Microsoft in partnership with Intel, Qualcomm and AMD mobile systems with hardware protection against attacks through the firmware. The company was forced to create such computing platforms by the increasing attacks on users by the so-called "white hackers" - groups of hacking specialists subordinate to government structures. In particular, ESET security experts attribute such actions to a group of Russian hackers APT28 (Fancy Bear). The APT28 group allegedly tested software that ran malicious code while loading firmware from the BIOS.
Together, Microsoft cybersecurity experts and processor developers presented a kind of silicon solution in the form of a hardware root of trust. The company called such PCs Secured-core PC (PC with a secure core). Secured-core PCs currently include a range of laptops from Dell, Lenovo and Panasonic and the Microsoft Surface Pro X tablet. These and future secure-core PCs should give users full confidence that all computing will be trusted and will not lead to data compromise. .
Until now, the problem with rugged PCs has been that the firmware microcode was created by motherboard and system OEMs. In fact, it was the weakest link in Microsoft's supply chain. The Xbox game console, for example, has been operating as a Secured-core platform for years, since the security of the platform at all levels - from hardware to software - is monitored by Microsoft itself. Until now, this has not been possible with a PC.
Microsoft made a simple decision to drop the firmware from the list of records during the initial verification of power of attorney. More precisely, they gave the verification process to the processor and a special chip. It looks like it uses a hardware key that is written to the processor at the production stage. At the time of downloading the firmware to the PC, the processor checks it for safety, whether it can be trusted. If the processor did not prevent the firmware from loading (took it for a trusted one), control over the PC is transferred to the operating system. The system begins to consider the platform trusted, and only then, through the Windows Hello process, allows the user to access it, also providing a secure login, but at the highest level.
In addition to the processor, the System Guard Secure Launch chip and the operating system loader are involved in the hardware protection of the root of trust (and the integrity of the firmware). Also included in the process is virtualization technology, which isolates memory in the operating system to prevent attacks on the OS kernel and applications. All this complexity is designed to protect, first of all, the corporate user, but sooner or later something similar will surely appear in consumer PCs.
Source: 3dnews.ru