HP is making BIOS mitigations available for Intel-based Business PCs that support Microsoft Windows 10 Kernel DMA Protection. The mitigations extend the industry-standard pre-boot DMA protection against Thunderbolt port-based attacks to cover attacks mounted through internal PCI Express slots inside the computer. See the list below for mitigated platforms and available BIOS SoftPaq updates.
After performing the BIOS update, the 'Pre-boot DMA Protection' BIOS setting must be configured to enable the protection.
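Because the update alone does not turn the protection on, a fleet audit should read the setting back after deployment. The following PowerShell function is an added example, not HP-supplied code. It assumes the setting is exposed through HP's WMI BIOS provider (`root\HP\InstrumentedBIOS`, class `HP_BIOSEnumeration`) under the name used in this advisory, and that a disabled state is reported with a value beginning with "Disable"; the function name `Get-PrebootDmaProtection` is hypothetical.

```powershell
# Added example: read back the 'Pre-boot DMA Protection' BIOS setting on HP business PCs.
# Assumptions: the setting is exposed by HP's WMI BIOS provider under the name used in
# this advisory, and a value starting with "Disable" means the protection is off.
# Run from an elevated session; remote hosts need WinRM/CIM access.
function Get-PrebootDmaProtection {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName   = $computer
            BiosVersion    = $null      # compare against the SoftPaq version for the platform
            Setting        = $null
            CurrentValue   = $null
            PossibleValues = $null
            Status         = 'Unknown'
        }
        try {
            $cim = @{ ErrorAction = 'Stop' }
            # Only pass -ComputerName for remote hosts so local queries do not need WinRM.
            if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }

            $result.BiosVersion = (Get-CimInstance -ClassName Win32_BIOS @cim).SMBIOSBIOSVersion

            $setting = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' `
                                       -ClassName HP_BIOSEnumeration @cim |
                Where-Object { $_.Name -like '*Pre-boot DMA Protection*' } |
                Select-Object -First 1

            if (-not $setting) {
                # BIOS predates the mitigation, or the platform does not offer the setting.
                $result.Status = 'SettingNotFound'
            } else {
                $result.Setting        = $setting.Name
                $result.CurrentValue   = $setting.CurrentValue
                $result.PossibleValues = $setting.PossibleValues -join '; '
                $result.Status = if ($setting.CurrentValue -match '^Disable') { 'NotEnabled' } else { 'Enabled' }
            }
        } catch {
            # Non-HP hardware, missing HP WMI provider, or an unreachable host ends up here.
            $result.Status = "QueryFailed: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

Get-PrebootDmaProtection | Format-List
```

A `SettingNotFound` result on a listed platform usually means the BIOS update has not been applied yet; `NotEnabled` means the update is present but the setting still needs to be configured.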
For customers concerned about open-chassis attacks, where the attacker has physical access inside the computer, HP recommends using adequate physical security controls to ensure an attacker cannot obtain access to, disassemble, or modify their devices. Although HP is releasing a BIOS update to add a mitigation for this specific open-chassis attack for those platforms that support modern IOMMU-based protection from DMA attacks, be aware that an attacker with physical access and the ability to modify the hardware has a very large attack surface to work with that extends beyond this specific DMA attack possibility. For that reason, physical security for the device is recommended even in situations where the BIOS mitigation is deployed.
HP has identified the affected platforms and the corresponding updated SoftPaq versions. See the affected platforms listed below.