This week, Microsoft said something about PCs it has never clearly said before: it spelled out a hardware specification it thinks PC makers should adopt to ensure their Windows computers are “highly secure”.
That might not sound terribly dramatic, but in the understated Microsoft way it signals an important change.
Up to now, and for as long as anyone can remember, the only aspect of hardware Microsoft (and almost everyone else in the industry) cared about was how fast the components inside a PC were.
Under this model, securing the PC was a job for the OS itself and for dedicated security applications running on top of it, and it was largely independent of how the computer was built.
No longer: security is increasingly being baked in at a lower level, and that means doing it in a mixture of hardware features tightly integrated with firmware that can itself be trusted.
Reading the specs, you notice that performance isn’t off the menu completely.
A secure PC should run a 64-bit Intel or AMD 7th-generation processor (Intel's Kaby Lake, or AMD's 7th-generation A-Series and E-Series onwards) with at least 8GB of RAM. At first it looks as if this has something to do with hardware virtualisation (also in the spec), but it is really tied up with the code and memory-protection mechanisms built into these chips that Virtualisation Based Security (VBS) relies on, the most notable being Mode Based Execution Control, which lets the hypervisor enforce kernel code integrity without the performance penalty older chips incur.
And it doesn't stop with the processor: the rest of the platform must also support an IOMMU (Intel VT-d or AMD-Vi) and Second Level Address Translation, so that virtualised memory and DMA from devices can be policed by the hypervisor too.
Unsurprisingly, systems must ship with a Trusted Platform Module (TPM) meeting the TCG 2.0 specification and implement platform boot verification, using something like Intel Boot Guard in Verified Boot mode or AMD Hardware Verified Boot, so that the CPU checks the initial firmware before it executes it.
Critically, the firmware that used to be called the BIOS must implement UEFI 2.4 or later with Secure Boot, be able to resist tampering, and still support secure updating (through the UEFI capsule update mechanism) so that it can be patched when flaws are found.
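The spec reads like a checklist, and a practitioner's first question is "does the fleet I already own pass?". The PowerShell script below is an added example, not part of the original article and not Microsoft's tooling: it queries the Windows-visible side of the requirements summarised above (64-bit OS, 8GB RAM, virtualisation extensions, UEFI with Secure Boot, a TPM 2.0, VBS/HVCI state, IOMMU and MBEC availability) and reports the firmware version for the parts it cannot see. The function name `Test-HighlySecureDevice`, the 7.5GB tolerance for reported RAM, and the mapping of Device Guard property codes to meanings are assumptions of this example, the last taken from Microsoft's documented `Win32_DeviceGuard` class. It needs an elevated PowerShell 5.1 session on Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's own tool): check a Windows 10 machine against the
# hardware and firmware points of the "highly secure" spec that are visible from the OS.
# Function name, thresholds and property-code mappings are assumptions of this example.

function Test-HighlySecureDevice {
    $checks = [ordered]@{}

    # 64-bit OS and at least 8 GB of RAM (reported total is slightly under nominal, hence 7.5)
    $checks['64-bit OS'] = [Environment]::Is64BitOperatingSystem
    $ramGB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
    $checks['RAM >= 8 GB'] = ($ramGB -ge 7.5)

    # Hardware virtualisation and SLAT, needed for Hyper-V and therefore VBS.
    # Caveat: once Hyper-V is running these two flags read False because the hypervisor
    # hides them from the guest view Windows has of the CPU; trust the VBS checks below instead.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $checks['CPU virtualisation extensions'] = [bool]$cpu.VirtualizationFirmwareEnabled
    $checks['CPU SLAT']                      = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # UEFI firmware with Secure Boot switched on. Confirm-SecureBootUEFI throws on legacy BIOS.
    $checks['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')
    try   { $checks['Secure Boot enabled'] = Confirm-SecureBootUEFI }
    catch { $checks['Secure Boot enabled'] = $false }

    # TPM present and implementing the TCG 2.0 spec (SpecVersion looks like "2.0, 0, 1.38")
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    $checks['TPM present'] = ($null -ne $tpm)
    $checks['TPM 2.0']     = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')

    # Virtualisation Based Security state from the Device Guard CIM class.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
    # AvailableSecurityProperties:       2 = Secure Boot, 3 = DMA protection (IOMMU), 7 = MBEC
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard `
                          -ErrorAction SilentlyContinue
    $avail = @(); $running = @(); $vbs = 0
    if ($dg) {
        $avail   = @($dg.AvailableSecurityProperties)
        $running = @($dg.SecurityServicesRunning)
        $vbs     = $dg.VirtualizationBasedSecurityStatus
    }
    $checks['VBS running']            = ($vbs -eq 2)
    $checks['HVCI running']           = ($running -contains 2)
    $checks['IOMMU / DMA protection'] = ($avail -contains 3)
    $checks['MBEC available']         = ($avail -contains 7)

    # Not visible from Windows: whether Boot Guard / AMD HVB is fused on, and the exact UEFI
    # spec revision. Report the firmware version so these can be checked against OEM documentation.
    $bios = Get-CimInstance Win32_BIOS
    $checks['Firmware version (verify manually)'] = "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion)"

    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Check = $k; Result = $checks[$k] }
    }
}

Test-HighlySecureDevice | Format-Table -AutoSize
```

A machine that shows MBEC available but HVCI not running is the common case on eligible hardware: the chip can do it, but the feature has not been turned on, which is a configuration job rather than a purchasing one.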
I’ll spare you the rest of the spec’s gory detail and skip to the ‘what it all means’ bit…
The first thing it shows is that securing PCs is increasingly a job that's done (or at least begun) in the first few seconds after the machine is turned on, when the platform verifies that the firmware and the rest of the boot chain haven't been interfered with before it hands over to Windows.
This isn't brand new, of course, but it is increasingly central to defending PCs: not simply the main UEFI layer and its various functions, but also the other hidden firmware that might be present in the computer (remember the suspected low-level hacking of hard drive firmware?). That firmware also needs to be patchable and managed when vulnerabilities in it are disclosed.
Secondly, we learn something about the future, specifically how things like Mode Based Execution Control (MBEC), a CPU feature that lets a hypervisor apply separate execute permissions to user-mode and kernel-mode pages, might soon be used to boost Windows Defender Application Guard (WDAG), the Hyper-V based isolation container used by, among other things, the Edge browser to open untrusted sites.
WDAG is only available to Windows 10 Enterprise customers today, but the spec hints that this will change at some point to include everyone.
Which brings us to the version of Windows that fully enables WDAG, namely Windows 10 version 1709, the Fall Creators Update (released in mid-October 2017), which Microsoft's new spec assumes as a sort of reference year zero.
Is all this a lot to ask?
If you don’t have a PC that meets these requirements – and almost everyone who bought a PC or laptop before last year won’t – it might seem so.
There will also be cynics who suspect that PC companies will use it to harry people into upgrading their PCs more often.
Then there are convenient exceptions, such as the strange beast that is Windows 10 S, the cut-down, Chromebook-like-but-not-quite computer, which isn't required to meet the spec because, frankly, it can't.
Nonetheless, corporate buyers will pay close attention to the new spec and it could even end up buried inside compliance regimes, in time.
If that happens, Microsoft’s spec will end up being a two-minute read with two-decade implications.
Source: Naked Security