Now Microsoft thinks it has a solution to the problem. As part of a new partnership with PC manufacturers, the company is launching an initiative called Secured-core PC. With Secured-core PC, Microsoft is rethinking Windows’s relationship with firmware and how it handles booting up a device.
Under this new system, a processor’s firmware will power up the system as always, but then limit how much the processor trusts its own firmware to define the code path it takes to launch the system. The processor will instead call on Microsoft’s bootloader for those instructions. The ultimate goal of the framework is to create a safe and reliable path the processor can take each and every time it boots your computer. One major advantage of this system is that it puts the emphasis on preventing attacks, instead of merely detecting them.
Since Windows 8, Windows has included a feature called Secure Boot that checks the authenticity of a bootloader to ensure it’s safe to use. The issue with Secure Boot and the reason Microsoft is moving to this new system is that it depends on trusting firmware to check each piece of boot software. Because it operates on the assumption your firmware is safe, Secure Boot can’t protect your system when the firmware is attacked.
To implement Secured-core PC, Microsoft is working with all the major chipmakers, including Intel, AMD and Qualcomm, to make processors that feature secure encryption keys burned into the chips during the manufacturing process. Since the system depends on new hardware to protect your PC, you won’t be able to download a software update to protect your existing PC against firmware-level attacks. That said, there’s a good chance your next Windows computer will come with the feature built-in. One of the first devices that will include Secured-core PC is Microsoft’s upcoming Surface Pro X, with devices from Dell, Lenovo and Panasonic to follow.