Commissioned by Microsoft, the March 2021 Security Signals report indicates that a vast majority of enterprise customers have experienced at least one firmware attack in the past two years.
Collaborating with AMD, Microsoft is announcing the latest Secured-core offering, the all-new Surface Laptop 4 powered by AMD Ryzen Mobile Processors. These devices offer comprehensive security out of the box with tightly integrated hardware, software, firmware, and identity protection layers.
At the heart of the Surface Laptop 4 are the Trusted Platform Module 2.0 (TPM) and the AMD Ryzen Mobile Processors with System Guard, which together let the device boot securely and minimize the impact of firmware vulnerabilities by sandboxing firmware to protect critical subsystems and sensitive data. Kernel Direct Memory Access Protection is pre-enabled on these devices, helping to ensure that the system is protected against malicious and unintended Direct Memory Access (DMA) attacks from all DMA-capable devices, such as PCI devices, thwarting the entire class of drive-by DMA attacks like Thunderspy.
The TPM 2.0 serves as the hardware root-of-trust for the Surface Laptop 4. With hardware protections for sensitive assets like BitLocker keys and security measurements for the state of the system, the TPM 2.0 helps make the Surface Laptop 4 ready for Zero Trust security.
As pointed out in the Security Signals report, firmware is emerging as a primary target because it’s where devices store sensitive information, like credentials and encryption keys. To address this, Microsoft introduced its own open-source Unified Extensible Firmware Interface (UEFI) implementation to help enable a secure and maintainable interface to manage firmware.
Surface takes a multi-pronged approach to raising the security of our UEFI. To start, it can be updated via Windows Update; our UEFI does not require an outside tool from a third party or download site. In fact, when the Spectre and Meltdown vulnerabilities were announced, Surface already had a fix available that was automatically pushed to every Surface device accepting updates.
Windows Update patched the microcode of our processors entirely through UEFI. Another security step we take is to lock down the UEFI to help protect against known exploits. Surface UEFI uses a combination of Platform Secure Boot (PSB) and UEFI Secure Boot, which translates to a measured and signed firmware check at each stage of the initial boot process.
Along with keeping the trusted computing base small by establishing a hardware root of trust, Surface Laptop 4 confirms that code running within that trusted computing base runs with integrity.
Virtualization-based security (VBS) isolates the operating system and provides a hardware-based security boundary, thereby separating security features and sensitive code and data from vulnerabilities in the operating system. Hypervisor-enforced Code Integrity (HVCI) checks system software before it is loaded, allowing only executables that are signed by known, approved authorities to start. The hypervisor also helps ensure that kernel executable memory is not writable. This prevents modification of sensitive kernel structures and provides strong protections against kernel viruses and malware. Time and again, the protections offered by VBS and HVCI have been shown to provide essential resistance against practical real-world threats.
Complementing the platform security provided by secured-core and Project Mu, Surface Laptop 4 helps ensure that user identities and credentials are protected against theft, compromise, and phishing attacks.
Surface Laptop 4, powered by AMD Ryzen Mobile Processors, joins Surface Pro X as the second secured-core PC offering in the Surface portfolio. These devices provide powerhouse protection out of the box, with capabilities such as Virtualization-Based Security, System Guard, and Kernel DMA protection enabled by default. With these devices, users and businesses can be confident that they have the right protections in place to mitigate security risks and simplify the end-user experience in configuring the device.
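As an added check that is not part of Microsoft's post, the following PowerShell script reports whether the protections described above (VBS, HVCI, UEFI Secure Boot, TPM 2.0, and the IOMMU/DMA-protection capability) are actually in effect on a Windows device. It assumes an elevated PowerShell session on Windows 10/11 and relies only on the documented Win32_DeviceGuard and Win32_Tpm WMI classes and the Confirm-SecureBootUEFI cmdlet; the enabled state of Kernel DMA Protection itself is not exposed by these classes, so only the DMA-protection capability bit is reported (msinfo32 shows the enabled state).

```powershell
# Added example (not Microsoft's code): report secured-core protections on a
# Windows device. Assumes an elevated PowerShell session on Windows 10/11.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented meanings of the Win32_DeviceGuard property values
$availableProps = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)';
                     4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations';
                     7 = 'Mode Based Execution Control' }
$services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

$result = [ordered]@{
    'VBS status'                = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    'Security services running' = ($dg.SecurityServicesRunning | ForEach-Object { $services[[int]$_] }) -join ', '
    'Available security props'  = ($dg.AvailableSecurityProperties | ForEach-Object { $availableProps[[int]$_] }) -join ', '
}

# UEFI Secure Boot state (the cmdlet throws on legacy BIOS systems)
try { $result['UEFI Secure Boot'] = Confirm-SecureBootUEFI }
catch { $result['UEFI Secure Boot'] = 'N/A (not UEFI)' }

# TPM presence and spec version ("2.0, ..." on a TPM 2.0 part)
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$result['TPM present']      = [bool]$tpm
$result['TPM spec version'] = if ($tpm) { $tpm.SpecVersion } else { 'none' }

[pscustomobject]$result | Format-List

# Compare against the baseline the post describes: VBS running, HVCI running,
# Secure Boot on, TPM 2.0 present.
$gaps = @()
if ($dg.VirtualizationBasedSecurityStatus -ne 2)      { $gaps += 'VBS not running' }
if ($dg.SecurityServicesRunning -notcontains 2)       { $gaps += 'HVCI not running' }
if ($result['UEFI Secure Boot'] -ne $true)            { $gaps += 'Secure Boot off' }
if (-not $tpm -or $tpm.SpecVersion -notmatch '^2\.0') { $gaps += 'TPM 2.0 not found' }
if ($gaps) { Write-Warning ('Secured-core baseline gaps: ' + ($gaps -join '; ')) }
else       { 'Secured-core baseline met.' }
```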