVM) disabled

(SLAT) disabled

And when I disable Virtualization Technology from the BIOS:

SVM and SLAT are enabled

Is there an overlap (virtualization enabled on the Windows side) or what?

I need to use Device Guard and Credential Guard.


9 Replies

    dretzer
    Iron Contributor

    You don't need Kernel DMA Protection for Device Guard.

    What you need is:

    • 64-bit CPU
    • SLAT
    • IOMMU (Intel-VT-D or AMD-Vi)
    • TPM 2.0
    • SMM Protection (Firmware)
    • UEFI Memory Reporting
    • MOR2
    • HVCI compatible drivers

    That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processors:

    https://www.amd.com/en/technologies/pro-security

    Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.

    To answer your other questions more directly:

    • Kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt, ...). It needs support from your hardware (CPU, mainboard, firmware) to work and is not tied to Device Guard or Credential Guard. It needs VBS to work correctly, but it is not needed for VBS.
    • coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in an administrative prompt, but even then, all the virtualization information is not reliable when virtualization is running.
    • I'm not sure if you really want Device Guard (a collection of features that prevents code from running on your machine) or if you just want VBS.

    Mehdi_Sellami 

      Mehdi_Sellami
      Copper Contributor

      I need Advanced protection with VBS to create isolation or virtual secure mode for user and kernel operations.


      dretzer 

        dretzer
        Iron Contributor

        If you want to check if VBS is running, use the following command in an administrative PowerShell console:

        $dgstatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
        $dgstatus.VirtualizationBasedSecurityStatus


        This will return a number from 0 to 2.

        • 0 = VBS not available
        • 1 = VBS available but not running
        • 2 = VBS available and running

        You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site:

        https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity


        Mehdi_Sellami 
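As an added example (not code from this thread or from Microsoft), the Win32_DeviceGuard query dretzer gives above, extended to decode the fields that bear on the original question: the VBS status code, which security properties the firmware exposes to Windows (DMA protection is one of them), and which VBS services are actually running. The value tables follow Microsoft's documentation for the Win32_DeviceGuard class; the function name Get-VbsReport is an assumption of this example. The trailing Win32_Processor query shows the CPU-derived virtualization flags that, as dretzer notes, become unreliable once a hypervisor is running.

```powershell
# Added example: decode Win32_DeviceGuard so VBS state, exposed security properties
# (including DMA protection) and running VBS services can be read in one pass.
# Assumes an elevated PowerShell console on Windows 10. Value tables follow the
# Win32_DeviceGuard documentation; codes added in newer builds are shown raw.

$vbsStatusNames = @{
    0 = 'VBS not available'
    1 = 'VBS available but not running'
    2 = 'VBS available and running'
}

# AvailableSecurityProperties / RequiredSecurityProperties entries
$propertyNames = @{
    0 = 'No relevant properties'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC/GMET)'
}

# SecurityServicesConfigured / SecurityServicesRunning entries
$serviceNames = @{
    0 = 'No services'
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function Get-VbsReport {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Map each numeric code to its name; unknown codes fall through as "code N"
    $decode = {
        param($codes, $table)
        @($codes) | ForEach-Object {
            if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "code $_" }
        }
    }

    [PSCustomObject]@{
        VbsStatus              = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProps         = & $decode $dg.AvailableSecurityProperties $propertyNames
        RequiredProps          = & $decode $dg.RequiredSecurityProperties $propertyNames
        ServicesConfigured     = & $decode $dg.SecurityServicesConfigured $serviceNames
        ServicesRunning        = & $decode $dg.SecurityServicesRunning $serviceNames
        # Code 3 present in AvailableSecurityProperties means the platform reports DMA protection
        DmaProtectionAvailable = [bool](@($dg.AvailableSecurityProperties) -contains 3)
    }
}

# Usage: print the decoded report
$report = Get-VbsReport
$report | Format-List

# Firmware-side virtualization flags as seen by the CPU. With a hypervisor already
# running these are not reliable (they commonly read False even though virtualization
# is on), which is the same effect the reply above describes for coreinfo.
Get-CimInstance -ClassName Win32_Processor |
    Select-Object Name, VirtualizationFirmwareEnabled,
                  SecondLevelAddressTranslationExtensions, VMMonitorModeExtensions
```

On the machine in this thread the useful fields are RequiredProps versus AvailableProps: anything listed as required but absent from available is what the firmware is not exposing, and DmaProtectionAvailable corresponds to the "Kernel DMA Protection" line the original poster was reading in System Information.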
