AMD and Microsoft Partner with Microsoft’s New Secured-core PC Initiative
Microsoft announced their new Secured-core PC initiative which aims to create highly secure PCs with a deep integration between hardware and software and featuring the most advanced CPUs available.
Being a key Microsoft partner and with a constant focus on security, AMD is committed to this approach and will be enabling Secured-Core PC in the next generation of Ryzen Processors.
Microsoft recently announced their Secured-core PC initiative which relies on a combined effort from OEM partners, silicon vendors and themselves to provide deeply integrated hardware, firmware and software for enhanced device security. As a leading silicon provider to the PC market, AMD will be a key partner in this effort with upcoming processors that are Secured-core PC compatible.
In a computer system, low-level firmware and the boot loader are executed first to configure the system. Ownership is then handed over to the operating system, whose responsibility is to manage resources and protect the integrity of the system. Cyberattacks are becoming increasingly sophisticated, and threats targeting low-level firmware are becoming more prominent. With this changing threat landscape, there is a strong need to provide end customers with an integrated hardware and software solution that offers comprehensive security for the system. This is where the Microsoft Secured-core PC initiative comes into the picture. A Secured-core PC enables you to boot securely, protect your device from firmware vulnerabilities, shield the operating system from attacks, and prevent unauthorized access to devices and data with advanced access controls and authentication systems.
AMD plays a vital role in enabling Secured-core PC, as AMD’s hardware security features and associated software help safeguard against low-level firmware attacks. Before we explain how AMD is enabling Secured-core PC in next-gen AMD Ryzen products, let’s first explain some security features and capabilities of AMD products.
SKINIT: The SKINIT instruction helps create a “root of trust” starting from an initially untrusted operating mode. SKINIT reinitializes the processor to establish a secure execution environment for a software component called the Secure Loader (SL) and starts execution of the SL in a way that helps prevent tampering. SKINIT thereby extends the hardware-based root of trust to the Secure Loader.
Secure Loader (SL): The AMD Secure Loader (SL) is responsible for validating the platform configuration by interrogating the hardware and requesting configuration information from the DRTM Service.
AMD Secure Processor (ASP): AMD Secure Processor is dedicated hardware available in each SOC which helps enable secure boot up from BIOS level into the Trusted Execution Environment (TEE). Trusted applications can leverage industry-standard APIs to take advantage of the TEE’s secure execution environment.
AMD-V with GMET: AMD-V is a set of hardware extensions that enable virtualization on AMD platforms. Guest Mode Execute Trap (GMET) is a silicon performance-acceleration feature added in next-gen Ryzen which enables the hypervisor to handle code integrity checks efficiently and helps protect against malware.
Now let’s understand the basic concept of firmware protection in a Secured-core PC. The firmware and bootloader can load freely, on the assumption that they are unprotected code, knowing that shortly after launch the system will transition into a trusted state with the hardware forcing low-level firmware down a well-known and measured code path. This means that the firmware component is authenticated and measured by the security block on AMD silicon, and the measurement is securely stored in the TPM for later use by the operating system, including verification and attestation. At any point after the system has booted into the OS, the operating system can request the AMD security block to re-measure and compare against the stored values before proceeding with further operations. This way the OS can help ensure the integrity of the system from boot to run time.
The firmware protection flow described above is handled by the AMD Dynamic Root of Trust Measurement (DRTM) Service Block, which is made up of the SKINIT CPU instruction, the ASP and the AMD Secure Loader (SL). This block is responsible for creating and maintaining a chain of trust between components by performing the following functions:
- Measure and authenticate the firmware and bootloader
- Gather the following system configuration for the OS, which in turn validates it against its security requirements and stores the information for future verification:
  - Physical memory map
  - PCI configuration space location
  - Local APIC configuration
  - I/O APIC configuration
  - IOMMU configuration / TMR configuration
  - Power management configuration
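The measure-then-verify flow described above (components measured into a TPM register at launch, an event log recorded, and the OS later re-measuring and comparing against stored values) can be modelled in a few lines. This is an added illustration, not AMD or Microsoft code: the component images, register width and single-PCR layout are constructed stand-ins, and the TPM extend operation is the standard SHA-256(old || new) chaining.

```python
import hashlib

# Constructed sample "firmware images"; in reality these are the actual binaries.
GOLDEN_COMPONENTS = {
    "uefi_firmware": b"vendor UEFI firmware v1.0",
    "bootloader":    b"bootmgfw.efi build 1234",
    "secure_loader": b"SL image",
}

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(components: dict) -> tuple:
    """Simulated launch: hash each component in order, extend it into one PCR
    (starting at all zeros) and record an event log of (name, digest)."""
    pcr, event_log = bytes(32), []
    for name, image in components.items():
        digest = hashlib.sha256(image).digest()
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log

def replay_log(event_log: list) -> bytes:
    """Recompute the PCR from an event log, as a verifier does during attestation."""
    pcr = bytes(32)
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def verify_system(pcr: bytes, event_log: list, golden_log: list) -> tuple:
    """Return (ok, reason). First check that the log is consistent with the
    hardware-held PCR (a log edited without the PCR cannot replay to it), then
    compare each component's measurement against the stored golden value."""
    if replay_log(event_log) != pcr:
        return False, "event log does not match PCR"
    for (name, digest), (_, golden) in zip(event_log, golden_log):
        if digest != golden:
            return False, name
    return True, None

# Golden values captured on a known-good boot and stored for later verification.
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOLDEN_COMPONENTS)

if __name__ == "__main__":
    tampered = dict(GOLDEN_COMPONENTS, bootloader=b"bootmgfw.efi build 1234 + implant")
    print(verify_system(*measure_boot(tampered), GOLDEN_LOG))  # (False, 'bootloader')
```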
Whilst the above methods help in safeguarding firmware, there is still an attack surface that needs to be protected: System Management Mode (SMM). SMM is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a System Management Interrupt (SMI) is raised at runtime, which executes SMM code installed by the BIOS. SMM code executes at the highest privilege level and is invisible to the OS. This makes it an attractive target for malicious activity, and it can potentially be used to access hypervisor memory and alter the hypervisor.
The SMI handler is typically provided by a developer other than the operating system vendor, and because SMM handler code runs at a higher privilege, it has access to OS/hypervisor memory and resources. Exploitable vulnerabilities in SMM code therefore lead to compromise of the Windows OS/hypervisor and Virtualization Based Security (VBS). To help isolate SMM, AMD introduces a security module called AMD SMM Supervisor, which executes immediately after an SMI has occurred and before control is transferred to the SMI handler. AMD SMM Supervisor resides in the AMD DRTM service block, and its purpose is to:
- Block SMM from being able to modify hypervisor or OS memory. The one exception is a small communication buffer coordinated between the two.
- Prevent SMM from introducing new SMM code at run time
- Block SMM from accessing DMA, I/O, or registers that could compromise the hypervisor or OS
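The three rules above amount to a reference-monitor policy applied to every access an SMI handler attempts. The following is an added model of that policy, not AMD's SMM Supervisor implementation: the address ranges are constructed placeholders, and the decision function simply encodes the page's three rules, including the edge case of a write that only partly overlaps the communication buffer.

```python
# Constructed address map (placeholder values, not a real platform layout).
SMRAM_CODE   = (0x7F00_0000, 0x7F10_0000)  # resident SMI handler code: execute, never write
COMM_BUFFER  = (0x7F10_0000, 0x7F10_1000)  # the one OS<->SMM shared page
OS_HV_MEMORY = (0x0000_0000, 0x7F00_0000)  # memory owned by the OS / hypervisor

def contained(rng, addr, size):
    """Access [addr, addr+size) lies entirely inside rng."""
    return rng[0] <= addr and addr + size <= rng[1]

def overlaps(rng, addr, size):
    """Access [addr, addr+size) touches rng at all."""
    return addr < rng[1] and addr + size > rng[0]

def smm_supervisor_check(op, addr=0, size=1):
    """Decide whether an SMI-handler access is allowed under the three rules.
    op is one of 'write', 'exec', 'dma', 'io', 'reg'. Returns (allowed, reason)."""
    # Rule 3: no DMA, port I/O or privileged register access from SMM.
    if op in ("dma", "io", "reg"):
        return False, "DMA/I/O/register access blocked"
    if op == "write":
        # Rule 1 exception: writes fully inside the communication buffer.
        if contained(COMM_BUFFER, addr, size):
            return True, "communication buffer"
        # Rule 1: any write touching OS/hypervisor memory is blocked.
        if overlaps(OS_HV_MEMORY, addr, size):
            return False, "write to OS/HV memory blocked"
        # Rule 2: SMM code pages are not writable, so no new code at run time.
        if overlaps(SMRAM_CODE, addr, size):
            return False, "runtime SMM code modification blocked"
        # A write that straddles the buffer edge ends up here and is denied.
        return False, "write outside communication buffer blocked"
    if op == "exec":
        # Only the code measured and installed before launch may execute.
        if contained(SMRAM_CODE, addr, size):
            return True, "resident SMM code"
        return False, "execution outside SMM code region blocked"
    return False, "unknown operation"
```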
To summarize, AMD will continue to innovate and push the boundaries of security in hardware, whether it is the DRTM service block to help protect the integrity of the system, the use of Transparent Secure Memory Encryption (TSME) to help protect data, or Control-flow Enforcement Technology (CET) to help protect against Return Oriented Programming (ROP) attacks. Microsoft is a key partner for AMD, and as part of this relationship there is a joint commitment through the Secured-core PC initiative to improve security within software and hardware and offer a more comprehensive security solution to customers.
Senior Member
Posts: 379
Joined: 2008-10-15

You can use most of those protections listed today, on a relatively modern PC, if you're willing to put up with some disadvantages.
- Secure Boot and UEFI-only booting are available in quite a few modern platforms and easy to enable
- TPM 2.0 can be available even without a TPM chip, for example with Intel PTT, takes one trip to the BIOS to enable it, and boom TPM
- Bitlocker is easy to enable
- VBS is available as well, turned on by enabling HyperV or other related features in Windows 10, like Sandbox or Windows Hypervisor Platform.
- HVCI should take effect with VBS enabled and Defender's Core Isolation/Memory Integrity
I think the last 2 are enabled after you have a fully supported PC with Credential/Device Guard turned on and some other requirements, like TPM etc. Should also be available with the more recent PCs.
The downsides are multiple. Bitlocker will decrease SSD speed some. VBS will have a negative impact on performance, not much but it's there. There are drivers that fail Memory Integrity checks and stop it from enabling. Steelseries comes to mind. Other drivers simply refuse to work in a VBS environment, or work partially. Older GPUs and components might have such issues. Some games won't start under VBS, but then again this is enterprise targeted, although it's nice to be more secure even at home.
If they can fix the performance impact, which is a constant when HyperV is enabled (even without any VMs), and they can work up something to offload Bitlocker's operations fully to some other hardware than the CPU, I would use these features.
Senior Member
Posts: 2269
Joined: 2013-03-10
This is something Intel should study carefully. Maybe one day in the future they will qualify.
Senior Member
Posts: 379
Joined: 2008-10-15
They already do, it has nothing to do with Spectre and Meltdown, and Intel is mentioned by name as a partner.
Here's the Intel press release.
https://itpeernetwork.intel.com/foundational-pc-protection-for-the-changing-security-landscape/#gs.b4gzm4
Senior Member
Posts: 563
Joined: 2015-11-21
Anyone else remember the Secure Boot fiasco on Win7? When an MS update basically broke your PC, unable to boot unless you disabled Secure Boot, which caused no problems before but suddenly was "unsupported" for a somewhat unrelated update that MS forced on everyone again and again and again (I had to hide it like 10x).
Funny thing, that was at the same time MS purposefully ruined Win 7 patch after patch to make people switch to 10.
Senior Member
Posts: 12060
Joined: 2014-07-21
Isn't this kind of a PR stunt, or do those techs find their way into "normal" hardware too? I guess so? Since Intel's TPM is practically non-existent in what you buy as a DIY builder.
But I think it's good that AMD plays their cards, picking up on their "advantage" in terms of security vs Intel.