PC security is an arms race; for each advancement in security, there’s a new way to break in. As companies like Microsoft get better at protecting their software, attackers are starting to look at firmware as a way into computers. In hopes of protecting Windows and its users, Microsoft has a new program on the way called Secured-core PC that it hopes will help solve the problem.
Secured-core PC is an initiative in which Microsoft partners with AMD, Intel, and Qualcomm to create a set of standards that apply security best practices at the firmware layer. Microsoft says the system is meant to prevent intrusion attempts rather than catch them after the fact. In short, a Secured-core PC gives the processor only minimal trust to boot up; instead, it relies on Microsoft’s bootloader to complete the boot process.
Secured-core PCs are different from Windows’ Secure Boot function. Secure Boot trusts the firmware outright, and thus cannot protect a computer if the firmware itself is compromised. Microsoft notes in its post on the initiative that firmware attacks have jumped five-fold in the last few years according to NIST’s National Vulnerability Database, so it seems the sooner this is implemented, the better.
Secured-core PC protection is at the hardware level
Unfortunately, the chip currently in your motherboard won’t be able to take advantage of this, because the protection is implemented at the hardware level. The Surface Pro X will be one of the first devices to feature it.
Similar to Secure Boot, this seems like the kind of thing most of us won’t bother to enable at the basic user level. Instead, it’s something that corporations, especially those handling sensitive data, will implement within their organizations. Even so, a corporation is a good vector for attack if you can get in: an attacker can count on a lot of users with very similar configurations and propagate something like a worm easily from there. That seems like a good place to start protecting first. This also seems like the kind of thing that could improve general firmware security in a way that doesn’t require us to enable anything in the future.