Microsoft will use ‘Secured-core PC’ to protect firmware

PC security is an arms race; for each advancement in security, there’s a new way to break in. As companies like Microsoft get better at protecting their software, hackers are starting to look at firmware as a way to attack computers. In hopes of protecting Windows and its user, Microsoft has a new program on the way called Secured-core PC that it hopes will help solve the problem.

Secured-core PC is an initiative that has Microsoft partnering with AMD, Intel, and Qualcomm to create a set of standards that apply best security practices to apply at the firmware layer. Microsoft says that the system is meant to prevent, rather than catch, intrusion attempts. In short, a secured-core PC only gives a processor minimal trust to boot up. Instead, it looks to Microsoft’s bootloader to complete the boot-up process.

Secured-core PCs are different from Windows’ Secure Boot function. Secure Boot trusts the firmware right-out, and thus cannot protect a computer if the firmware is compromised. Microsoft notes in its post on the initiative that firmware attacks have jumped five-fold in the last few years according to NIST’s National Vulnerability Database, so it seems like the sooner this is implemented, the better.

Secured-core PC protection is at the hardware level

Unfortunately, the chip you have plugged into your motherboard right now won’t be able to bring this to bear. This protection is implemented at the hardware level. The Surface Pro X will be one of the first devices to feature it.

Similar to Secure Boot, this seems like the kind of the most of us won’t bother to enable at the basic user level. Instead, it’s something that corporations–especially with sensitive data–will implement within their organizations. Even so, a corporation is a good vector for attack if you can get in; you can depend on a lot of users with very similar configurations and propagate something like a worm easily from there. That seems like a good place to start protecting first. This also seems like the kind of thing that could help improve general firmware security in a way that doesn’t require us to enable anything in the future.

avatar
4 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
4 Comment authors
ShouefrefpsuedonymousKlumpoblsz Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Shouefref
Guest

When will that fad of using light grey letter colours on the internet and for software stop? It’s more difficult to read something on your screen nowadasy then it was years ago, and noboby complains. Why? Did their balls fall off?

psuedonymous
Guest
psuedonymous

Similar to Secure Boot, this seems like the kind of the most of us won’t bother to enable at the basic user level.

As with Secure Boot, this will likely be enabled by default when devices are sold to end users.
It will be interesting to see how his changes the Widows hardware certification requirements. Currently, it is a requirement for an end user to be able to manually add keys to the Secure Boot keystore, and for the end user to be able to disable Secure Boot altogether.

Klumpo
Guest
Klumpo

Will this lock Linux out?

blsz
Guest
blsz

if it means i can’t install linux on it when it’s old then i’ll stick with a raspberry pi strapped to a 2×4 and costco flat screen

Pin It on Pinterest

Share This