"A lot of badness happens if your firmware goes wonky. Our internal red team and external folks have really turned their eyes to this," says David Weston, director of operating system security at Microsoft. "Firmware runs at a privileged level. It’s the thing that boots up the machine—it plays a critical role. Yet firmware is not integrated into update systems like Windows Updates, and for enterprises their visibility into firmware is generally relatively limited. So it's highly privileged and there’s lots of opportunities for bugs."
When you're booting up a computer, you want the system to confirm that it's running genuine software and that the operating system hasn't been compromised. Microsoft already offers Windows Secure Boot, a feature that checks cryptographic signatures to confirm software integrity. But those defenses rely on trusting the firmware, which is what vets everything that loads after it. "When the PC starts, the firmware checks the signature of each piece of boot software," Microsoft explains of Secure Boot. But what if the firmware is lying?
Core Competence

The idea of secured-core PC is to take firmware out of that equation, eliminating it as a link in the chain that determines what's trustworthy on a system. Instead of relying on firmware, Microsoft has worked with AMD, Intel, and Qualcomm to make new central processing unit chips that can run integrity checks during boot in a controlled, cryptographically verified way. Only the chip manufacturers will hold the encryption keys to broker these checks, and they're burned onto the CPUs during manufacturing rather than interacting with the firmware's amorphous, often unreliable code layer.
"It's rooted in the CPU and no longer in the firmware, because it still boots early," Weston says. "But if there's anything tampered with, the system code would identify this and shut everything down. So we're taking firmware and any potential compromise out of the circle of trust."

Microsoft already does something similar in Xbox, which is known to be a particularly secure ecosystem. And Cisco uses a type of chip called a Field Programmable Gate Array to implement its secure boot instead of firmware. In newer iPhones, Apple also uses special hardware checks set up in its custom-built, ARM-based chips to catch any funny business as soon as the processor gets power. But in all of those situations, the same company oversees development of both hardware and software, making those integrations more practical. With Windows, Microsoft can coordinate with chipmakers, but it doesn't manufacture the devices the operating system will ultimately run on.
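To make the "what if the firmware is lying?" point concrete, here is an added toy model (not Microsoft's code, and not how any real CPU or Secure Boot implementation works internally): each boot stage is reduced to a hash "measurement", a chip-maker key vouches for the expected chain, and the only difference between the two verifiers is who computes the measurements. The boot images, the key and the HMAC-based "seal" standing in for a real signature scheme are all constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample boot images (stand-ins for a real UEFI firmware and boot manager).
GOOD_FIRMWARE = b"vendor-uefi-v1.0"
GOOD_BOOTLOADER = b"windows-boot-manager"
TAMPERED_FIRMWARE = b"vendor-uefi-v1.0 + implant"

# Hypothetical chip-maker key, standing in for the key burned into the CPU at the
# factory. HMAC replaces a real asymmetric signature to keep this stdlib-only.
CHIPMAKER_KEY = b"constructed-chipmaker-key"


def measure(image: bytes) -> str:
    """Hash of a boot image, i.e. its 'measurement'."""
    return hashlib.sha256(image).hexdigest()


def manufacturer_seal(measurements: list[str]) -> str:
    """Chip maker vouches for a boot chain; the expected seal is provisioned at manufacturing."""
    return hmac.new(CHIPMAKER_KEY, "|".join(measurements).encode(), "sha256").hexdigest()


EXPECTED_SEAL = manufacturer_seal([measure(GOOD_FIRMWARE), measure(GOOD_BOOTLOADER)])


class CleanFirmware:
    """Untampered firmware that reports its own measurement honestly."""
    image = GOOD_FIRMWARE

    def report_boot_chain(self) -> list[str]:
        return [measure(self.image), measure(GOOD_BOOTLOADER)]


class LyingFirmware:
    """Tampered firmware that reports the clean chain anyway."""
    image = TAMPERED_FIRMWARE

    def report_boot_chain(self) -> list[str]:
        return [measure(GOOD_FIRMWARE), measure(GOOD_BOOTLOADER)]  # lies about itself


def firmware_rooted_boot(fw) -> bool:
    """Firmware does the checking: the verifier trusts whatever the firmware reports."""
    return hmac.compare_digest(manufacturer_seal(fw.report_boot_chain()), EXPECTED_SEAL)


def cpu_rooted_boot(fw, bootloader: bytes) -> bool:
    """CPU measures the actual bytes itself, so a lying firmware cannot hide its own change."""
    actual = [measure(fw.image), measure(bootloader)]
    return hmac.compare_digest(manufacturer_seal(actual), EXPECTED_SEAL)
```

The tampered firmware passes the firmware-rooted check and fails the CPU-rooted one; that gap is the whole reason for moving the root of trust.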