cybrtitan
Message 1 of 4

Kernel DMA, Device Encryption support, Unallowed DMA Device, and Bitlocker

Elitebook 840 G5
Microsoft Windows 10 (64-bit)

Working on getting our G5s to encrypt automatically and resume automatically after a pause when using BitLocker.

After reading the following two MS articles, I'm looking at issues with DMA or mitigations.

Also of note: we are transitioning from the old HP slim docks to the "HP USB-C Dock G4", as this becomes relevant.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-counter...

https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-t...

IT tells me that I should want Kernel DMA protections on if available, but I can achieve "Device Encryption Support - Meets prerequisites" as long as I use the following BIOS settings, per the guide below.

  • G5 – BIOS Guide page 38-39 (section 5.9)
  • http://h10032.www1.hp.com/ctg/Manual/c06114605
  • Advanced -> Port settings ->
  • Thunderbolt security level needs to be at user authorization or higher
  • Thunderbolt PCIe Hot Plug needs to be in legacy mode
  • When following this I can achieve the state below.

(screenshot)

But if I plug in the USB-C dock or don't have those BIOS settings configured, this is what I get.

(screenshot)

So my question is: is there an update to the driver or firmware of the USB-C dock coming to make it not appear or need DMA, or make it comparable with Windows memory remapping, or is there a BIOS update coming for the G5 to enable Kernel DMA Protection?

 

We are using the newest patches of both, to my knowledge, currently.

G5 BIOS -> 01.07.00 Rev.A

Dock -> SP88999 (the dock doesn't have a clear firmware version); the dock drivers are handled by Windows and I don't see an HP download for them.

 

Thanks.


TryToDoMybest
Message 2 of 4

Hello,

At this page: https://support.hp.com/us-en/drivers/selfservice/hp-usb-c-docking-station/17032707/model/20092244

you find driver and firmware version F.37.

The drivers are about audio and the Ethernet card, as the displays are driven by the graphics card integrated in the motherboard via the DisplayPort channel available on the Thunderbolt port.

 

I have connected a USB-C Dock G4 to an 840 G5 (BIOS 1.07.00) where I use BitLocker. The System Information window shows the same as your screenshot: Kernel DMA Protection Off (but I have no idea how to enable it) and "Device Encryption Support", same message: "Reason for failed automatic device encryption: un-allowed DMA capable bus/device(s) detected."

 

So I got an 840 G6, brand new, with the HP Windows 10 Pro OEM factory image.

The 840 G6 BIOS settings include a setting called "DMA Protection" and I see it enabled by default. In MSINFO32 I now see "Kernel DMA Protection" ON, but the other parameter is the same: "Device Encryption Support", "Reason for failed automatic device encryption: un-allowed DMA capable bus/device(s) detected."

 

There is a new manual for BIOS settings, June 2019 version: http://h10032.www1.hp.com/ctg/Manual/c06399361

That should be updated further, because I see some things different from what I see on the 840 G6 computer.

 

What I don't know is the meaning of the message "Reason for failed automatic device encryption: un-allowd DMA capable bus/device(s) detected"

 

And even more, the USB-C Dock G4 is not a Thunderbolt device. It's just USB-C.

If I have time I'll try with the new USB-C Dock G5 next week, with both the 840 G5 and G6.

Bye

 


TryToDoMybest
Message 3 of 4


I read some document on the MS site where they say to modify the registry.

So I tried to add the USB-C Dock G4 device under AllowedBuses at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses, but I always get a write error.

 

Bye


cybrtitan
Author
Message 4 of 4


I do believe that is the firmware I have updated on the G4 dock, but I wish there was an easy way to tell the version it was running, like the slim docks had.

I have a premium MSFT ticket open with someone from BitLocker support and they are looking into this as well.

A few things we noticed: when the dock (or any USB-C device) gets plugged in, the Intel(R) USB 3.1 eXtensible Host Controller appears. That driver has the DMA remapping ability, as mentioned here, unlike the USB 3.0 controller that is always present.

The HP Elite USB-C Dock G4 driver does not support this ability either. Plugging in my OnePlus phone also triggers this condition.

(screenshot)

 

https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-t...

(EDIT: I noticed I had the wrong GUID on the 3.1 controller; just trust that the correct GUID says 2 on that.)

 

The support rep was mentioning some sort of list that gets downloaded, and maybe that's the registry location for said list.

I was also baffled by this, as I thought this was a FireWire, PCI and Thunderbolt only issue.
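As an added check that is not part of this thread and not HP or Microsoft code: a PowerShell script that lists the present PCI/USB devices with the Device Manager property "DMA Remapping Policy" (the per-device opt-in post 4 refers to, where 2 means the driver supports remapping) and reads, rather than writes, the DmaSecurity\AllowedBuses key that post 3 tried to edit. The DEVPKEY name used for that property is an assumption.

```powershell
# Added example, not from the thread or from HP/Microsoft.
# Assumptions: Windows 10 1803 or later, Windows PowerShell 5.1, elevated shell.
# DEVPKEY_Device_DmaRemappingPolicy is assumed to be the DEVPKEY identifier of
# the "DMA Remapping Policy" property; 2 = remapping supported, 0 or 1 = not.

$PolicyKeyName = 'DEVPKEY_Device_DmaRemappingPolicy'

function Get-DmaRemappingReport {
    # Only bus-master devices matter; a dock shows up as extra controllers when plugged in.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'PCI\*' -or $_.Class -eq 'USB' } |
        ForEach-Object {
            $prop = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                                          -KeyName $PolicyKeyName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name       = $_.FriendlyName
                InstanceId = $_.InstanceId
                DmaPolicy  = if ($prop -and $null -ne $prop.Data) { [int]$prop.Data } else { $null }
            }
        }
}

function Get-DmaAllowedBuses {
    # Read-only view of the list; post 3 reports that writing to it fails.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ ValueName = $_.Name; Data = $_.Value } }
}

$report = Get-DmaRemappingReport

'Devices that have not opted into DMA remapping (policy 0/1):'
$report | Where-Object { $null -ne $_.DmaPolicy -and $_.DmaPolicy -ne 2 } | Format-Table -AutoSize

'Devices whose driver opted in (policy 2):'
$report | Where-Object { $_.DmaPolicy -eq 2 } | Format-Table -AutoSize

'Entries currently in DmaSecurity\AllowedBuses:'
Get-DmaAllowedBuses | Format-Table -AutoSize
```

Run it once with the dock unplugged and once with it plugged in; the controller that appears only in the second run, with a policy other than 2, is the one msinfo32 is reporting.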