About TPM 2.0 and Secure Boot constraints on Windows 11

[BurcakAsal]

Hi,

I want to ask about whether new TPM 2.0 and Secure Boot obligations on Windows 11 have ability to prevent or block DMA attacks on Windows 11 ?

Thanks In Advance

[ufrisk]

I'll be looking into this more in detail now that Windows 11 has been released.

TPM 2.0 and/or Secure Boot itself does not affect DMA.

The Virtualization Based Security (VBS) features and Core Isolations memory integrity does however). When this is enabled together with the VT-d virtualzation feature in BIOS/UEFI I suspect Windows 11 will become quite resilient against DMA attacks.

If the VT-d and/or VBS is disabled I suspect things will be the same as on Windows 10.

But I'll have to do some more checking out about these features though.

[BurcakAsal]

@ufrisk , Thank you very much for your answer

Regards

[Tony322]

I want to upgrade my windows 10 to 11, but I'm hesitant because I'm afraid my DMA hardware won't work anymore. If anyone or you Ulf, could verify, please let me/us know.

[ufrisk]

@Tony322 It's possible to do DMA on Windows 11 if you're the user and disable enough Anti-DMA blocking features, but I'm unsure how hard that will be on your system.

[Tony322]

@ufrisk I accidentally updated windows 10 21h2 to 22h2 and now I can't read the target machines memory anymore. God damnit.. tpm is off and vt-d is also off. Multiple cold boots, using a manual memory map which worked before the update. I have no clue on what to change in bios/windows in order to have it work again. You don't have any specific suggestions?

[ufrisk]

In BIOS, VT-d, IOMMU, AMD-Vi, Kernel DMA protection etc. Also "core isolation" in Windows. But you have to try your way around since this is different on different models and I can't possibly guide through everything. If it doesn't work a downgrade may work.

[ufrisk]

I'm closing this issue due to old age.