Microsoft today announced a new initiative to combat threats specifically targeted at the firmware level and data stored in memory: Secured-core PCs. Microsoft partnered with chip and computer makers to apply “security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system.” Secured-core PCs will be available from Dell, Dynabook, HP, Lenovo, Panasonic, and Surface. Microsoft hasn’t released a full list of Secured-core PCs, but two examples include HP’s Elite Dragonfly and Microsoft’s Surface Pro X.
Firmware is used to initialize the hardware and other software on the device. The firmware layer runs underneath the OS, where it has more access and privilege than the hypervisor and kernel. Firmware is thus emerging as a top target for attackers since the malicious code can be hard to detect and difficult to remove, persisting even with an OS reinstall or a hard drive replacement. Microsoft points to the National Vulnerability Database, which shows the number of discovered firmware vulnerabilities growing each year.
As such, Secured-core PCs are designed for industries like financial services, government, and healthcare. They are also meant for workers who handle highly sensitive IP, customer, or personal data that poses higher-value targets for nationstate attackers.
Secured-core PC requirements
Secured-core PCs feature another layer of security underneath the operating system to protect the boot process from firmware attacks. A key Secured-core PC device requirement is Windows Defender implementing System Guard Secure Launch using new hardware capabilities from AMD, Intel, and Qualcomm. System Guard leverages firmware to start the hardware and then shortly after reinitialize the system into a trusted state. Using the OS boot loader and processor capabilities, it sends the system down a well-known and verifiable code path.
Another requirement of Secured-core PCs is Trusted Platform Module (TPM) 2.0, which lets admins measure the components used to verify that a device booted securely. Additionally, Windows monitors and restricts the functionality of potentially dangerous firmware through System Management Mode (SMM).
Microsoft’s pitch here is a bit complicated. Windows 10 Pro already comes with a firewall, secure boot, and file-level information-loss protection on every device. But if your specific industry or team needs more, the company has partnered to usher in Secured-core PCs with Windows Defender System Guard capabilities. Secure-core PCs are supposed to boot securely, protect from firmware vulnerabilities, shield the OS from attacks, prevent unauthorized access to devices and data, and lock down identity and domain credentials.