Microsoft is teaming up with Windows device manufacturers to tighten firmware security in a new initiative called Secure-Core PCs, which are built to defend against firmware-level attacks.
These attacks, according to Microsoft, are becoming more common in recent years. This is largely due to the ever-improving security features built into operating systems and their “connected services.” Better security means more challenges for hackers to overcome, and reduced incentive for them to attempt to break into a system using software vulnerabilities; thus leading them to focus on firmware instead.
To address the growing threat that firmware-based attacks present, Microsoft has partnered up with various PC manufacturing and silicon partners to produce the secured-core PC defense. This defense’s primary component is “System Guard Secure Launch,” a device requirement that protects a PC’s boot process from firmware attacks.
Microsoft’s full explanation of how this concept works is quite technical in nature, but here’s a summary, in the company’s own words:
System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities that are built into the latest silicon from AMD, Intel, and Qualcomm to enable the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path.
Put simply, Secure Launch acts as a sort of gatekeeper between system start-up or, more specifically, BIOS/UEFI initialization and actual Windows 10 operation. Using the power of newer CPUs, Secure Launch can ensure everything is running as planned, and no malicious code is attempting to latch itself onto your system before log-in.
As nice as Secure Launch and the secured-core PC initiative as a whole sounds for those who take system security seriously, it doesn’t seem like it’ll be easily accessible to everyone.
The extra layer of security will arrive in new Windows 10 devices, starting with the Surface Pro X. Other devices will follow from Dell, HP, Lenovo, Panasonic, and Dynabook. Most of the Secured-Core devices launching are laptops, says Weston, with the exception of Surface Pro X.
While anyone can buy a Secured-Core PC – a sticker will inform them whether it meets the security requirements – Weston notes these are specifically designed for people who work in verticals like government or financial services, where sensitive information is often targeted.
“If you think about who is likely to suffer a really advanced, targeted firmware attack, it’s going to be people in those highly targeted verticals,” he adds.