Microsoft has announced a new 'Secured-core PC' initiative that aims to harden the security in Windows PCs at the firmware level. According to Microsoft this is a necessary step, as hackers increasingly turn their attention away from software vulnerabilities and towards "other avenues of exploitation with firmware emerging as a top target."
The firmware in a PC is what's commonly referred to as the BIOS. Today's systems rely on Unified Extensible Firmware Interface (UEFI) firmware, which is technically different than a BIOS, though the general function is the same. It's essentially a low-level software routine to configure settings before booting the operating system.
Firmware level attacks are especially troublesome because they are difficult to detect and remove (they can survive a clean wipe of the OS), and give hackers deep access to a system. They're also becoming more common. Microsoft points out that firmware attacks have increased five-fold in the last three years, based on information in NIST's National Vulnerability Database.
The Secured-core PC initiative is Microsoft's answer to this, and it is working with AMD, Intel, Qualcomm, and OEM partners to ensure it's widely adopted. A certified Secured-core PC combines identity, virtualization, OS, hardware, and firmware protection as an added layer of protection.
"Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks. System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities that are built into the latest silicon from AMD, Intel, and Qualcomm to enable the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path," Microsoft explains.
If reading that explanation makes your head spin, so will the rest of Microsoft's blog post on the topic. For further reading, AMD posted a related blog post of its own discusses how it's enabling Secured-core PC functions in its next-gen Ryzen processors.
There's a lot of technobabble to wade through. What it boils down to, however, is better cooperation between the hardware and software. As explained by Wired, new processors are being built to run integrity checks during the boot process, with only chip makers holding the necessary encryption keys for these checks.
"It's rooted in the CPU and no longer in the firmware, because it still boots early," says David Weston, director of operating system security at Microsoft. "But if there's anything tampered with, the system code would identify this and shut everything down. So we're taking firmware and any potential compromise out of the circle of trust."
Microsoft already employs a similar strategy on its Xbox consoles, which are locked down even tighter than PCs.
"Xbox has a very advanced threat model because we don't trust the user even in physical possession of the device," Weston told ZDNet. "We don't want the user to be able to hack the console to run their own games."
"Also, when you take it out of the game domain and you put into the real-world physical domain, you want the same guarantee that an attacker cannot access your code and data. We took our own learnings and worked with silicon vendors to develop a strategy to deal with advanced threats," Weston added.
Certified Secured-core PCs are already available from Dell, Dynabook, HP, Lenovo, and Panasonic, along with Microsoft's latest Surface products (there's a full list here). It's not clear if or when this initiative will extend specifically to gaming PCs.