Un-allowed DMA capable bus/device(s) detected

Kre*_*ric 8 dma windows-10

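My question is how to find out which device on my laptop is the un-allowed DMA capable one. I have tried disabling USB devices and unplugging the laptop from its docking station. A colleague of mine has the same laptop model, but he doesn't have the same problem as I do.

System Information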

OS Name Microsoft Windows 10 Enterprise
Version 10.0.16299 Build 16299
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name NB-SOKRE
System Manufacturer LENOVO
System Model 20L7S02M00
System Type x64-based PC
System SKU LENOVO_MT_20L7_BU_Think_FM_ThinkPad T480s
Processor Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 2112 Mhz, 4 Core(s), 8 Logical Processor(s)
BIOS Version/Date LENOVO N22ET37W (1.14 ), 22.5.2018.
SMBIOS Version 3.0
Embedded Controller Version 1.08
BIOS Mode UEFI
BaseBoard Manufacturer LENOVO
BaseBoard Model Not Available
BaseBoard Name Base Board
Platform Role Mobile
Secure Boot State On
PCR7 Configuration Bound
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "10.0.16299.371"
User Name 3PRO\kkljucaric
Time Zone Central European Daylight Time
Installed Physical Memory (RAM) 16,0 GB
Total Physical Memory 15,8 GB
Available Physical Memory 7,02 GB
Total Virtual Memory 18,2 GB
Available Virtual Memory 5,31 GB
Page File Space 2,38 GB
Page File C:\pagefile.sys
Virtualization-based security Running
Virtualization-based security Required Security Properties Base Virtualization Support, Secure Boot, DMA Protection
Virtualization-based security Available Security Properties Base Virtualization Support, Secure Boot, DMA Protection, Secure Memory Overwrite, UEFI Code Readonly, SMM Security Mitigations 1.0
Virtualization-based security Services Configured Credential Guard
Virtualization-based security Services Running Credential Guard
Windows Defender Device Guard Code Integrity Policy Audit
Windows Defender Device Guard user mode Code Integrity Audit
Device Encryption Support Reasons for failed automatic device encryption: Un-allowed DMA capable bus/device(s) detected
A hypervisor has been detected. Features required for Hyper-V will not be displayed. 

Ryl*_*lik 11

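It turns out you don't have to use a process of elimination to figure out which buses to add to the approved list; it's in an Event Viewer message.

  1. Open Event Viewer.
  2. Select "Applications and Services Logs" -> "Microsoft" -> "Windows" -> "BitLocker-API" -> "Management".
  3. Look for the "Information" item for event 4122: it will contain text similar to the following: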
The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:


ISA Bridge:
    PCI\VEN_8086&DEV_A30D (Intel(R) 300 Series Chipset Family LPC Controller (HM370) - A30D)

PCI-to-PCI Bridge:
    PCI\VEN_8086&DEV_A334 (Intel(R) PCI Express Root Port #13 - A334)
    PCI\VEN_8086&DEV_A337 (Intel(R) PCI Express Root Port #16 - A337)
    PCI\VEN_8086&DEV_A343 (Intel(R) PCI Express Root Port #20 - A343)
    PCI\VEN_8086&DEV_A330 (Intel(R) PCI Express Root Port #9 - A330)
    PCI\VEN_8086&DEV_1901 (Intel(R) Xeon(R) E3 - 1200/1500 v5/6th Gen Intel(R) Core(TM) PCIe Controller (x16) - 1901)
    PCI\VEN_8086&DEV_A336 (Intel(R) PCI Express Root Port #15 - A336)

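Those are the items you'll need to add to "Approved", provided they don't pose a security vulnerability (e.g., they're not externally accessible, I think?)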


pdu*_*sky 6

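In case more people are trying to solve this... I'm lazy, so I created a small PS script that generates a .reg file (containing all found PCI devices) in the tmp directory and then imports it silently.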

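# Write the .reg header for the AllowedBuses key to a temporary file.
$tmpfile = "$($env:TEMP)\AllowBuses.reg"
'Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses]'`
| Out-File $tmpfile
# Append one "FriendlyName"="PCI\\VEN_xxxx&DEV_xxxx" line for every PCI device found
# (the &SUBSYS... suffix of each instance ID is stripped).
(Get-PnPDevice -InstanceId PCI* `
| Format-Table -Property FriendlyName,InstanceId -HideTableHeaders -AutoSize `
| Out-String -Width 300).trim() `
-split "`r`n" `
-replace '&SUBSYS.*', '' `
-replace '\s+PCI\\', '"="PCI\\' `
| Foreach-Object{ "{0}{1}{2}" -f '"',$_,'"' } `
| Out-File $tmpfile -Append
# Import the generated file silently.
regedit /s $tmpfile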

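From there you can start removing the added entries one by one through the registry, while refreshing the System Information page and checking which entry makes it incompatible again. It's faster than adding the entries manually :) For me, it was missing the entry for "PCI Express Downstream Switch Port".

You may need to change the permissions for this key though (add your user or group as the owner of the key), since Microsoft also covers this in its guide: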

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker


Dan*_*l B 5

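Microsoft provides documentation about this message.

Both the blacklist and the whitelist are located in your registry, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity. I'm not aware of an automated process for checking this, although creating one should be fairly easy.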


A typical candidate present on most systems is "PCI-to-PCI Bridge". Oddly, "PCI Express Root Complex" is in both AllowedBuses and UnallowedBuses.
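The check the answers above describe doing by hand, as an added example (not code from any of the posters or from Microsoft): it parses the text of event 4122 and marks each listed bus as approved or not against the data stored under AllowedBuses, without writing to the registry. The function names, the constructed allow-list and the event channel name `Microsoft-Windows-BitLocker/BitLocker Management` are assumptions; the sample message is shortened from the event text quoted above.

```powershell
# Added example: read-only review of the DMA-capable buses reported by event 4122.
# Function names and the sample allow-list below are hypothetical.
function Get-DmaBusReport {
    param(
        [Parameter(Mandatory)][string]$Message,  # text of a BitLocker-API event 4122
        [string[]]$AllowedIds = @()              # data of the AllowedBuses values
    )
    $class = $null
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4})\s+\((.+)\)\s*$') {
            [pscustomobject]@{
                Class    = $class
                Id       = $Matches[1]
                Name     = $Matches[2]
                Approved = $AllowedIds -contains $Matches[1]
            }
        } elseif ($line -match '^(\S.*):\s*$') {
            $class = $Matches[1]                 # heading such as "PCI-to-PCI Bridge"
        }
    }
}

function Get-LiveDmaBusReport {
    # Assumed channel name for "BitLocker-API" -> "Management" in Event Viewer.
    $log = 'Microsoft-Windows-BitLocker/BitLocker Management'
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4122 } -MaxEvents 1
    if (-not $evt) { return }                    # no event 4122 recorded
    $allowed = @()
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
    $key = Get-Item $path -ErrorAction SilentlyContinue
    if ($key) { $allowed = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } }
    Get-DmaBusReport -Message $evt.Message -AllowedIds $allowed
}

# Sample message shortened from the event text on this page; the allow-list is constructed.
$sample = @'
The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:

ISA Bridge:
    PCI\VEN_8086&DEV_A30D (Intel(R) 300 Series Chipset Family LPC Controller (HM370) - A30D)

PCI-to-PCI Bridge:
    PCI\VEN_8086&DEV_A334 (Intel(R) PCI Express Root Port #13 - A334)
    PCI\VEN_8086&DEV_A337 (Intel(R) PCI Express Root Port #16 - A337)
'@
Get-DmaBusReport -Message $sample -AllowedIds 'PCI\VEN_8086&DEV_A30D' |
    Where-Object { -not $_.Approved } |
    Format-Table Class, Id, Name -AutoSize
```

On the affected machine, `Get-LiveDmaBusReport` returns the same objects built from the most recent event 4122 and the current registry contents.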
