07-24-2019 12:40 PM
Working on getting our G5s to encrypt automatically and resume after pause automatically when using BitLocker.
After reading the following two MS articles I'm looking at issues with DMA or Mitigations.
Also of note, we are transitioning from the old HP slim docks to "HP USB-C Dock G4", as this becomes relevant.
IT tells me that I should want Kernel DMA protections on if available - but I can achieve "Device Encryption Support - Meets prerequisites" as long as I use the following BIOS settings per the guide below.
- G5 – BIOS Guide page 38-39 (section 5.9)
- Advanced -> Port settings ->
  - Thunderbolt security level needs to be at user authorization or higher
  - Thunderbolt PCIe Hot Plug needs to be in legacy mode

When following this I can achieve the state below.
But if I plug in the USB-C dock or don't have those BIOS settings configured this is what I get.
So my question is: is there an update to the Driver or Firmware of the USB-C dock coming to make it not appear or need DMA or make it comparable with Windows memory remapping, or is there a BIOS update coming for the G5 to enable Kernel DMA Protection?
We are using the newest patches of both to my knowledge currently.
G5 BIOS -> 01.07.00 Rev.A
Dock -> SP88999 (the dock doesn't have a clear firmware version), dock drivers Windows handles and I don't see an HP download for.
07-26-2019 11:04 AM
You find driver and firmware version F.37.
Drivers are about audio and Ethernet card as the displays are driven by Graphics card integrated in the motherboard via DisplayPort channel available on the Thunderbolt port.
I have connected a USB-C Dock G4 to an 840 G5 (BIOS 1.07.00) where I use BitLocker. The System Information window shows the same as your screenshot: Kernel DMA Protection Off (but I have no idea how to enable it) and "Device Encryption Support", same message "Reason for failed automatic device encryption: un-allowed DMA capable bus/device(s) detected".
So I got an 840 G6 brand new with the HP Windows 10 Pro OEM factory image.
The 840 G6 BIOS settings include a setting called "DMA Protection" and I see it enabled by default. In MSINFO32 I now see "Kernel DMA Protection" ON but the other parameter is the same: "Device Encryption Support", "Reason for failed automatic device encryption: un-allowed DMA capable bus/device(s) detected".
There is a new manual for BIOS settings, June 2019 version: http://h10032.www1.hp.com/ctg/Manual/c06399361
That should even be updated, because I see some things different from what I see on the 840 G6 computer.
What I don't know is the meaning of the message "Reason for failed automatic device encryption: un-allowed DMA capable bus/device(s) detected".
And even more, the USB-C Dock G4 is not a Thunderbolt device. It's just USB-C.
If I have time I'll try with the new USB-C Dock G5, next week, with both the 840 G5 and G6.
07-26-2019 11:31 AM
I read some document on MS site, where they say to modify the registry.
So I try to add the USB-C Dock G4 device as AllowedBuses HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses but I always get a write error.
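
A read-only look at the `AllowedBuses` key mentioned in the post above, added here as an example and not part of any poster's message or of HP or Microsoft code. It prints the key's owner and access rules, then marks which currently present PCI devices match an entry; the value layout (free-text name mapped to a `PCI\VEN_xxxx&DEV_xxxx` prefix) and all variable names are assumptions of this example.

```powershell
# Added example (read-only): nothing in the registry is modified.
# Run from an elevated PowerShell prompt on the affected laptop.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'

if (-not (Test-Path -Path $key)) {
    Write-Warning "Key not found: $key"
    return
}

# Who owns the key and who is allowed to write to it.
$acl = Get-Acl -Path $key
"Owner: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# Assumption: each value is "<free-text name>" = "PCI\VEN_xxxx&DEV_xxxx".
$regKey  = Get-Item -Path $key
$allowed = foreach ($name in $regKey.GetValueNames()) {
    if ($name) {   # skip the unnamed default value
        [pscustomobject]@{ Name = $name; IdPrefix = [string]$regKey.GetValue($name) }
    }
}

# Compare every PCI device that is currently present against that list.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'PCI\*' } |
    ForEach-Object {
        $dev = $_
        $hit = $allowed |
            Where-Object {
                $_.IdPrefix -and
                $dev.InstanceId.StartsWith($_.IdPrefix, [System.StringComparison]::OrdinalIgnoreCase)
            } |
            Select-Object -First 1
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            InstanceId   = $dev.InstanceId
            AllowedAs    = if ($hit) { $hit.Name } else { '(not listed)' }
        }
    } |
    Sort-Object AllowedAs, FriendlyName |
    Format-Table -AutoSize -Wrap
```

Running it once with the dock unplugged and once with it plugged in shows which PCI devices appear only when the dock is attached.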
07-26-2019 01:15 PM - edited 07-26-2019 02:44 PM
I do believe that is the firmware I have updated on the G4 Dock, but I wish there was an easy way to tell the version it was running like the slim docks had.
I have a premium MSFT ticket open with someone from BitLocker support and they are looking into this as well.
A few things we noticed: when the dock (or any USB-C device) gets plugged in, the Intel(R) USB 3.1 eXtensible Host Controller appears. That driver has the DMA remapping ability like mentioned here, unlike the USB 3.0 controller that is always present.
The HP Elite USB-C Dock G4 Driver does not support this ability either. Plugging in my OnePlus phone also triggers this condition.
(EDIT: I noticed I had the wrong GUID on the 3.1 controller; just trust that the correct GUID says 2 on that.)
The support rep was mentioning some sort of list that gets downloaded, and maybe that's the registry location for said list.
I was also baffled by this as I thought this was a FireWire, PCI and Thunderbolt only issue.