Impact for Business of Modern Devices in a Thunderbolt 3 Dock Environment

Dynabook Knowledge Base Article

ISSUE

CONTENTS

Background
Potential Problem
Cause
Mitigation / Correction
Conclusion

PRELIMINARY REMARKS

The detail described in this document only affects Thunderbolt(TM) technologies.
If you are using USB Type-C only connectivity then the information and procedures that follow will have little impact on your environment

APPLICABLE MODELS

Notebooks using Thunderbolt(TM) 3 or Thunderbolt(TM) 4 technology on WhiskeyLake platform or newer, such as Portege / Tecra X30-F, X30-G, X30W-J, X40-F, X40-G , X50-F or X50-G series.

AFFECTED CUSTOMERS

Only those wishing to use Thunderbolt(TM) LAN in either a PXE Boot environment or domain login by Thunderbolt(TM) LAN in a hot-desk environment

RESOLUTION | Short

For details, please check Resolution | Detailed section.

RESOLUTION | Detailed

BACKGROUND

With the introduction of Thunderbolt(TM) technology modern PCs now benefit from a level of extensibility that was not available to the previous generations. Such benefits include,
but are not limited to, a new class of external peripherals such as LAN connections, graphics cards and other PCI devices, all of which can be hot-plugged and accessed
in the same way as traditional USB devices we are all familiar with.
Historically the PCI bus was always internal to the system, i.e. a connector on a system board, but with the advent of Thunderbolt(TM) technology this PCI interface is effectively
available as an external connection. This instant benefit of usability and speed brings with it a concern over security: the PCI bus provides and requires Direct memory Addressing (DMA)
and with ports on the outside that are easily available the host PC becomes susceptible to "drive-by" DMA attacks.

As the Thunderbolt(TM) controller is a PCIe device and has Direct Memory Access (DMA) IO (via PCIe), this exposes the PCIe protocol externally through USB-C ports for a range of usages.
This can potentially allow access to system memory from a physical IO device that is being connected and utilising the PCIe protocol. In order to mitigate potential malicious access
to system memory from an external PCIe device, there is security protection employed with Thunderbolt(TM) 3 that prevents unauthorized Thunderbolt(TM) PCIe-based devices from
connecting without user authorization. For instance, this will prevent unauthorized access when the system is locked.
Microsoft and Intel collaboratively developed the hardware security solution , which offers Kernel DMA protection in line with specifications for Thunderbolt(TM) that offers protection against drive-by DMA attacks.

"A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorised user logs in, or while the screen is locked.
Once the system is unlocked, the peripheral driver will be started by the OS and the peripheral will continue to perform normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system."

More details on this can be found via the Microsoft documentation site at https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

POTENTIAL PROBLEM

Thunderbolt(TM) technology provides a connectivity port that offers PCI bus access and with it DMA access. The security procedures implemented by Intel and Microsoft, while securing the system,
have some "knock-on" effects to usability:

PXE Boot: PXE, or network, booting may not be possible with the BIOS defaults recommended by Intel and Microsoft. This is because at the early stage of booting the LAN connectivity via
Thunderbolt(TM) may not be available. This can have an impact during OS deployment.
Thunderbolt(TM) device load/access: When in use booting to the OS sees no available LAN connection at the Windows Login screen when connected to a new or different Thunderbolt(TM) dock.
The LAN connection only becomes available once the user has provided their Windows credentials and logged into the OS itself.

CAUSE

ISSUE 1: PXE Boot
Devices exceeding the requirements for enhanced hardware security [ = PC's classified as Secured Core PC's ], which include Kernel DMA protection in line with specifications for Thunderbolt(TM) 3 for protection
against drive-by DMA attacks brings with it the following behaviour:

"A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorised user logs in, or while the screen is locked.
Once the system is unlocked, the peripheral driver will be started by the OS and the peripheral will continue to perform normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system."

More details on this can be found via the Microsoft documentation site at https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

ISSUE 2: Thunderbolt Device Load/access
Within the Thunderbolt application within Windows there are four security levels as detailed below. Note that SL1 is the default mode that the software installs with.
This means that each device when connected for the first time will require permission to open the DMA controlled ports.
DisplayPort will always connect as it has no DMA capability. Full details can be found in the document maintained at https://thunderbolttechnology.net/

