Tag Archives: Secured-core PC

How AMD CPUs Work In A Secured-core PC Device!

Microsoft just announced their partnership with AMD, Intel and Qualcomm to protect the PC’s firmware and operating system through the Secured-core PC initiative.

With help from Akash Malhotra, AMD Director of Security Product Management, here is everything you need to know about how AMD CPUs work in a Secured-core PC device!

 

What Is A Secured-core PC Device?

Secured-core PC is a new Microsoft initiative that they just announced. In partnership with their hardware partners, they aim to create a specific set of requirements for devices that are meant for secure use.

These requirements will apply the best practices in data security – isolation and minimal trust in the firmware layer and the device core that underpins the Windows operating system.

Secured-core PC devices are targeted at industries like financial services, government and healthcare, and anyone who work with valuable IP, customer or personal data. They would also be useful for persons of interest, who would be high-value targets for hackers and nation-state attackers.

Recommended : The Microsoft Secured-core PC Initiative Explained!

 

What Security Features Are Already In AMD CPUs?

Before we look at how AMD CPUs work in a Secured-core PC device, let’s take a look at what security features they ship with :

SKINIT: The SKINIT instruction helps create a “root of trust” starting with an initially untrusted operating mode. SKINIT reinitializes the processor to establish a secure execution environment for a software component called the secure loader (SL) and starts execution of the SL in a way to help prevent tampering SKINIT extends the hardware-based root of trust to the secure loader.

Secure Loader (SL): The AMD Secure Loader (SL) is responsible for validating the platform configuration by interrogating the hardware and requesting configuration information from the DRTM Service.

AMD Secure Processor (ASP): AMD Secure Processor is dedicated hardware available in each SOC which helps enable secure boot up from BIOS level into the Trusted Execution Environment (TEE). Trusted applications can leverage industry-standard APIs to take advantage of the TEE’s secure execution environment.

AMD-V with GMET: AMD-V is set of hardware extensions to enable virtualization on AMD platforms. Guest Mode Execute Trap (GMET) is a silicon performance acceleration feature added in next gen Ryzen which enables hypervisor to efficiently handle code integrity check and help protect against malware.

 

How AMD CPUs Work In A Secured-core PC Device

In a Secured-core PC powered by an AMD CPU, the firmware and bootloader will initialise, and shortly after, the system will transition into a trusted state with the hardware forcing the firmware down a well-known and measured code path.

That means the firmware is authenticated and measured by the security block in the AMD CPU, and that measurement is stored securely in TPM for verification and attestation by the operating system.

At any point after that, the operating system can request that the AMD security block remeasure and compare the firmware against the old values, before executing further operations. This way, the operating system can help verify the integrity of the system over time.

In AMD processors, the firmware protection is handled by the AMD Dynamic Root of Trust Measurement (DRTM) Service Block that is made up of SKINIT CPU instruction, ASP and the AMD Secure Loader (SL).

This block is responsible for creating and maintain a chain of trust between components by performing these functions:

  • Measure and authenticate firmware and bootloader
  • Gather the following system configuration for the OS, which will in turn validate them against its security requirements and store information for future verification.
    • Physical memory map
    • PCI configuration space location
    • Local APIC configuration
    • I/O APIC configuration
    • IOMMU configuration / TMR Configuration
    • Power management configuration

 

AMD SMM Supervisor

Although the method above protects the firmware, AMD points out that the System Management Mode (SMM) also needs to be protected.

SMM is a special-purpose x86 CPU mode that handles power management, hardware configuration, thermal monitoring, etc. Because SMM code executes in the highest privilege level and is invisible to the operating system, it is an attractive target for attackers.

To help isolate SMM, AMD introduced a security module called AMD SMM Supervisor that will :

  • Block SMM from being able to modify Hypervisor or OS memory. An exception is a small coordinate communication buffer between the two.
  • Prevent SMM from introducing new SMM code at run time
  • Block SMM from accessing DMA, I/O, or registers that can compromise the Hypervisor or OS

 

Recommended Reading

Go Back To > Cybersecurity | ComputerHome

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!


The Microsoft Secured-core PC Initiative Explained!

Microsoft and their hardware partners just announced the Secured-core PC initiative to combat threats that target the PC’s firmware and operating system.

With help from David Weston, Partner Director of Microsoft OS Security, here is everything you need to know about the Secured-core PC initiative!

 

What Is The Secured-core PC Initiative?

Secured-core PC is a new Microsoft initiative that they just announced. In partnership with their hardware partners, they aim to create a specific set of requirements for devices that are meant for secure use.

These requirements will apply the best practices in data security – isolation and minimal trust in the firmware layer and the device core that underpins the Windows operating system.

Secured-core PC devices will be targeted at industries like financial services, government and healthcare, and anyone who work with valuable IP, customer or personal data. They would also be useful for persons of interest, who would be high-value targets for hackers and nation-state attackers.

 

Is There A Need For Secured-core PC?

As more protection is built into the operating system and connected services, attackers are exploring other methods with firmware emerging as a top target.

The NIST’s National Vulnerability Database shows a near 5X increase in the number of firmware vulnerabilities in the last 3 years :

In late 2018, security researchers discovered that the hacking group Strontium targeted systems in the wild with malware that made use of firmware vulnerabilities.

Because it targeted firmware, the malicious code was hard to detect, and difficult to remove. It even persists after the operating system is reinstalled, or the storage drive replaced!

 

Why Is Firmware The New Target?

Firmware is used to initialise the hardware and software when a device is started up. It therefore has a higher level of access and privileges than the hypervisor and operating system kernel.

This means firmware attacks that succeed can undermine protective mechanisms like Secure Boot that the hypervisor or operating system use to protect against malware.

Firmware attacks can more easily evade endpoint protection and detection solutions, because the latter run under the operating system layer, and therefore have limited visibility of the firmware layer.

 

What Is A Secured-core PC Made Up Of?

Secured-core PCs will combine multiple layers of protection – identity, virtualisation, operating system, hardware and firmware – to prevent attacks, rather than simply detecting them.

They all ensure that the device will boot securely and is protected against firmware vulnerabilities, shielding the operating system from attacks and preventing unauthorised access to the device and data.

Recommended : How AMD CPUs Work In A Secured-core PC Device

System Guard Secure Launch

Microsoft is now implementing System Guard Secure Launch in Windows 10 as a key Secured-core PC requirement.

System Guard uses the Dynamic Root of Trust for Measurement (DRTM) capabilities built into the latest processors from AMD, Intel and Qualcomm, to protect the boot process from firmware attacks.

The firmware is used to start the hardware, and then shortly after, re-initialise the system into a trusted state. This helps to limit the trust assigned to the firmware, greatly mitigating against firmware attacks.

This method also helps protect the integrity of the Virtualisation-Based Security (VBS) feature in the hypervisor against firmware vulnerabilities. This is critical because VBS is used for important OS security functions like Windows Defender Credential Guard and Hypervisor-protected Code Integrity (HVCI).

Trusted Platform Module 2.0

Microsoft is also implementing Trusted Platform Module 2.0 (TPM) as a device requirement for Secured-core PCs.

It is used to measure the components that are used during the secure launch process, allowing for zero trust networks using System Guard runtime attestation.

 

Secured-core PC Availability

Secured-core PC devices are available from Dell, Dynabook, HP, Lenovo, Panasonic and Microsoft’s own Surface brand.

 

Recommended Reading

Go Back To > Cybersecurity | ComputerHome

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!