Microsoft notes that the National Vulnerability Database has monitored a five-fold increase in firmware-based attacks on devices from 2016 to 2018. The company specifically calls out Russian-based APT28 group (aka FancyBear, Strontium) for using firmware attacks that can reside on a device even if a user reinstalls Windows or installs a new hard drive. This is possible because the firmware has direct access to the hardware on your system and has priority access over the operating system.
In effort to crush attackers like APT28, Microsoft is introducing what it calls the Secure-core PC initiative that its OEM partners will be able to adopt. At its core, the initiative takes a multi-pronged approach to security by offering protection for not only device hardware and software, but also critical firmware.
At the firmware level, Microsoft is counting on System Guard Security Launch, which is a required for a device to be certified as a Secured-core PC. Microsoft says that hardware included on the latest chips from Intel, AMD, and Qualcomm make use of Dynamic Root of Trust for Measurement (DRTM) security.
"[DRTM] enable(s) the system to leverage firmware to start the hardware and then shortly after re-initialize the system into a trusted state by using the OS boot loader and processor capabilities to send the system down a well-known and verifiable code path," writes Microsoft. "This mechanism helps limit the trust assigned to firmware thereby providing a powerful mitigation against cutting-edge, targeted threats against firmware."
DRTM can be further used to protect virtualization-based security (VBS) from malware attacks. System Guard Security Launch works in conjunction with System Management Mode (SMM), which can monitor a PC for firmware changes after it has already booted into the Windows environment, offering another level of protection for customers.
According to Microsoft, Secured-core PCs will be launching in the coming weeks from a number of OEM partners including familiar names like Dell, Hewlett-Packard, and Lenovo. And as you might expect, Microsoft's own first-party Surface devices are also among the PCs supported.