AMD and Microsoft Partner with Microsoft’s New Secured-core PC Initiative

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Oct 22, 2019.

  1. Hilbert Hagedoorn

    Hilbert Hagedoorn Don Vito Corleone Staff Member

    Messages:
    36,267
    Likes Received:
    5,302
    GPU:
    AMD | NVIDIA
  2. fantaskarsef

    fantaskarsef Ancient Guru

    Messages:
    10,893
    Likes Received:
    3,043
    GPU:
    2080Ti @h2o
    Isn't this kind of a PR stunt, or do those techs find their way into "normal" hardware too? I guess so? Since Intel's TPM is practically non existent in what you buy as a DIY builder.
    But I think it's good that AMD plays their cards, picking up on their "advantage" in terms of security vs Intel.
     
  3. toyo

    toyo Active Member

    Messages:
    90
    Likes Received:
    28
    GPU:
    Gigabyte 1070Ti 8G
    [​IMG]
    You can use most of those protections listed today, on a relatively modern PC, if you're willing to put up with some disadvantages.

    - Secure Boot and UEFI-only booting are available in quite a few modern platforms and easy to enable
    - TPM 2.0 can be available even without a TPM chip, for example with Intel PTT, takes one trip to the BIOS to enable it, and boom TPM
    - Bitlocker is easy to enable
    - VBS is available as well, turned on by enabling HyperV or other related features in Windows 10, like Sandbox or Windows Hypervisor Platform.
    - HVCI should take effect with VBS enabled and Defender's Core Isolation/Memory Integrity

    The last 2 in the image I am unsure about.

    I think the last 2 are enabled after you have a fully supported PC with Credential/Device Guard turned on and some other requirements, like TPM etc. Should also be available with the more recent PCs.

    The downsides are multiple. Bitlocker will decrease SSD speed some. VBS will have a negative impact on performance, not much but it's there. There are drivers that fail Memory Integrity checks and stop it from enabling. Steelseries comes to mind. Other drivers simply refuse to work in a VBS environment, or work partially. Older GPUs and components might have such issues. Some games won't start under VBS, but then again this is enterprise targeted, although it's nice to be more secure even at home.

    If they can fix the performance impact, which is a constant when HyperV is enabled (even without any VMs), and they can work up something to offload Bitlocker's operations fully to some other hardware than the CPU, I would use these features.
     
    Last edited: Oct 22, 2019
    fantaskarsef likes this.
  4. Kaarme

    Kaarme Ancient Guru

    Messages:
    1,667
    Likes Received:
    469
    GPU:
    Sapphire 390
    This is something Intel should study carefully. Maybe one day in the future they will qualify.
     

  5. toyo

    toyo Active Member

    Messages:
    90
    Likes Received:
    28
    GPU:
    Gigabyte 1070Ti 8G
    They already do, it has nothing to do Spectre and Meltdown, and Intel is mentioned by name as a partner.
    Here's the Intel press release.
    https://itpeernetwork.intel.com/fou...or-the-changing-security-landscape/#gs.b4gzm4
     
    fantaskarsef likes this.
  6. kakiharaFRS

    kakiharaFRS Member Guru

    Messages:
    182
    Likes Received:
    27
    GPU:
    MSI Gaming X 1080ti
    anyone else remember the secure-boot fiasco on win7 ? when a MS update broke your pc basically, unable to boot unless you disabled secure boot which made no problems before but suddenly was "unsupported" for a somewhat unrelated update that MS forced on everyone again and again and again (I had to hide it like 10x)
    funny thing, that was at the same time MS purposefully ruined win 7 patch after patch to make people switch to 10
     
    nick0323, schmidtbag and fantaskarsef like this.
  7. schmidtbag

    schmidtbag Ancient Guru

    Messages:
    4,491
    Likes Received:
    1,387
    GPU:
    HIS R9 290
    I am SO glad that I'm not stuck fixing people's PCs anymore because this is the kind of crap that made doing so a royal PITA. Windows 10 is getting more and more difficult to fix, but at the same time, it's also less and less prone to needing fixing.
    In some ways this sorta makes sense, because AMD put all these new instructions for the sake of firmware security, though I question how much such things will affect performance, let alone actually work.
     
