Update how-hardware-based-root-of-trust-helps-protect-windows.md

to fix Acrolinx score
Lovina Saldanha 2021-11-05 12:26:57 +05:30
parent b7dda4a560
commit 2a25b5f8ba


@ -1,6 +1,6 @@
--- ---
title: How a Windows Defender System Guard helps protect Windows 10 title: How a Windows Defender System Guard helps protect Windows 10
description: Windows Defender System Guard re-organizes the existing Windows 10 system integrity features under one roof. Learn how it works. description: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof. Learn how it works.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
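Review bot: the title line in this hunk still reads "How a Windows Defender System Guard helps protect Windows 10"; the article "a" before the product name is a stray word, and since this pass already touches the front matter it could be dropped here ("How Windows Defender System Guard helps protect Windows 10"). The `ms.reviewer:` field is also left empty; confirm that is intended rather than a missing value.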
@ -21,7 +21,7 @@ ms.technology: windows-sec
To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard re-organizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
- Protect and maintain the integrity of the system as it starts up - Protect and maintain the integrity of the system as it starts up
- Validate that system integrity has truly been maintained through local and remote attestation - Validate that system integrity has truly been maintained through local and remote attestation
@ -38,7 +38,7 @@ This hardware-based root of trust comes from the devices Secure Boot feature,
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list). Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
Each option has a drawback: Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust. - A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
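Review bot: the second sentence of the "known 'bad'" bullet does not follow from the first: an attacker flipping one bit to produce a hash that is not on the blocklist is an evasion problem, whereas "a minor change can invalidate the entire chain of trust" describes the fragility of a known-'good' allowlist (any benign firmware change fails the match). Consider moving that sentence to the allowlist bullet or rewording it as "a minor change lets a component evade the list", so each bullet states its own drawback. Unchanged context in the same hunk also carries style issues the Acrolinx pass could pick up: "the devices Secure Boot feature" is missing its apostrophe ("the device's"), "there becomes an incredibly large number" reads awkwardly ("this produces a very large number"), "just 1 bit" would normally be spelled out as "one bit", and "either maintain a list ... or a list" lacks a verb in its second branch ("or maintain a list").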