Thunderspy 2 PoC demo: Patching Kernel DMA Protection onto unsupported machine

Thunderspy 2: Kernel DMA Protection for Unpatched Thunderbolt Systems

Kernel DMA Protection helps keep your computer secure by mediating all Thunderbolt Direct Memory Access operations through an IOMMU. Many systems produced after 2013 have an IOMMU, but their BIOS does not enable Kernel DMA Protection. In the absence of vendor BIOS updates retroactively adding this protection, this leaves about 9 years' worth of systems fully vulnerable to Thunderspy forever. Thunderspy 2 aims to bring Kernel DMA Protection to systems that ship without it but are in fact technically capable of supporting it.

This video shows a Dell laptop from 2017, manufactured long before Kernel DMA Protection support became available, after the Thunderspy 2 patch has been applied. The operating system confirms that Kernel DMA Protection is enabled, and attaching a malicious device to attempt a DMA attack prompts the same response as on systems that natively support Kernel DMA Protection.
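The condition described above, an IOMMU that is present while the firmware does not opt in to DMA protection, can be checked from the ACPI DMAR table. This is an added example, not code from the video or the Thunderspy project: it assumes the DMAR header layout of the Intel VT-d specification (opt-in is bit 2 of the flags byte at offset 37), the function names are hypothetical, and the sample tables are constructed.

```python
import struct

DMA_CTRL_PLATFORM_OPT_IN = 0x04  # bit 2 of the DMAR flags byte (VT-d spec)

def parse_dmar(table: bytes) -> dict:
    """Validate an ACPI DMAR table and decode its fixed fields."""
    if len(table) < 48:
        raise ValueError("too short for a DMAR table")
    signature, length = struct.unpack_from("<4sI", table, 0)
    if signature != b"DMAR":
        raise ValueError("not a DMAR table")
    if length < 48 or length > len(table):
        raise ValueError("bad length field")
    if sum(table[:length]) & 0xFF:  # ACPI: all bytes sum to 0 mod 256
        raise ValueError("bad checksum")
    haw, flags = struct.unpack_from("<BB", table, 36)
    return {"address_bits": haw + 1,  # field stores width minus one
            "dma_opt_in": bool(flags & DMA_CTRL_PLATFORM_OPT_IN)}

def assess(table):
    """Classify a machine from its DMAR table (None = table absent)."""
    if table is None:
        return "no-iommu-reported"
    if parse_dmar(table)["dma_opt_in"]:
        return "firmware-opted-in"
    return "iommu-present-no-opt-in"

def build_sample(flags: int) -> bytes:
    """Constructed 48-byte DMAR table, not a dump from real hardware."""
    t = bytearray(48)
    struct.pack_into("<4sIB", t, 0, b"DMAR", 48, 1)  # signature, length, revision
    t[36], t[37] = 38, flags   # 39-bit addressing, flags byte
    t[9] = (-sum(t)) & 0xFF    # checksum byte of the ACPI header
    return bytes(t)

if __name__ == "__main__":
    # On Linux the real table can be read as root from
    # /sys/firmware/acpi/tables/DMAR and passed to assess().
    for label, tbl in [("flags=0x01", build_sample(0x01)),
                       ("flags=0x05", build_sample(0x05)),
                       ("absent", None)]:
        print(label, "->", assess(tbl))
```

The opt-in flag is only the firmware's half: the operating system must still enable IOMMU-based DMA remapping for external devices.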