All Surface devices are Secured-core PCs: here is what this means

Martin Brinkmann
Oct 26, 2023

Microsoft revealed today that all of its Microsoft Surface devices are Secured-Core PCs. Announced in 2022 for the first time, Secured-Core PCs combine hardware, software and firmware defenses to protect against threats.

Microsoft writes its own firmware and software for its Surface devices. It controls and manages the "entire ecosystem" to "keep data safe and secure".

Recently, the company pledged six years of firmware and driver updates for all Surface devices released in 2021 and later.

Secured-Core PCs


Secured-Core PCs need to meet certain requirements regarding firmware and hardware. Microsoft lists these on a support page.

This includes Secure Boot, Trusted Platform Module 2.0 and Direct Memory Access Protection on the root level. Surface devices have Secure Boot enabled by default and configured to only trust Microsoft firmware. The feature is designed to block malicious software from running early during system start.

Secure Boot verifies components such as the bootloader on start to make sure they have not been tampered with.

Other Secured-Core PC requirements include integrated defenses against firmware-level attacks. Microsoft lists System Guard Secure Launch with System Management Mode isolation as one of the protective features.

On the OS and software level, Hypervisor Code Integrity, Windows Hello and BitLocker encryption are integrated. Hypervisor Code Integrity is designed to block the execution of unverified code on the system.
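To check which of these requirements are actually active on a given Windows device, the following added example (not from the article or from Microsoft) queries the built-in `Confirm-SecureBootUEFI` and `Get-BitLockerVolume` cmdlets and the `Win32_Tpm` and `Win32_DeviceGuard` CIM classes. It assumes an elevated PowerShell session; the check labels are chosen here, and the numeric values follow Microsoft's documentation of `Win32_DeviceGuard`.

```powershell
#Requires -RunAsAdministrator
# Added example: report the Secured-core features named above for the local PC.

# Win32_DeviceGuard exposes virtualization-based security (VBS) state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

# Confirm-SecureBootUEFI throws on legacy BIOS systems; treat any error as "not enabled".
$secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }

# Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
    -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpm20 = [bool]($tpm -and ($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')

# BitLocker state of the operating system volume only.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

$report = [ordered]@{
    # Root-of-trust requirements
    'Secure Boot enabled'              = $secureBoot
    'TPM 2.0 present'                  = $tpm20
    'DMA protection available'         = $dg.AvailableSecurityProperties -contains 3
    # Firmware-attack defenses
    'SMM mitigations available'        = $dg.AvailableSecurityProperties -contains 6
    'System Guard Secure Launch runs'  = $dg.SecurityServicesRunning -contains 3
    'SMM firmware measurement runs'    = $dg.SecurityServicesRunning -contains 4
    # OS-level protections
    'VBS enabled and running'          = $dg.VirtualizationBasedSecurityStatus -eq 2
    'HVCI (memory integrity) runs'     = $dg.SecurityServicesRunning -contains 2
    'BitLocker protects OS volume'     = $osVolume.ProtectionStatus -eq 'On'
}

# Print one row per check, then summarize what is missing.
$rows = $report.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
}
$rows | Format-Table -AutoSize

$failed = @($rows | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) {
    'All checked Secured-core features are active.'
} else {
    "Not active: $($failed.Check -join '; ')"
}
```

A feature reported as available but not running usually means the hardware supports it while policy or firmware settings leave it off.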

Microsoft VP Surface Development, Scott Fudally, gives four examples in the announcement:

  • Protecting against vendor vulnerabilities.
  • Streamlining security improvements -- Microsoft's control of firmware, drivers and the device helps it react faster to security issues and threats.
  • Enabling seamless and secure sign-in.
  • Managing hardware access -- IT admins can control and deactivate components at the firmware level.

Revenue of Microsoft's Surface division decreased by 22% in the last quarter according to the latest earnings call by the company. Revenue of all other divisions was up; even Windows revenue increased by 4%.

Windows and Surface head Panos Panay announced this quarter that he is leaving Microsoft. The reason for the departure is unclear. Panay is rumored to join Amazon's hardware division in the near future.

The focus on Secured-Core PCs for all Surface devices could give Microsoft's loss-making division a much needed boost. It remains to be seen how dedicated Microsoft will be in regards to Surface. New devices were announced last month, including a new Surface Laptop Go 3, a Surface Laptop Studio 2 for Business and a new Surface Go 4.



  1. Anonymous said on October 27, 2023 at 4:10 pm

    So, MS backed/controlled pluton is finally surfacing (no pun intended) in actual products.
    Apart from being baked into the last Ryzen generation for whatever nefarious misconception that made AMD agree to that.
    Maybe a mistaken effort to be “first movers” and getting a jump on Intel, while underestimating the demand for it. Like the gamble they took way way back to be the ones to define the 64bit extension to IA32. That actually worked because MS (and RAM and other vendors) were pressing hard to get 64 now now now on the widely used commodity/consumer platform that is the pc, instead of moving their customers to big iron that they can not afford.

    Meanwhile Intel has understandably been very reluctant to take pluton in, not wanting to have their hardware run the risk of being beholden to MS holding keys to important parts of the x86/x64 kingdom or dictating the future of PC hardware.
    They do NOT want anyone but themselves having the equivalent of M.E. access. MS may run the OS but Intel is not about to let themselves be dethroned at the CPU/mobo level without one hell of a fight.

    This AMD gamble on pluton will not really take off. MS may stick to pluton where they already partner with AMD and on their own devices such as ‘surface’ (vs chromebook), and use it on PC because the percentage is too big to lock out, but they will not ignore Intel’s offering when it arrives.
    Meanwhile, TPM2 will carry on.

    In everyone’s interest, pluton needs to fail, being too dangerous to let that OS-vendor control the design and keys. If they succeed, they’ll go for the throat to get the MS version of macs established as the only kind of PC – short of actual macs – whatever it takes, laws be damned, to replicate that profitable type of vertically integrated brand monopoly, making sure windows won’t run on anything else (and won’t run in a non-windows based VM, unless they are hosting it in their own cloud).
    The trick kinda works for apple, but the difference is that it is their own hardware and their own walled garden/prison, they do not have to worry about being leaned on by themselves. And they cater to a considerably wealthier segment.

    Not so in the windows/intel world, where no one wants to risk MS leaning on them.
    It is already plenty difficult to work with secure boot without professional help, even if you are lucky enough to have a bios that lets you type in new keys without some vendor-specific DMI tool to change them, that they (or MS) don’t want in the hands of the public. Pluton dials that into never never land. MS considers it theirs and by extension your whole pc, which can then be held hostage on a hardware/deep firmware level, not just OS level. And we know how they are about sharing.
    Nadella may not be as obvious as Ballmer or Gates, he just hides the corporate megalomania better, but MS is MS and it is still foolish to let them control such keys, you’ll constantly be one windows-delivered update away from it being locked down or having your system turned unbootable by any means, without having a master key to do anything about it.
    After all, it is about protecting the system from anything and anyone but themselves and their TLA partners. And it means excluding you, users and owners, from being in control.
