Microsoft just announced their partnership with AMD, Intel and Qualcomm to protect the PC’s firmware and operating system through the Secured-core PC initiative.
With help from Akash Malhotra, AMD Director of Security Product Management, here is everything you need to know about how AMD CPUs work in a Secured-core PC device!
What Is A Secured-core PC Device?
Secured-core PC is a new Microsoft initiative that they just announced. In partnership with their hardware partners, they aim to create a specific set of requirements for devices that are meant for secure use.
These requirements will apply the best practices in data security – isolation and minimal trust in the firmware layer and the device core that underpins the Windows operating system.
Secured-core PC devices are targeted at industries like financial services, government and healthcare, and anyone who works with valuable IP, customer or personal data. They would also be useful for persons of interest, who would be high-value targets for hackers and nation-state attackers.
Recommended: The Microsoft Secured-core PC Initiative Explained!
What Security Features Are Already In AMD CPUs?
Before we look at how AMD CPUs work in a Secured-core PC device, let’s take a look at what security features they ship with:
SKINIT: The SKINIT instruction helps create a “root of trust” starting from an initially untrusted operating mode. SKINIT reinitializes the processor to establish a secure execution environment for a software component called the secure loader (SL) and starts execution of the SL in a way that helps prevent tampering. SKINIT extends the hardware-based root of trust to the secure loader.
Secure Loader (SL): The AMD Secure Loader (SL) is responsible for validating the platform configuration by interrogating the hardware and requesting configuration information from the DRTM Service.
AMD Secure Processor (ASP): AMD Secure Processor is dedicated hardware available in each SOC which helps enable secure boot up from BIOS level into the Trusted Execution Environment (TEE). Trusted applications can leverage industry-standard APIs to take advantage of the TEE’s secure execution environment.
AMD-V with GMET: AMD-V is a set of hardware extensions that enable virtualization on AMD platforms. Guest Mode Execute Trap (GMET) is a silicon performance acceleration feature added in next-gen Ryzen which enables the hypervisor to handle code integrity checks efficiently and helps protect against malware.
How AMD CPUs Work In A Secured-core PC Device
In a Secured-core PC powered by an AMD CPU, the firmware and bootloader will initialise, and shortly after, the system will transition into a trusted state with the hardware forcing the firmware down a well-known and measured code path.
That means the firmware is authenticated and measured by the security block in the AMD CPU, and that measurement is stored securely in the TPM for verification and attestation by the operating system.
At any point after that, the operating system can request that the AMD security block remeasure and compare the firmware against the old values, before executing further operations. This way, the operating system can help verify the integrity of the system over time.
In AMD processors, the firmware protection is handled by the AMD Dynamic Root of Trust Measurement (DRTM) Service Block that is made up of SKINIT CPU instruction, ASP and the AMD Secure Loader (SL).
This block is responsible for creating and maintaining a chain of trust between components by performing these functions:
- Measure and authenticate firmware and bootloader
- Gather the following system configuration for the OS, which will in turn validate it against its security requirements and store the information for future verification:
  - Physical memory map
  - PCI configuration space location
  - Local APIC configuration
  - I/O APIC configuration
  - IOMMU configuration / TMR configuration
  - Power management configuration
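To make the measure, store, remeasure and compare flow concrete, here is an added Python model of the idea, written for this article and not taken from AMD, Microsoft or the DRTM Service Block itself. It models one TPM Platform Configuration Register being extended first by a firmware measurement and then by a bootloader measurement, the OS-side check that asks for a fresh measurement and compares it against the value recorded at launch, and the event-log replay a verifier performs during attestation. Every name in it (SimulatedPCR, measure_launch, replay_log, remeasure_and_compare), the image bytes and the reference digest are constructed for illustration; on real hardware the firmware is authenticated by signature, which the digest comparison stands in for.

```python
import hashlib

# Constructed stand-ins for the images the DRTM block measures. Real firmware
# and bootloader images are far larger; only the measurement logic matters here.
FIRMWARE_IMAGE = b"constructed UEFI firmware image, build 1"
BOOTLOADER_IMAGE = b"constructed bootloader image, build 1"

# Assumed reference digest for the firmware. On real hardware the image is
# authenticated by signature; a known-good digest stands in for that here.
EXPECTED_FIRMWARE_DIGEST = hashlib.sha256(FIRMWARE_IMAGE).hexdigest()


class SimulatedPCR:
    """Models one TPM Platform Configuration Register (PCR).

    A PCR cannot be written directly; it can only be extended:
        new = SHA-256(old || digest(component))
    so every measurement is folded in, in order, and a later component
    cannot rewrite what an earlier one recorded.
    """

    def __init__(self):
        self.value = bytes(32)   # PCRs read as all zeros after a reset
        self.log = []            # event log: (label, digest hex), in order

    def extend(self, label, data):
        digest = hashlib.sha256(data).digest()
        self.value = hashlib.sha256(self.value + digest).digest()
        self.log.append((label, digest.hex()))
        return self.value.hex()


def firmware_authentic(firmware):
    """Authentication step: does the image match the trusted reference?"""
    return hashlib.sha256(firmware).hexdigest() == EXPECTED_FIRMWARE_DIGEST


def measure_launch(firmware, bootloader):
    """Simulate the measured launch: authenticate the firmware, then measure
    firmware and bootloader into a fresh PCR in that fixed order."""
    if not firmware_authentic(firmware):
        raise ValueError("firmware failed authentication; refusing to launch")
    pcr = SimulatedPCR()
    pcr.extend("firmware", firmware)
    pcr.extend("bootloader", bootloader)
    return pcr


def replay_log(log):
    """Recompute the PCR value from an event log. A verifier (or the OS
    during attestation) uses this to check that the log it was handed is
    consistent with the PCR value the TPM reports."""
    value = bytes(32)
    for _label, digest_hex in log:
        value = hashlib.sha256(value + bytes.fromhex(digest_hex)).digest()
    return value.hex()


def remeasure_and_compare(reference_pcr, firmware, bootloader):
    """The OS-side check: request a fresh measurement of the same components
    and compare it with the value recorded at launch."""
    fresh = SimulatedPCR()
    fresh.extend("firmware", firmware)
    fresh.extend("bootloader", bootloader)
    return fresh.value == reference_pcr.value


if __name__ == "__main__":
    launch = measure_launch(FIRMWARE_IMAGE, BOOTLOADER_IMAGE)
    print("PCR after launch:", launch.value.hex())
    print("log replays to PCR:", replay_log(launch.log) == launch.value.hex())
    print("unchanged firmware passes:",
          remeasure_and_compare(launch, FIRMWARE_IMAGE, BOOTLOADER_IMAGE))
    print("modified bootloader detected:",
          not remeasure_and_compare(launch, FIRMWARE_IMAGE, BOOTLOADER_IMAGE + b"\x90"))
```

Two properties of the model carry over to the real mechanism: a single changed byte in either image produces a different PCR value, and measuring the same two images in a different order also produces a different value, which is why the hardware forces the firmware down a fixed, well-known code path rather than letting it choose what to measure first.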
AMD SMM Supervisor
Although the method above protects the firmware, AMD points out that the System Management Mode (SMM) also needs to be protected.
SMM is a special-purpose x86 CPU mode that handles power management, hardware configuration, thermal monitoring, etc. Because SMM code executes in the highest privilege level and is invisible to the operating system, it is an attractive target for attackers.
To help isolate SMM, AMD introduced a security module called AMD SMM Supervisor that will:
- Block SMM from being able to modify Hypervisor or OS memory. An exception is a small, coordinated communication buffer between the two.
- Prevent SMM from introducing new SMM code at run time
- Block SMM from accessing DMA, I/O, or registers that can compromise the Hypervisor or OS
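The three rules above amount to an access policy for code running in SMM. As an added illustration, not AMD's SMM Supervisor code and not from this article, here is a small Python model of such a policy: physical regions for locked SMM code, SMM data, the shared communication buffer, the hypervisor and the OS kernel, a check that decides whether a given access from SMM is permitted, and an audit helper that runs a trace of accesses through the policy and reports the ones that would be blocked. The region names, addresses, the I/O port allowlist and the function names (smm_access_allowed, audit) are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int  # exclusive

    def contains(self, addr, size=1):
        """True only if the whole [addr, addr+size) range lies inside."""
        return self.start <= addr and addr + size <= self.end


# Constructed physical layout; the addresses are illustrative, not a real map.
SMRAM_CODE = Region("smram_code", 0x8000_0000, 0x8004_0000)    # locked SMM handler image
SMRAM_DATA = Region("smram_data", 0x8004_0000, 0x8008_0000)    # SMM private data
COMM_BUFFER = Region("comm_buffer", 0x8008_0000, 0x8008_1000)  # shared with OS/hypervisor
HYPERVISOR = Region("hypervisor", 0x1000_0000, 0x2000_0000)
OS_KERNEL = Region("os_kernel", 0x2000_0000, 0x4000_0000)

# Constructed allowlist of I/O ports the SMM power-management handler needs.
ALLOWED_IO_PORTS = frozenset(range(0x1800, 0x1880))


def smm_access_allowed(kind, addr, size=1):
    """Decide whether an access issued from SMM is permitted.

    kind: "read", "write", "execute", "dma" or "io" (addr is a port for "io").
    The rules model the three bullets above:
      1. no access to hypervisor/OS memory except the communication buffer;
      2. no new SMM code at run time: execute only from the locked image,
         and never write to it;
      3. no DMA, and I/O only to an explicit allowlist.
    """
    if kind == "dma":
        return False
    if kind == "io":
        return addr in ALLOWED_IO_PORTS
    if kind == "execute":
        return SMRAM_CODE.contains(addr, size)
    if kind == "write" and SMRAM_CODE.contains(addr, size):
        return False
    if SMRAM_CODE.contains(addr, size) or SMRAM_DATA.contains(addr, size):
        return True
    if COMM_BUFFER.contains(addr, size):
        return True
    return False  # hypervisor, OS kernel and anything unmapped: denied


def audit(trace):
    """Run a list of (kind, addr, size) accesses through the policy and
    return those that would have been blocked; useful as a test bench for
    an SMM handler or as material for an incident review."""
    return [entry for entry in trace if not smm_access_allowed(*entry)]


if __name__ == "__main__":
    # Constructed trace mixing legitimate handler activity with policy violations.
    trace = [
        ("read", SMRAM_DATA.start, 8),
        ("write", COMM_BUFFER.start, 64),
        ("write", HYPERVISOR.start + 0x10, 8),   # rule 1 violation
        ("write", SMRAM_CODE.start + 0x40, 4),   # rule 2 violation
        ("execute", COMM_BUFFER.start, 1),       # rule 2 violation
        ("dma", OS_KERNEL.start, 4096),          # rule 3 violation
        ("io", 0x1804, 1),
    ]
    for kind, addr, size in audit(trace):
        print(f"blocked: {kind} at {addr:#x} size {size}")
```

Note that `contains` requires the whole access to fit inside a region, so a write that starts inside the communication buffer but runs past its end is denied rather than partially allowed; that edge check is what keeps the buffer from becoming a path into adjacent hypervisor or OS memory.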