  8. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,010
    Likes Received:
    777
    GPU:
    integrated
    I foresee a lot of revenue for them and lots of problems for average Joe.
    Security comes in layers, and you can't patch the user
    Oh wait, you can, with education Oh wait, that takes effort.
    Just whatever, just don't take the Linux boot possibility on the new hardware.
     
    sykozis and schmidtbag like this.
  9. TieSKey

    TieSKey Member Guru

    Messages:
    117
    Likes Received:
    25
    GPU:
    Gtx870m 3Gb
    Low level bios/firmware exploits were mostly introduced by the remote management crap and broken "secure boot" Amd and Intel put on their cpus and chipsets. Yes, it could be useful for an enterprise but they are completely useless for the home user.
    The old pcs where bios lvl firmware could only be touched by the updater in the mb rom (still shipped) reading from a (crappy) floppy disk were completely immune (unless the hackers had physical access to your system :S).
     
    anticupidon likes this.
  10. nick0323

    nick0323 Master Guru

    Messages:
    949
    Likes Received:
    30
    GPU:
    Palit GTX970 Jetstream OC
    Even happened on Windows Phone. I had two bricked phones as a result, ha!
     
    anticupidon likes this.

  11. sykozis

    sykozis Ancient Guru

    Messages:
    21,050
    Likes Received:
    668
    GPU:
    MSI RX5700
    This is already possible with the right SSDs....
     
  12. toyo

    toyo Active Member

    Messages:
    90
    Likes Received:
    28
    GPU:
    Gigabyte 1070Ti 8G
    You mean with SEDs? Self encrypting drives?

    Microsoft seems to deem so many of them unsafe that it now defaults to software, you'd have to manually change a policy to force hardware encryption. Also, I'm not 100% sure if there's no performance impact with that. I wanted to try it when I installed 1909 a few days ago on my 970 Evo Plus, but in the end for my use there's basically no advantages. I mean, I don't even have a password for Win10 since the PC is not used by anyone.
     
  13. AlmondMan

    AlmondMan Master Guru

    Messages:
    483
    Likes Received:
    37
    GPU:
    5700 XT Red Dragon
    It's good that AMD is getting in on this as it helps with the corporate market.
    Even if, working at big corporate, we use literally none of the things that HP have in their, I must say, impressive enterprise package apart from TPM, and v. 1.2 at that.
     
  14. asturur

    asturur Master Guru

    Messages:
    400
    Likes Received:
    92
    GPU:
    Geforce Gtx 1080TI
    I hope is not enabled by default. Those are the kind of feature that makes dual boot with linux a pain.
     
    anticupidon likes this.
  15. anticupidon

    anticupidon Ancient Guru

    Messages:
    4,010
    Likes Received:
    777
    GPU:
    integrated
    You will see, Linux either will be unable to boot on those platforms, or rather the Linux Foundation will justify the introduction of some Microsoft code into the Linux kernel, for the greater good.
    Remember, Microsoft loves Linux when they have a profit from that.
    And the irony is that for some computers, I had to disable the Secure Boot in order to start an Windows 10 USB, then re-enable it.
     

  16. toyo

    toyo Active Member

    Messages:
    90
    Likes Received:
    28
    GPU:
    Gigabyte 1070Ti 8G
    Probably won't happen. The idea is to enable all of these technologies that were somewhat of a pain to enable on normal PCs as a convenience for enterprise users that are not tech savvy and sell it as a new revolutionary feature.
    You should be able to turn most off, Secure Boot and the TPM could be problematic if the OEM is locking those parts of the BIOS, but other than that, once in Windows, you can disable anything related to HyperV to get rid of VBS and Core isolation/Memory Integrity in Defender.
    Interestingly enough, on my Z370 board which always had Secure Boot on, CSM disabled and UEFI only boot, I don't remember having many issues with booting other stuff, like Gparted, or Windows images "burned" to USB by Rufus, which should theoretically not work with Secure Boot. Yet they do. Didn't try to install Linux fully though.
     

Share This Page