Isn't this kind of a PR stunt, or do those techs find their way into "normal" hardware too? I guess so? Since Intel's TPM is practically non existent in what you buy as a DIY builder.
But I think it's good that AMD plays their cards, picking up on their "advantage" in terms of security vs Intel.
https://www.microsoft.com/security/blog/wp-content/uploads/2019/10/fig-2-secured-core-pc.png
You can use most of those protections listed today, on a relatively modern PC, if you're willing to put up with some disadvantages.
- Secure Boot and UEFI-only booting are available in quite a few modern platforms and easy to enable
- TPM 2.0 can be available even without a TPM chip, for example with Intel PTT, takes one trip to the BIOS to enable it, and boom TPM
- Bitlocker is easy to enable
- VBS is available as well, turned on by enabling HyperV or other related features in Windows 10, like Sandbox or Windows Hypervisor Platform.
- HVCI should take effect with VBS enabled and Defender's Core Isolation/Memory Integrity
The last 2 in the image I am unsure about.
I think the last 2 are enabled after you have a fully supported PC with Credential/Device Guard turned on and some other requirements, like TPM etc. Should also be available with the more recent PCs.
The downsides are multiple. Bitlocker will decrease SSD speed some. VBS will have a negative impact on performance, not much but it's there. There are drivers that fail Memory Integrity checks and stop it from enabling. Steelseries comes to mind. Other drivers simply refuse to work in a VBS environment, or work partially. Older GPUs and components might have such issues. Some games won't start under VBS, but then again this is enterprise targeted, although it's nice to be more secure even at home.
If they can fix the performance impact, which is a constant when HyperV is enabled (even without any VMs), and they can work up something to offload Bitlocker's operations fully to some other hardware than the CPU, I would use these features.
This is something Intel should study carefully. Maybe one day in the future they will qualify.
They already do, it has nothing to do Spectre and Meltdown, and Intel is mentioned by name as a partner.
Using new hardware capabilities from AMD, Intel, and Qualcomm, Windows 10 now implements System Guard Secure Launch as a key Secured-core PC device requirement to protect the boot process from firmware attacks.
anyone else remember the secure-boot fiasco on win7 ? when a MS update broke your pc basically, unable to boot unless you disabled secure boot which made no problems before but suddenly was "unsupported" for a somewhat unrelated update that MS forced on everyone again and again and again (I had to hide it like 10x)
funny thing, that was at the same time MS purposefully ruined win 7 patch after patch to make people switch to 10
I am SO glad that I'm not stuck fixing people's PCs anymore because this is the kind of crap that made doing so a royal PITA. Windows 10 is getting more and more difficult to fix, but at the same time, it's also less and less prone to needing fixing.
In some ways this sorta makes sense, because AMD put all these new instructions for the sake of firmware security, though I question how much such things will affect performance, let alone actually work.
I foresee a lot of revenue for them and lots of problems for average Joe.
Security comes in layers, and you can't patch the user
Oh wait, you can, with education Oh wait, that takes effort.
Just whatever, just don't take the Linux boot possibility on the new hardware.
Low level bios/firmware exploits were mostly introduced by the remote management crap and broken "secure boot" Amd and Intel put on their cpus and chipsets. Yes, it could be useful for an enterprise but they are completely useless for the home user.
The old pcs where bios lvl firmware could only be touched by the updater in the mb rom (still shipped) reading from a (crappy) floppy disk were completely immune (unless the hackers had physical access to your system :S).
anyone else remember the secure-boot fiasco on win7 ? when a MS update broke your pc basically, unable to boot unless you disabled secure boot which made no problems before but suddenly was "unsupported" for a somewhat unrelated update that MS forced on everyone again and again and again (I had to hide it like 10x)
funny thing, that was at the same time MS purposefully ruined win 7 patch after patch to make people switch to 10
Even happened on Windows Phone. I had two bricked phones as a result, ha!
You mean with SEDs? Self encrypting drives?
Microsoft seems to deem so many of them unsafe that it now defaults to software, you'd have to manually change a policy to force hardware encryption. Also, I'm not 100% sure if there's no performance impact with that. I wanted to try it when I installed 1909 a few days ago on my 970 Evo Plus, but in the end for my use there's basically no advantages. I mean, I don't even have a password for Win10 since the PC is not used by anyone.
It's good that AMD is getting in on this as it helps with the corporate market.
Even if, working at big corporate, we use literally none of the things that HP have in their, I must say, impressive enterprise package apart from TPM, and v. 1.2 at that.
You will see, Linux either will be unable to boot on those platforms, or rather the Linux Foundation will justify the introduction of some Microsoft code into the Linux kernel, for the greater good.
Remember, Microsoft loves Linux when they have a profit from that.
And the irony is that for some computers, I had to disable the Secure Boot in order to start an Windows 10 USB, then re-enable it.
I hope is not enabled by default. Those are the kind of feature that makes dual boot with linux a pain.
Probably won't happen. The idea is to enable all of these technologies that were somewhat of a pain to enable on normal PCs as a convenience for enterprise users that are not tech savvy and sell it as a new revolutionary feature.
You should be able to turn most off, Secure Boot and the TPM could be problematic if the OEM is locking those parts of the BIOS, but other than that, once in Windows, you can disable anything related to HyperV to get rid of VBS and Core isolation/Memory Integrity in Defender.
Interestingly enough, on my Z370 board which always had Secure Boot on, CSM disabled and UEFI only boot, I don't remember having many issues with booting other stuff, like Gparted, or Windows images "burned" to USB by Rufus, which should theoretically not work with Secure Boot. Yet they do. Didn't try to install Linux fully though.
The last 2 in the image I am unsure about.I think the last 2 are enabled after you have a fully supported PC with Credential/Device Guard turned on and some other requirements, like TPM etc. Should also be available with the more recent PCs. The downsides are multiple. Bitlocker will decrease SSD speed some. VBS will have a negative impact on performance, not much but it's there. There are drivers that fail Memory Integrity checks and stop it from enabling. Steelseries comes to mind. Other drivers simply refuse to work in a VBS environment, or work partially. Older GPUs and components might have such issues. Some games won't start under VBS, but then again this is enterprise targeted, although it's nice to be more secure even at home. If they can fix the performance impact, which is a constant when HyperV is enabled (even without any VMs), and they can work up something to offload Bitlocker's operations fully to some other hardware than the CPU, I would use these features.