Direct memory access protections for Mac computers
To achieve high throughput on high-speed interfaces like PCIe, FireWire, Thunderbolt and USB, computers must support direct memory access (DMA) from peripherals. That is, a peripheral (or the host controller acting on its behalf) must be able to read and write RAM without the CPU copying each byte. Unrestricted DMA is also a classic attack path: a malicious or compromised device that can address all of physical memory can read secrets from, or write code into, the kernel. Since 2012, Mac computers have implemented numerous technologies to constrain DMA, resulting in an unusually comprehensive set of DMA protections for a personal computer.
Direct memory access protections for a Mac with Apple silicon
Apple systems on chip contain an Input/Output Memory Management Unit (IOMMU) for each DMA agent in the system, including PCIe and Thunderbolt ports. Because each IOMMU has its own set of address translation tables to translate DMA requests, peripherals connected by PCIe or Thunderbolt can access only memory that has been explicitly mapped for their use. Peripherals can’t access memory belonging to other parts of the system, such as the kernel or firmware, or memory assigned to other peripherals. If an IOMMU detects an attempt by a peripheral to access memory that isn’t mapped for that peripheral’s use, it triggers a kernel panic. The granularity of that protection is set by the driver: a peripheral can read or write whatever its driver chose to map for it, so drivers should map only the buffers a transfer needs and unmap them when it completes.
Direct memory access protections for an Intel-based Mac
Intel-based Mac computers with Intel Virtualization Technology for Directed I/O (VT-d) initialise the IOMMU, enabling DMA remapping and interrupt remapping very early in the boot process to mitigate various classes of security vulnerabilities. DMA remapping translates and restricts the addresses a device can target; interrupt remapping stops a device from forging message signalled interrupts aimed at arbitrary interrupt vectors. The IOMMU hardware begins operation with a default-deny policy, so the instant the system is powered on, it automatically begins blocking DMA requests from peripherals. After being initialised by software, the IOMMUs begin allowing DMA requests from peripherals to memory regions that have been explicitly mapped for their use.
Note: Interrupt remapping for PCIe isn’t necessary on a Mac with Apple silicon because each IOMMU handles message signalled interrupts (MSIs) for its own peripherals.
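The two sections above describe the same mechanism from the hardware side: one translation table per DMA agent, nothing mapped until the kernel maps it, and a fault on any access outside the mapped set. The following is an added illustration in C, not code from Apple, Intel or macOS, that models that policy so the consequences can be observed: two devices issuing the same device-visible address land in different physical pages, a device that issues the kernel's physical address directly is blocked because physical addresses mean nothing in its table, a transfer that straddles into an unmapped page is refused, and a mapping that the kernel revokes after the transfer stops working. The page size, the 64-page device address space, the device names and every address in the scenario are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's or Intel's code: a model of one IOMMU per DMA agent,
 * with per-device translation tables that start out default-deny.
 * Page size, IOVA space size and all addresses below are assumptions. */

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define IOVA_PAGES 64u
#define IOVA_LIMIT ((uint64_t)IOVA_PAGES * PAGE_SIZE)

enum { PERM_NONE = 0u, PERM_READ = 1u, PERM_WRITE = 2u };

typedef enum { DMA_OK, DMA_FAULT_OUT_OF_RANGE, DMA_FAULT_UNMAPPED, DMA_FAULT_PERMISSION } dma_status_t;

/* One IOMMU per port: its own table, every entry "no access" until the kernel maps it. */
typedef struct {
    const char *name;
    uint64_t    phys[IOVA_PAGES];   /* physical page base per device-visible (IOVA) page */
    uint8_t     perm[IOVA_PAGES];   /* PERM_NONE unless explicitly mapped */
    unsigned    faults;             /* blocked requests; macOS would panic or log here */
} iommu_t;

void iommu_init(iommu_t *mmu, const char *name)
{
    memset(mmu, 0, sizeof *mmu);    /* default-deny from power-on */
    mmu->name = name;
}

/* Kernel side: grant the device access to one physical page at a chosen IOVA. */
bool iommu_map(iommu_t *mmu, uint64_t iova, uint64_t phys, uint8_t perm)
{
    if (iova % PAGE_SIZE || phys % PAGE_SIZE || iova >= IOVA_LIMIT || perm == PERM_NONE)
        return false;
    mmu->phys[iova >> PAGE_SHIFT] = phys;
    mmu->perm[iova >> PAGE_SHIFT] = perm;
    return true;
}

/* Kernel side: revoke the mapping when the transfer is finished. */
void iommu_unmap(iommu_t *mmu, uint64_t iova)
{
    if (iova < IOVA_LIMIT) {
        mmu->phys[iova >> PAGE_SHIFT] = 0;
        mmu->perm[iova >> PAGE_SHIFT] = PERM_NONE;
    }
}

/* Device side: every DMA request is translated and checked before it reaches RAM. */
dma_status_t iommu_translate(iommu_t *mmu, uint64_t iova, size_t len, bool is_write, uint64_t *phys_out)
{
    if (len == 0 || iova >= IOVA_LIMIT || len > IOVA_LIMIT - iova) {
        mmu->faults++;
        return DMA_FAULT_OUT_OF_RANGE;
    }
    /* Check each page the transfer touches, so a request cannot straddle into an unmapped page. */
    for (uint64_t off = iova & ~(uint64_t)(PAGE_SIZE - 1); off < iova + len; off += PAGE_SIZE) {
        uint8_t perm = mmu->perm[off >> PAGE_SHIFT];
        if (perm == PERM_NONE) { mmu->faults++; return DMA_FAULT_UNMAPPED; }
        if (!(perm & (is_write ? PERM_WRITE : PERM_READ))) { mmu->faults++; return DMA_FAULT_PERMISSION; }
    }
    if (phys_out)
        *phys_out = mmu->phys[iova >> PAGE_SHIFT] + (iova & (PAGE_SIZE - 1));
    return DMA_OK;
}

static const char *status_name(dma_status_t s)
{
    static const char *names[] = { "ok", "fault: out of range", "fault: unmapped", "fault: permission" };
    return names[s];
}

/* Constructed scenario: a PCIe NVMe controller and a Thunderbolt dock, each behind its own IOMMU.
 * Returns the total number of blocked requests (5 in this scenario). */
unsigned run_scenario(void)
{
    const uint64_t KERNEL_PHYS = 0x20000, NVME_BUF = 0x80000000, DOCK_BUF = 0x90000000; /* assumed */
    iommu_t nvme, dock;
    uint64_t phys = 0;
    iommu_init(&nvme, "pcie-nvme");
    iommu_init(&dock, "thunderbolt-dock");
    iommu_map(&nvme, 0x4000, NVME_BUF, PERM_READ | PERM_WRITE);  /* command buffer, read/write */
    iommu_map(&dock, 0x4000, DOCK_BUF, PERM_READ);               /* same IOVA, other page, read-only */

    struct { iommu_t *mmu; uint64_t iova; size_t len; bool write; const char *what; } req[] = {
        { &nvme, 0x4010,          16, false, "NVMe reads its own buffer" },
        { &dock, 0x4010,          16, false, "dock reads the same IOVA (lands in its own page)" },
        { &dock, 0x4000,          16, true,  "dock writes a read-only mapping" },
        { &dock, KERNEL_PHYS,      8, false, "dock issues the kernel's physical address" },
        { &nvme, 0x4ff0,          32, false, "NVMe transfer straddles into an unmapped page" },
        { &nvme, 0x100000000ull,   8, false, "NVMe addresses beyond its IOVA space" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        dma_status_t s = iommu_translate(req[i].mmu, req[i].iova, req[i].len, req[i].write, &phys);
        printf("%-18s %-50s -> %s", req[i].mmu->name, req[i].what, status_name(s));
        if (s == DMA_OK) printf(" (phys 0x%llx)", (unsigned long long)phys);
        printf("\n");
    }
    iommu_unmap(&nvme, 0x4000);                                   /* transfer done: revoke */
    printf("NVMe reads after unmap -> %s\n", status_name(iommu_translate(&nvme, 0x4000, 8, false, &phys)));
    return nvme.faults + dock.faults;
}

int main(void)
{
    printf("blocked requests: %u\n", run_scenario());
    return 0;
}
```

The model deliberately keeps the kernel's own mapping state out of the device tables: the only thing a peripheral can name is an IOVA in its own table, which is why the request that supplies the kernel's physical address is refused as unmapped rather than forwarded. On a real system the per-page check happens in hardware for every transaction, and the `faults` counter corresponds to the fault the kernel turns into a panic (Apple silicon) or logs (VT-d).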
Starting in macOS 11, all Mac computers with an Apple T2 Security Chip run UEFI drivers that facilitate DMA in a restricted ring 3 (unprivileged, user-mode) environment when these drivers are pairing with external devices. This property helps mitigate security vulnerabilities that may occur when a malicious device interacts with a UEFI driver in an unexpected way at boot time. In particular, it reduces the impact of vulnerabilities in a driver’s handling of DMA buffers: a driver that a device manages to corrupt is running without supervisor privileges and so cannot directly take over the rest of the boot environment.