Microsoft introduces Secured-Core PCs with built-in firmware protection

Micrososft's Secured-Core PCs intended to put a stop to UEFI rootkit shenanigans

Microsoft has introduced a range of Secured-Core PCs with integrated firmware protection, intended for mission-critical users in data-sensitive industries.

Microsoft's Secured-Core PCs are based on a specification published by the software company, with the devices produced by third parties. Launch laptops and convertibles include devices from Lenovo, Dell, HP and Dynabook (formerly Toshiba), with Microsoft also throwing-in its own-branded Surface Pro X for Business device.

"These devices are designed specifically for industries like financial services, government, and healthcare, and for workers that handle highly-sensitive intellectual property, customer or personal data, including personally identifiable data as these are higher-value targets for nation-state attackers," says Microsoft.

However, the company adds in the small print: "Secured-Core PCs require specific configuration to fully enable the highest level of protection against attack."

Attacks on Windows PC firmware take advantage of the higher privileges it has over the Windows kernel and, hence, the ability to take control of a PC beyond the reach of PC security software.

The Secured-Core PC specification is based on Windows Defender System Guard. It is intended to protect and maintain system integrity from start-up, and to validate that system integrity has been maintained.

"With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege," explained the company in a paper published earlier this year.

It adds: "With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).

"This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM)."

However, the huge number of PCs with different UEFI BIOS versions presents its own problems.

The paper continues: "Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path."

Secure Launch is intended to simplify the management of the SRTM measurements by making the launch code unrelated to specific hardware configurations.

The Secured-Core PCs are no budget-class models. The cheapest show-cased by Microsoft is a $799 Panasonic Toughbook 55, and the devices go all the way up to $2,169 for the Dell Latitude 7400 2-in-1, via the Microsoft Surface X for Business at $1,099.