Microsoft Releases Standards For Highly Secure Windows 10 Devices (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included with Windows 10 systems and the minimum firmware features. The hardware standards are broken up into 6 categories, which are minimum specs for processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM. Similarly, firmware features should support at least UEFI 2.4 or later, Secure Boot, Secure MOR 2 or later, and support the Windows UEFI Firmware Capsule Update specification.
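To see how an existing machine measures against the hardware and firmware points in that summary, here is an added PowerShell check (not from the article or from Microsoft). It assumes Windows 10 with the TrustedPlatformModule module and reads the documented Win32_DeviceGuard AvailableSecurityProperties codes (1 hypervisor/VBS, 2 Secure Boot, 3 DMA/IOMMU protection, 4 Secure MOR); the UEFI revision, processor generation and TPM spec version are not exposed by these interfaces, so they are not checked, and the 8 GB RAM threshold is an assumption.

```powershell
# Added example: report a Windows 10 device against the hardware/firmware standards above.
# Run from an elevated prompt. Assumes Windows 10; not Microsoft's own tooling.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$avail = @($dg.AvailableSecurityProperties)   # codes documented for Win32_DeviceGuard

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy-BIOS systems
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# TPM presence and readiness; Get-Tpm throws if no TPM is available
try { $tpm = Get-Tpm; $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady } catch { $tpmOk = $false }

$checks = [ordered]@{
  '64-bit architecture'              = [Environment]::Is64BitOperatingSystem
  'UEFI firmware (not legacy BIOS)'  = ($env:firmware_type -eq 'UEFI')
  'Secure Boot enabled'              = [bool]$secureBoot
  'TPM present and ready'            = [bool]$tpmOk
  'Hypervisor / VBS available'       = ($avail -contains 1)
  'VBS running'                      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
  'IOMMU / DMA protection available' = ($avail -contains 3)
  'Secure MOR available'             = ($avail -contains 4)
  'RAM >= 8 GB (assumed threshold)'  = ($cs.TotalPhysicalMemory -ge 8GB)
}

# Print one PASS/FAIL line per check
foreach ($k in $checks.Keys) {
  $status = if ($checks[$k]) { 'PASS' } else { 'FAIL' }
  '{0,-36} {1}' -f $k, $status
}
```

A FAIL on the VBS or IOMMU rows often means the feature is present in hardware but disabled in firmware setup, so check the BIOS/UEFI settings before concluding the device falls short.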
Every post I see so far is the generic: see Windows in the title, bash Windows in comments.
Fair enough.
The processor architecture requirement is to have a 64-bit processor so that Windows can take advantage of VBS, or Virtualization-based security, which uses the Windows hypervisor.
The idea of using hypervisors rather than operating systems for isolation is both sad and absolutely necessary. What should happen is the operating system should provide these services in a tractably verifiably secure manner. Since that seems to be practically impossible at the moment the hypervisor is the only game in town.
Highly secured Windows 10 devices should support Intel VT-d, AMD-Vi, or ARM64 SMMUs in order to take advantage of Input-Output Memory Management Unit (IOMMU) device virtualization.
Not a chance in hell so long as Intel AMT exists. While I agree MMUs are necessary for security they are currently a massive enabler of insecurity.
Another recommended component is a Trusted Platform Module, or TPM, a hardware module that is either integrated into a computer chipset or can be purchased as a separate module for supported motherboards, and that handles the secure generation of cryptographic keys, their storage, a secure random number generator, and hardware authentication.
I don't like TPM because if it breaks everything it protects is gone and I neither need nor want my systems to be secured against physical access in a way that can't stand alone. (e.g. passphrase)
In addition, Microsoft recommends platform boot verification, which is a feature that prevents the computer from loading a firmware that was not designed by the system manufacturer. This prevents attackers from uploading a malicious or compromised firmware to the computer.
I have always hated the idea of using complex cryptography guarded by keys that are bound to be compromised with global repercussions. It's a massive house of cards that seems more and more likely to fail as the profit motive for its compromise increases.
There is a much easier way to protect operating systems from persistent threats.
1. Forbid all hardware from physically possessing any means of self-contained persistent field upgradability. All necessary firmware updates must be loaded during or after boot and they must not survive a reboot.
2. Provide an option for a protected storage area that the operating system boots from and that is then hardware-fused to read-only before becoming available to the end user, until the next reboot, when the process repeats.
This has the following advantages over secure boot.
1. Easier to implement.
2. Future proof, no worries about protecting crypto from unforeseeable threats.
3. Offers maximal flexibility: since the OS gets to decide when to blow the fuse, it can trade safety for convenience per OS preferences and the whims of the end user, as allowed by the OS.
4. This is more secure because it does not depend on thousands of companies guarding secrets (encryption keys) that have a history of being stolen and prove difficult to practically recall. Also secure boot requires that all signed drivers that can be loaded remain secure against compromise... The attack surface is simply too big to practically address.
5. System cannot be misused to deny owners of computing hardware access to load their own systems. Users always retain full control over what operating systems get loaded into the protected area.