Intel Hardware Shield isn’t new to vPro-badged chips but in this latest release it is being made mandatory. Hardware Shield provides protection against firmware-level attacks. It ensures that the operating system runs on legitimate hardware and unmodified firmware. And it also provides hardware-to-software security visibility, allowing organizations to enforce a more comprehensive security policy without requiring any additional infrastructure.
Intel’s General Manager and Vice President for business client platforms, Stephanie Hallford, said “We do a series of recommended and required specifications in order to be badged Intel vPro platform and with this round … we’re actually requiring that Intel hardware shield and the technologies under that are a requirement in order to get that badge.”
These two features are provided by dynamic root of trust for measurement (DRTM). Sometimes referred to as Secure Launch by Microsoft, DRTM launches the PC into a trusted state and transfers control from the processor directly to the Windows 10 hypervisor loader using a secured and measured handoff process.
Intel says that Hardware Shield reinforces virtualization-based security (VBS) to protect computers at runtime, including support for Secure Boot. Hardware Shield helps to minimize the risk of malicious code injection by locking down BIOS memory to stop malware infecting the operating system.
In 2019, Microsoft launched a new initiative called Secured-Core PCs. Devices must meet standards that follow isolation best practices and have minimal trust of firmware. Microsoft says that Secured-Core PCs are intended for industries whose workers handle intellectual property, customer or personal data, including Personally Identifiable Information (PII).
Windows Defender System Guard, which is built into Windows 10, enables Secured-Core PCs to provide organizations with assurances of OS integrity and verifiable measurements to help prevent firmware attacks. Secured-Core PCs come with VBS, hypervisor code integrity (HVCI), and DRTM enabled by default.
Most PCs, even if they have the necessary hardware to support VBS and HVCI, don’t come with these features enabled by default because they affect performance. Microsoft is working to improve performance, however, and hopes that VBS and HVCI can be enabled out-of-the-box on more devices in the future.
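To check whether a given Windows 10 machine actually has VBS, HVCI and Secure Launch running rather than merely supported, the following PowerShell is an added example, not code from Intel, Microsoft or this article. It reads the Win32_DeviceGuard CIM class; the function name Get-SecuredCoreStatus and the output field names are hypothetical.

```powershell
# Added example: audit VBS, HVCI and Secure Launch (DRTM) state on Windows 10.
# Get-SecuredCoreStatus and its output field names are hypothetical.
function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    $query = @{
        Namespace   = 'root\Microsoft\Windows\DeviceGuard'
        ClassName   = 'Win32_DeviceGuard'
        ErrorAction = 'Stop'
    }
    $dg = Get-CimInstance @query

    # Value maps from Microsoft's Win32_DeviceGuard documentation.
    $vbsState = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $services = @{ 2 = 'HVCI'; 3 = 'Secure Launch (DRTM)' }

    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot.
    # True here with Running = False below is the "capable but not enabled" case.
    $hwAvailable = ($dg.AvailableSecurityProperties -contains 1) -and
                   ($dg.AvailableSecurityProperties -contains 2)

    # Cast to int so the UInt32 property matches the Int32 hashtable keys.
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{
        Feature              = 'VBS'
        Configured           = ($vbs -ge 1)
        Running              = ($vbs -eq 2)
        State                = $vbsState[$vbs]
        VbsHardwareAvailable = $hwAvailable
    }

    foreach ($id in ($services.Keys | Sort-Object)) {
        $running = $dg.SecurityServicesRunning -contains $id
        [pscustomobject]@{
            Feature              = $services[$id]
            Configured           = $dg.SecurityServicesConfigured -contains $id
            Running              = $running
            State                = if ($running) { 'Running' } else { 'Not running' }
            VbsHardwareAvailable = $hwAvailable
        }
    }
}

Get-SecuredCoreStatus | Format-Table -AutoSize
```

A row with Configured true but Running false usually means the setting was applied by policy but a prerequisite is missing or a reboot is pending.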
For more information on Secured-Core PCs, see Microsoft Secured-Core PCs to Protect Financial Services, Government, and Healthcare on Petri.
According to ZDNet’s Chris Duckett, Intel’s advanced threat protection offloads many non-critical processes to the GPU, freeing up the CPU for mission-critical system operations and investigations. The idea is that during an attack, the performance of the PC isn’t significantly reduced.
The new processor lineup includes three 10-core, 20-thread i9 desktop CPUs with 20MB cache. Additionally, there are three i7 and five i5 Core CPUs. Seven Xeon processors with ten, eight, or six cores with the same cache size as the Core processors are also available.
For mobile devices, i9, i7, and i5 H series Core chips have four to eight cores with eight to sixteen MB caches. There are also two Xeon processors available. For the U-series, there are two i7 CPUs and one i5.
Intel’s move to make Hardware Shield mandatory for its latest batch of 10th-generation vPro CPUs is designed to address the security needs of an increasingly remote workforce. The chips also get integrated Wi-Fi 6 (Gig+) connectivity, providing up to 9.6 Gbps network throughput and capacity for 4 times more devices than 802.11ac.
The increase in employees working from home during the Covid-19 pandemic has seen criminals target remote workers. Because Intel vPro CPUs provide the latest security and performance enhancements, the chips should result in a more reliable and performant experience for remote workers while making sure that they are better secured.