From 726038c9c4a970f19e9f4bd47d9583164c0d941d Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 12:38:12 -0800 Subject: [PATCH] copyedits --- windows/keep-secure/credential-guard.md | 2 +- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 0a07dfca35..766a49ddda 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -130,7 +130,7 @@ The following tables provide more information about the hardware, firmware, and | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
- UEFI runtime service musty meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
- This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
- This protection is applied by VBS on OS page tables.


Please also note the following:
- Do not use sections that are both writeable and exceutable
- Do not attempt to directly modify xceutable system memory
- Do not use dynamic code

**Security benefits**:
- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
- UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
- This only applies to UEFI runtime service memory, and not UEFI boot service memory.
- This protection is applied by VBS on OS page tables.


Please also note the following:
- Do not use sections that are both writeable and exceutable
- Do not attempt to directly modify executable system memory
- Do not use dynamic code

**Security benefits**:
- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | ## Manage Credential Guard diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 8a2a5ff86c..9320fcb6d1 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -86,7 +86,7 @@ The following tables describes additional hardware and firmware requirements, an | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
- UEFI runtime service musty meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
- This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
- This protection is applied by VBS on OS page tables.


Please also note the following:
- Do not use sections that are both writeable and exceutable
- Do not attempt to directly modify xceutable system memory
- Do not use dynamic code

**Security benefits**:
- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
- UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
- This only applies to UEFI runtime service memory, and not UEFI boot service memory.
- This protection is applied by VBS on OS page tables.


Please also note the following:
- Do not use sections that are both writeable and exceutable
- Do not attempt to directly modify executable system memory
- Do not use dynamic code

**Security benefits**:
- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

**Security benefits**:
- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices