In an effort to encourage PC manufacturers to ship more secure Windows 10 computers, as well as to increase demand for such devices from consumers, Microsoft released a set of hardware and firmware standards for secure Windows 10 devices. These security recommendations apply to Windows 10 version 1709, Fall Creators Update.
There are six hardware standards that manufacturers should consider when building their new Windows 10 devices.
Microsoft said that only Intel and AMD processors from generation seven and up comply with its standards, mainly because these chips support the Mode Based Execution Control (MBEC) feature, which is supposed to stop malicious changes to a guest kernel.
This feature may primarily be necessary to strengthen the Windows Defender App Guard security solution, which essentially puts the Edge browser inside a minimal guest Windows 10 operating system to isolate it from the main system.
App Guard is not available to consumers, only to Windows 10 Enterprise users, but it may eventually trickle down regular Windows users, too, as it could significantly beef-up the somewhat lacking Edge browser security.
The list of 7th generation processors includes Intel chips such as: Core i3/i5/i7/i9-7x, Core M3-7xxx, Xeon E3-xxxx, and current Intel Atom, Celeron and Pentium Processors, as well as processors such as the A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx.
Microsoft said that 64-bit support is necessary for secure devices, which includes modern AMD64 (or x64 as they’re sometimes called) processors, as well as ARMv8.2 CPUs.
As we’ve seen in the past, 32-bit architectures offer poor address space layout randomization (ASLR) security, a feature that shouldn’t be lacking from any modern operating system at this point. ASLR is a big hurdle for many attackers because they can’t pinpoint which memory locations to exploit. Microsoft also noted that the 64-bit process architecture is necessary for other virtualization-based security features, too.
The company included a list of features that are required for new Windows 10 computers to support modern virtualization.
Processors must support Input-Output Memory Management Unit (IOMMU) device virtualization and all I/O devices need to be protected by IOMMU/SMMU. The systems must support Intel VT-d, AMD-Vi, or ARM64 SMMUs.
Systems must also support virtual machine extensions with second level address translation (SLAT). That means the systems must have VT-x with Extended Page Tables (EPT), or AMD-V with Rapid Virtualization Indexing (RVI).
All the virtualization features must be supported in firmware and the OS should be able to use them.
Systems must have a TPM 2.0 module that is in compliance with the Trustworthy Computing Group (TCG) specifications. Microsoft recommended TPM modules either from Intel or AMD, or from third-party vendors such as STMicroelectronics, Nuvoton, or Infineon (whose TPM was recently found to generate weak cryptographic keys).
Platform Boot Verification
Secure systems must implement cryptographically verified boot solutions, such as Intel Boot Guard in Verified Boot mode, AMD Hardware Verified Boot, or equivalents.
Microsoft also said that secure systems should have 8GB or more of RAM. This is probably not a security feature per se, but a minimum 8GB of RAM is likely required if you intend to do any kind of virtualization on your system. The more memory there is, the more effective ASLR should be, too, as there are more places in which code can hide from attackers.
What seems to be missing in this category is a requirement for error-correcting code (ECC) RAM, or any other required protection against RowHammer, a dangerous attack vector that puts the vast majority of existing computers at risk. Microsoft should probably update its requirements to include such protection before long.
According to Microsoft, secure Windows 10 build 1709 machines must also come with UEFI 2.4 or later (latest is UEFI 2.7). The firmware must implement UEFI Class 2 or 3.
The drivers on secure Windows 10 devices must comply with some stringent hypervisor-based code integrity (HVCI) requirements that Microsoft has defined in the past. Systems’ firmware must also have UEFI Secure Boot, which has to be enabled by default, too.
Secure Boot is a an important protection against rootkit malware, but PC manufacturers should also take into account that at least some users will want to install other operating systems on their machines (such as Linux distros), and often that’s only possible if Secure Boot can be disabled in a secure way, such as through a dedicated button or a combination of keyboard keys.
Systems must also implement the Secure MOR (memory overwrite request) revision 2 security feature.
Finally, systems must support the Windows UEFI Firmware Capsule Update specification, which will allow manufacturers to securely update the UEFI firmware.
These new hardware and firmware requirements for “highly secure Windows 10 devices” seem quite reasonable, and it should enable the development of Windows 10 devices that have a baseline of security.
However, what seems to be missing is a way for OEMs to promote that their devices follow these baseline requirements. Perhaps Microsoft also needs to consider a certification program along with a “Secure Windows 10 device” badge to allow OEMs to differentiate from competitors based on this certification and give them a good reason to adopt these requirements in the first place.