With the release of the new Thunderbolt™ 4 devices and connections, many users are gearing up for improved connectivity and universal compatibility. One of the notices that came with the release of Thunderbolt™ 4 and could be flying under the radar is that it now comes with VT-d DMA protection standard. While this is also a major upgrade to the technology, not that many people might understand what VT-d DMA protection is and why it matters.
Understanding what VT-d means requires familiarity with virtualization technology. Intel’s chipsets, memory devices, and high-speed data connections enable multiple virtual environments running on a single device. VT-d is the access and management protocol that a virtual machine will use when accessing physical resources on the host machine. In this blog, we will cover everything you need to know about VT-d DMA protection and why it matters when it comes to Thunderbolt™ 4.
What is Virtualization and VT-d Technology?
For most general users, knowing what VT-d DMA goes beyond what is required when running a normal workstation. If you have not heard about virtualization, then let’s quickly recap how it works.
Virtualization allows a user to create a virtual machine and run it on the same computer by sharing its physical resources without changing the host environment. The host (the physical machine) creates an additional (virtual) box and grants access to the hardware systems on the device. The virtual machine can run a different operating system and simulate other devices like disk memory and RAM.
It’s common for users of virtual machines (VMs) to store their data on an external drive or in the cloud. In these cases, the high-speed data connection will have direct access to onboard components. This creates a vulnerability (like the one dubbed Thunderspy) that hackers can exploit and use to corrupt your system or change critical security settings.
At Intel, VT-d means virtualization for technology direct I/O access. If you have ever had to run a virtual machine in your environment, you will get a notice to turn on VT-d in your BIOS before it will work on your machine. DMA means direct memory access and VT-d DMA protection is the process of securing your virtualized access to your machine’s physical memory systems.
Thunderbolt™ 4 now includes VT-d DMA protection as part of the standard.
Why is Virtualization Important?
For most users, virtualization is not something you’ll deal with every day. However, the technology is how we run cloud infrastructure and how many software engineers do their daily work. For software companies, virtual capabilities are extremely valuable. You can recreate a customer’s environment to troubleshoot issues, test new software deployments, or optimize workstation performance before creating an image to use for the company’s computers.
Virtualization also extends legacy software usage as when one operating system’s support expires, you can host a virtual version of that system and still enjoy the protection of the modern operating system used on the host. One area where a company does face issues is that VMs share the host’s resources, which requires direct I/O access to the hardware. It’s this capability that creates a vulnerability that VT-d DMA protection aims to solve.
What is DMA Kernel Protection?
Direct Memory Access is a technology that grants certain devices privileges to interact with your computer’s physical systems. PCIe devices (like Thunderbolt™ 3 and Thunderbolt™ 4 ports) have access to your machine’s memory. While this improves performance, it does create the opportunity for an infected device to spread malicious code directly into your system memory.
Microsoft, Apple, and Intel provide advanced protection against the unauthorized access of device memory. With Thunderbolt™ 4, Intel VT-d DMA protection is now part of the specification, aiming to improve device safety going forward.
How Thunderbolt™ 4 Helps Improve VT-d DMA Protection
PCI devices have DMA capabilities, allowing them to read and write directly to your system memory. With the rise of connectivity solutions, we run the risk of having an infected or compromised device infect entire computer systems and make recovery next to impossible.
Traditionally, all PCI devices were internal and connected (either via card or soldered) directly to the motherboard of your computer. Newer technologies called hot-plug PCIe devices like Thunderbolt™ could open up a PC to a drive-by DMA attack. By installing malware on the device using a PCIe DMA-enabled port, hackers can take full control over the PC without the user ever knowing a hacker compromised the device.
Thunderbolt™ 4 will ensure that every manufacturer implements the latest DMA protection on their VT-d and PCIe devices. For maximum protection, both your Thunderbolt™ 4 dock and the laptop you are using should have VT-d DMA protection included and enabled. The onboard VT-d DMA protection combined with your dock’s capabilities can help thwart a drive-by DMA attack.
What Else is New in Thunderbolt™ 4 Technology?
Thunderbolt™ 4 does not just provide improved protection for PCIe connectivity but also comes with enhanced performance. With Thunderbolt™ 4, Intel upped the PCIe connection speed from 16Mbps to 32Mbps, giving you quicker access to onboard physical resources.
The data transfer speeds remain at 40Gbps, but you can now connect up to three Thunderbolt™ 4 devices directly to your rig (no daisy chaining required) using a compatible docking station. Thunderbolt™ 4 will also continue providing support for dual 4K video and single 8K video outputs. Finally, Thunderbolt™ 4 moves us closer to universal connection compatibility as it now forms part of the USB4 specification.
The Best Thunderbolt™ 4 Docking Stations from Kensington
Anyone who has already upgraded a device to a Thunderbolt™ 4 enabled PC or tablet will want to get a compatible docking station. Kensington’s SD5700T Thunderbolt™ 4 Dual 4K Docking Station with 90W Power Delivery gives you maximum connection capabilities while delivering enough power to keep all your devices charged.
Three additional Thunderbolt™ 4 ports allow you to connect all your devices and create a productive, efficient workstation using any Thunderbolt™ 4 enabled PC or tablet. You can connect multiple monitors, enjoy lightning-fast data transfer, and keep your workstation secure with the built-in VT-d DMA protection.
Keeping Up with Latest Thunderbolt™ 4 Technologies with Kensington
Our latest range of Thunderbolt™ 3 and Thunderbolt™ 4 docking solutions will help you extend your connectivity without cluttering up your desk with multiple adapters and wires. With the new capabilities that Thunderbolt™ 4 brings, ensuring you get a device with the required Intel VT-d DMA protection included is as simple as looking for the Thunderbolt™ 4 certification.
We have a range of Thunderbolt™ 3 and Thunderbolt™ 4 docking solutions available. To find one that is perfect for your desk setup, check out these docks from Kensington.
This is the fifth in a five-part series, view the other blogs below:
- Blog one: What is Thunderbolt™ 4
- Blog two: What are the Differences between Thunderbolt™ 3 and Thunderbolt™ 4?
- Blog three: Does a Thunderbolt™ 3 Dock Support Thunderbolt™ 4 Laptops?
- Blog four: Which Thunderbolt™ Dock is Right for Your Setup?
- Blog five: What is Intel VT-d DMA Protection?