SL 0: No limitations, everything enumerates and connects (2011 and newer)
SL 1: Ask for permission to connect device (2013 and newer) - the default mode
The Thunderbolt(TM) software on the PC maintains a list of the Unique IDs for every Thunderbolt(TM) peripheral that has received user permission to "always connect." (Access Control List).
If the Unique ID of the Thunderbolt(TM) peripheral is not on the ACL, the PCIe connection is not allowed until the user responds to a connection prompt, typically with the
following options: (1) Connect one time, (2) Always connect, (3) Do not connect.
Connection permissions are managed per PC, and not per user login.
SL 2: Only devices with HW cryptographic authentication are added (2014 and newer)
Utilises a HW based challenge / response to verify a connection encryption key which is setup the first time a Thunderbolt(TM) peripheral's Unique ID
is granted "always connect" As well as utilising the ACL a security challenge / response of the encryption key must pass verification.
Beyond the new hardware cryptographic authentication the user experience is the same as SL1
SL 3: TBT mode is set to "Display Port only and will not tunnel or transmit PCIe data. (2013 and newer)

SL1 is linked to the BIOS setting "Native Thunderbolt Support" with Run Time D3 (RTD3) which all PCIe device controller must support to achieve Modern Standby
classification and the power savings and associated response times that apply to such categorised devices.

SL0 can only be reached with the Legacy Thunderbolt(TM) mode however, this would mean disabling "Native Thunderbolt Mode with RTD3", which in turn is not supported
by Intel since the introduction of Windows10 RS4. Native Security (Preboot DMAr + Kernel DMA Protection) is strongly recommended for all Corporate Designs launching 2019 onward (with the exception of Kabylake-R).

MITIGATION / CORRECTION

ISSUE 1: PXE Boot

Devices exceeding the requirements for enhanced hardware security will need to be degraded to standard / enhanced hardware security level.
If you find PXE booting to not function then this may require the disabling of DMAr protection. The process to achieve this is as follows:

Recommend process:

Please download and use the Intel LAN driver for Toshiba Thunderbolt(TM) 3 Dock, which support DMAr function [ download location: https://emea.dynabook.com/support/drivers/laptops/ ]

Alternative process:

Speak with your Dynabook representative and request a special BIOS.
Once obtained install the special BIOS to each device.
Make the necessary BIOS settings changes as recommended by your Dynabook representative.

ISSUE 2: Thunderbolt Device Load/access

   On the newer platforms that attain Modern Standby and SL3 support it has been found that disabling "Native Thunderbolt support with RTD3" causes the notebook to fail
   to enter Modern Standby and power consumption to always remain adversely high. Compatibility and stability issues can also be seen with
   Thunderbolt(TM) devices resulting in a yellow bang error in Device Manager.

   This leaves the only mitigation steps to be either:

   a.) At each new connected Thunderbolt(TM) device or dock respond to the prompt in the OS regarding allowing the device to connect.
          This connection setting (if set to "always connect") will be remembered for each and every subsequent boot, with the host PC building up its own whitelist of accepted devices, or:
   b.) For device domain logon utilise either WiFi solutions, a USB LAN, or a LAN via a USB Type-C dock.

CONCLUSION

   As more Modern Devices are deployed the need to balance usability and security becomes ever more important and apparent. At the same time mobility is becoming more
   of a requirement and therefore more and more institutions and workplaces are utilising WiFi/WLAN topologies for the corporate environment. As a result the only users impacted
   by these new changes are those that require a cabled LAN connection available when logging into Windows when using a new Thunderbolt(TM) LAN device and,
   as the notebook whitelist builds this impact will be seen less and less for the user.

DOCUMENT DETAILS

Document ID:

-

Doc Type:

Docking Device

Online Date:

2020-03-24 00:00:00

Date Modified:

2025-03-12

Category:

Operation

Company:

Dynabook Inc.

Product Category:

Mobile Devices

Product Group:

Tecra, Portege, Satellite Pro

Product Series:

Tecra X Series, Portege X Series, Tecra A Series, Satellite Pro A Series

Product:

Tecra X40-F, Portege X30-F, Tecra X50-F, Portege X30L-G, Portege X50-G, Portege X40-G, Portege X30-G, Portege X30W-J, Portege X40-J, Tecra A40-J, Tecra A50-J, Satellite Pro A50-J, Portege X30L-J

Model Number:

PMR31E, PUR33E, PUR31E, PMR33E, PLR31E, PLR33E, PUR30E, PUZ20E, PLR41E, PLR43E, PMR41E, PMR43E, PUR41E, PUR43E, PDA11E, PPH11E, PPH13E, PDA13E, PMM10E, PML12E, PML10E, PMM12E, PCR12E

Operating System:

Windows 10 - 32 Bit, Windows 10 - 64 Bit, Windows 11 - 64 Bit, WinPE - 32 Bit, WinPE - 64 Bit

Keywords:

BIOS, Docking Device, LAN, Network, Thunderbolt, USB