Kernel DMA Protection Patcher (kdmap-patcher)
Automated UEFI patching for pre-boot DMA protection
Direct Memory Access (DMA) attacks remain an often overlooked vector in many threat models, despite increasing attention in recent I/O interconnects. While Thunderbolt 4 introduces spec-mandated mitigations via Kernel DMA Protection, millions of systems using USB4, Thunderbolt 1–3, and similar modern DMA-capable interconnects remain vulnerable due to unpatched or misconfigured firmware.
Kernel DMA Protection Patcher (kdmap-patcher) is a Free Software, OS-agnostic UEFI (BIOS) extension designed to harden systems against DMA attacks from the pre-boot stage. It programmatically detects and remediates vendor-specific UEFI firmware bugs that disable or misconfigure DMA protection. Where protections are entirely absent, kdmap-patcher extends UEFI firmware with a device-tailored configuration enabling Kernel DMA Protection. Once mitigations are applied, kdmap-patcher seamlessly hands off control to the OS bootloader, enabling a significantly improved DMA security posture from the earliest stages of the boot process.
- The project's own website: https://thunderspy.io/kdmap-patcher
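The description above says kdmap-patcher detects firmware that leaves DMA protection disabled or misconfigured. On Intel platforms the firmware signals its opt-in to Kernel DMA Protection through the ACPI DMAR table: bit 2 of the table's Flags byte (DMA_CTRL_PLATFORM_OPT_IN_FLAG) must be set, alongside a DRHD entry describing each remapping unit. The following script is an added example, not part of kdmap-patcher or the thunderspy.io project, that parses a DMAR table and reports those indicators; it reads /sys/firmware/acpi/tables/DMAR when run on Linux, and otherwise falls back to a constructed sample table. AMD systems describe their IOMMU in an IVRS table instead, which this example does not cover, and a set opt-in flag only means the firmware permits DMA remapping; the operating system still has to enable it.

```python
"""Inspect an ACPI DMAR table for the Kernel DMA Protection opt-in flag.

Added example (not kdmap-patcher code). Layout follows the Intel VT-d
specification: 36-byte ACPI header, host address width, flags, 10 reserved
bytes, then a list of remapping structures (DRHD = type 0).
"""
import os
import struct
import sys

DMAR_FLAG_INTR_REMAP = 1 << 0
DMAR_FLAG_X2APIC_OPT_OUT = 1 << 1
DMAR_FLAG_DMA_CTRL_PLATFORM_OPT_IN = 1 << 2  # firmware opted in to DMA protection

LINUX_DMAR_PATH = "/sys/firmware/acpi/tables/DMAR"


def acpi_checksum_ok(table: bytes) -> bool:
    """All bytes of a valid ACPI table sum to zero modulo 256."""
    return sum(table) % 256 == 0


def parse_dmar(table: bytes) -> dict:
    """Return the platform-level DMAR flags and the DRHD (remapping unit) entries."""
    if len(table) < 48 or table[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    length, _revision, _checksum = struct.unpack_from("<IBB", table, 4)
    if length != len(table):
        raise ValueError(f"DMAR length field {length} != {len(table)} bytes read")
    if not acpi_checksum_ok(table):
        raise ValueError("DMAR checksum mismatch")
    # Host Address Width is stored as (bits - 1); Flags is the byte after it.
    haw_minus_one, flags = struct.unpack_from("<BB", table, 36)
    drhd_units = []
    off = 48
    while off + 4 <= length:
        stype, slen = struct.unpack_from("<HH", table, off)
        if slen < 4 or off + slen > length:
            raise ValueError(f"malformed remapping structure at offset {off}")
        if stype == 0:  # DRHD: flags(1) size(1) segment(2) register base(8)
            drhd_flags, _size, segment, reg_base = struct.unpack_from("<BBHQ", table, off + 4)
            drhd_units.append({
                "segment": segment,
                "register_base": reg_base,
                "include_pci_all": bool(drhd_flags & 1),
            })
        off += slen
    return {
        "host_address_width": haw_minus_one + 1,
        "interrupt_remapping": bool(flags & DMAR_FLAG_INTR_REMAP),
        "x2apic_opt_out": bool(flags & DMAR_FLAG_X2APIC_OPT_OUT),
        "platform_opt_in": bool(flags & DMAR_FLAG_DMA_CTRL_PLATFORM_OPT_IN),
        "drhd_units": drhd_units,
    }


def build_sample_dmar(flags: int) -> bytes:
    """Construct a minimal, checksum-correct DMAR table for offline testing.

    Constructed sample data: OEM strings and the 0xFED90000 register base are
    placeholders, not values captured from real firmware.
    """
    drhd = struct.pack("<HHBBHQ", 0, 16, 1, 0, 0, 0xFED90000)  # one INCLUDE_PCI_ALL unit
    total = 36 + 12 + len(drhd)
    header = struct.pack("<4sIBB6s8sI4sI", b"DMAR", total, 1, 0,
                         b"CONSTR", b"SAMPLE  ", 1, b"SMPL", 1)
    platform = struct.pack("<BB10s", 38, flags, b"\0" * 10)  # 39-bit HAW
    table = bytearray(header + platform + drhd)
    table[9] = (-sum(table)) % 256  # fix up the ACPI checksum byte
    return bytes(table)


def report(info: dict) -> str:
    """Summarise whether the firmware has opted in to pre-boot DMA protection."""
    if not info["drhd_units"]:
        return "NO REMAPPING UNITS: firmware does not describe an IOMMU"
    if not info["platform_opt_in"]:
        return "NOT OPTED IN: DMA_CTRL_PLATFORM_OPT_IN_FLAG clear (Kernel DMA Protection unavailable)"
    return "OPTED IN: firmware permits DMA remapping from boot"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else LINUX_DMAR_PATH
    if os.path.exists(path):
        with open(path, "rb") as f:
            data = f.read()
        source = path
    else:
        data = build_sample_dmar(DMAR_FLAG_INTR_REMAP | DMAR_FLAG_DMA_CTRL_PLATFORM_OPT_IN)
        source = "constructed sample"
    parsed = parse_dmar(data)
    print(f"source: {source}")
    for key, value in parsed.items():
        print(f"  {key}: {value}")
    print(report(parsed))
```

Reading the sysfs table normally requires root. A clear opt-in flag on a Thunderbolt 3 or USB4 machine is exactly the firmware condition the project above describes; on such a system the OS cannot enable Kernel DMA Protection regardless of its own settings.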
This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).