
Last reply by 06-20-2020 Solved
2 Bronze
4765

Can't find Thunderbolt Security Level BIOS setting in XPS 13 7390 2-in-1

With the recent Thunderbolt security issues (https://thunderspy.io/) gaining attention, I thought I should check the Thunderbolt Security Level setting configured in my XPS 13 7390 2-in-1. I'm trying to set the Security Level (https://www.dell.com/community/Latitude/Demystifying-Thunderbolt-3-Security-Levels/td-p/7529712), but I can't seem to find this option in the BIOS. The XPS 13 7390 2-in-1's manual (https://www.dell.com/support/manuals/us/en/04/xps-13-7390-2-in-1-laptop/xps-13-7390-2-in-1-servicema...) doesn't show any such Thunderbolt setting either.

Plugging in a Belkin Thunderbolt 3 dock doesn't evoke any prompt in Windows 10. So it sounds like I have security level set at "none" at present.

How do I configure the Thunderbolt Security Level?

Solution (1)

Accepted Solutions
7 Plutonium
4759

@lzs0  The dock working without any prompt could also be explained by your security level being set to Kernel DMA Protection and the dock supporting that mechanism.  The 7390 2-in-1 definitely supports Kernel DMA Protection, and to my knowledge it's the default setting on systems where it's supported.  And I believe -- but am not completely certain -- that on systems that predate that capability, they are required to default to SL1 "User Authorization" as part of being certified by Intel as Thunderbolt devices.  That's how every Thunderbolt system I've seen has been configured out of the box if it doesn't support Kernel DMA Protection, in any case.

But if you want to check your security level, open the Thunderbolt Control Center app in Windows, click the menu icon in the upper-left corner, and click About.  As for how to change it, I would think it would be somewhere in the BIOS, but I don't have a 7390 2-in-1 to experiment with.



Replies (7)
4752

Hi,

Thank you for reaching out to us.

As per my knowledge, there are no such settings in your system model's BIOS.

Do reach out to us if you have any other query. ^KR


Social Media Support

#IWork4Dell

4741

Thanks @jphughan. Yeah, Kernel DMA Protection is on. I just thought the Security Level setting still ought to be somewhere, but I just don't see it anywhere, and I thought it is still relevant since connecting to an old device that did not support Kernel DMA protection would fall back to legacy behaviour.

Unfortunately, the Thunderbolt Control Center's About page doesn't reveal the Security Level either.

4731

@lzs0  I'm surprised to hear there are no Thunderbolt security settings in the BIOS either if that's the case, since yes that does immediately beg the question of what would happen if you tried to attach an older TB3 peripheral.  As for Thunderbolt Control Center not showing the security level in its About page, I checked some emails with a client of mine who has an XPS 13 7390 2-in-1 and he apparently had a "How to check" link in that area that described how to go to System Information and look.  Not sure why that's different from my own system where it directly displays as Kernel DMA Protection.


4720

Yes, the "How to check" link just brings me to a local HTML file that explains where to find the information in MSINFO32.exe. Kernel DMA Protection is ON, but there's nothing about security levels, unfortunately. Thanks for sharing that your client's XPS 13 7390 2-in-1 is identical.

4716

@lzs0  Well Kernel DMA Protection actually is a Thunderbolt security level.  On my own system, I can choose between that or the "legacy" methods.  But actually I can't choose Kernel DMA Protection AND specify a particular "fallback" security method from the legacy list.  My understanding is that the fallback is SL1 "User Authorization" when Kernel DMA Protection isn't possible, but I'm not certain about that, and unfortunately the only TB3 device I have to test with is a dock that does support Kernel DMA Protection.


4702

I see. Thanks, that seems to be a reasonable fallback behaviour. Just wished that these were better documented.
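
The MSINFO32 check discussed in this thread can be scripted, which helps when the same question has to be answered on more than one machine. The following PowerShell is an added example, not part of any post above: it exports an msinfo32 text report and reads the "Kernel DMA Protection" row. The function name and report path are hypothetical, and the `On` comparison assumes an English-language Windows installation.

```powershell
# Added example: read the "Kernel DMA Protection" row from an msinfo32 text report.
# Get-KernelDmaProtectionFromReport is a hypothetical helper name, not a built-in cmdlet.
function Get-KernelDmaProtectionFromReport {
    param(
        [Parameter(Mandatory)][string]$ReportPath
    )

    # msinfo32 text reports list System Summary rows as "Item<TAB>Value".
    $row = Get-Content -LiteralPath $ReportPath |
        Where-Object { $_ -match '^\s*Kernel DMA Protection\t' } |
        Select-Object -First 1

    if (-not $row) {
        # No such row: the Windows build does not report this feature at all.
        return [pscustomobject]@{ Present = $false; Value = $null; Enabled = $false }
    }

    # Keep everything after the first tab and drop the trailing tab/whitespace.
    $value = ($row -split "`t", 2)[1].Trim()

    # Assumption: English-language Windows, where the enabled state reads "On".
    [pscustomobject]@{
        Present = $true
        Value   = $value
        Enabled = ($value -eq 'On')
    }
}

# Assumed output location for the report.
$report = Join-Path $env:TEMP 'msinfo-report.txt'

# /report writes a text file; msinfo32 is a GUI program, so wait for it to exit.
Start-Process -FilePath 'msinfo32.exe' -ArgumentList '/report', "`"$report`"" -Wait

Get-KernelDmaProtectionFromReport -ReportPath $report
```

As noted in the thread, this report covers Kernel DMA Protection only; it has no row for the legacy Thunderbolt security levels.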
