Since Microsoft has announced the new version of Windows, Windows 11, which has more onerous CPU requirements than its predecessors, there has been significant outcry. These changes shut out a significant number of machines already in use from receiving this update. There has been outcry over the requirements, mainly focusing on Trusted Platform Management. Microsoft has not been very clear either. The baseline CPU support for Windows 11 is an 8th generation Intel Core or AMD Zen 2 processor. These are machines that were released in late 2018 (Intel) and mid-2019 (AMD).
What is clear now, after doing some research, is that between the 7th and 8th generation of Intel Core architectures and Ryzen Zen/Zen+ and Zen 2 architectures is that both included significant hardware security enhancements due to Meltdown, Spectre, and other issues discovered by security researchers. These discoveries came about during the release cycle of Windows 10. Microsoft was not able to address the changes needed to implement the needed security changes without breaking backward compatibility.
This would have been a very bad business decision to do this while an operating system was current. Moving the version number to 11 allows Microsoft to make a break from hardware that does not have mitigations for critical security vulnerabilities. It also allows them to implement many of the security enhancements both Intel and AMD have made without breaking legacy environments.
The purpose of today’s article is to explain what changes Intel and Advanced Micro Devices (AMD) made between their 7th and 8th generation Intel Core, and AMD Zen/Zen+ and Zen 2 processors. In the case of Intel, and in some cases AMD, we’ll discuss the significant security changes made for both virtualization and Spectre/Meltdown. For AMD, we’ll look at the CTS Labs vulnerabilities discovered in the first Ryzen 1000 series chips and their Spectre changes. Afterward, we’ll discuss what organizations can do to mitigate the effect of Windows 11 in their environment using newer technologies.
Our goals today are to give concrete reasons why Microsoft would choose to make this decision given past security events, demonstrate that it is not arbitrary, and give the people responsible for their architectures the tools they need to make decisions that will protect their customers’ information.
Google Project Zero, Meltdown, and Spectre
On January 3, 2018, Jann Horn, from Google Project Zero, published the blog post Reading privileged memory with a side channel. This disclosed how the Google Project Zero team was able to abuse CPU data cache timing to bypass security boundaries to leak information. They were able to do this on AMD, ARM, and Intel processors. They reported this issue to them on 6/1/2017. These are hardware issues in the CPUs themselves that have inherent security flaws.
Variant 1 is a bounds check bypass, meaning that they were able to demonstrate arbitrarily reading memory from a 4GiB memory range. Variant 2 allows host kernel memory to be read at a rate of 1500 bytes a second, even from different security contexts. That means that even highly protected information on a machine can be read. Variant 3 abuses the speculative execution features of Intel processors to read kernel memory from unprivileged processes. Anders Fogh’s article, Negative Result: Reading Kernel Memory From User Mode, discusses how this is possible and is directly referenced by in the Google article.
Intel
This was further reinforced by a blog posting from former Intel CEO, Brian Krzanich, on March 15, 2018, Advancing Security at the Silicon Level. This article specifically discussed Project Zero’s research and the three variants. While Variant 1 could be addressed via software fixes, Variants 2 and 3 required redesigning of the processor at the hardware level. The chips that introduced those fixes were the 8th Generation Core family, according to his post.
Intel also made significant security enhancements to the 8th generation of Core processors. According to the 8th and 9th Generation Intel Core Processor Families Datasheet, Volume 1 of 2, Intel made eleven significant security enhancements to existing technologies, in addition to providing hardware fixes for Spectre and Meltdown. These included Trusted Execution Technology (Intel TXT), which provides platform-level enhancements for providing building blocks for building trusted platforms, and Intel Advanced Encryption Standard New Instructions (AES-NI), which provides a hardware-based implementation of the Advanced Encryption Standard (AES), which is the currently supported encryption standard from the National Institute for Standards and Technology (NIST), according to the NIST web page Block Cipher Techniques. The use of encryption requires an improved Random Number Generator, which was introduced with Intel Secure Key technology in this generation. Intel also introduced Boot Guard Technology to further protect unauthorized booting of malicious code. They also introduced several types of protection against malicious code, including Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Protection (SMAP), Intel Memory Protection Extensions (Intel MPX), Intel Software Guard Exceptions (Intel SGX), and security enhancements to their Virtualization Technology.
The effects of the bug fixes for Spectre and Meltdown and the eleven enhancements from Intel in that generation of Core processors provides an excellent baseline for people to build a secure platform on top of. These enhancements were introduced after Windows 10 was released. It would have been a very bad decision for Microsoft to introduce support for changes made in the middle of a released operating system’s lifecycle and remove support for devices used by most users. The move to Windows 11 allowed them to do so.
AMD
AMD, on the other hand, also designed many of these features into their chips, and also has full memory encryption, according to their publication AMD Pro Security. Intel still does not have this. They have a dedicated hardware security processor, and support Intel’s AES-NI encryption. They also have their own versions of Virtualization security and Secure Boot that Microsoft supports on the chip.
However, the first generations of the Zen architecture, which include the Ryzen 1000 and 2000 series, also are vulnerable to Spectre at the hardware level. According to Ian Cutress of Anandtech, in his article AMD Zen 2 Microarchitecture Analysis: Ryzen 3000 and EPYC Rome, AMD incorporated mitigations for the Spectre v4 vulnerability at the hardware level.
AMD also had to address numerous vulnerabilities in the Zen architecture discovered by CTS-Labs. On March 13, 2018, Ian Cutress of Anandtech published the article Security Researchers Publish Ryzen Flaws, Give AMD 24 hours Prior Notice. Their report, Several Security Advisory on AMD Processors, discussed sixteen critical vulnerabilities in the first generation of AMD Zen architecture processors. This was given to AMD with 24 hours’ notice, as opposed to Google, who published their research six months after notifying Intel, AMD, and ARM.
The Zen 2 processors were released, according to Wikichip, in June 2019. This means that the original Zen and Zen+ chips had vulnerabilities at the hardware level that would have made it impossible to build a trusted security platform on top of. Again, it would have been a very bad business decision to cut support for Windows 10 on that hardware in the middle of a product release cycle.
What can we do about this?
If you have 8th generation Intel Core-based or Ryzen 3000 or greater systems in your environment, you can likely run Windows 11 on them if you meet the other requirements Microsoft has laid out. However, many organizations will not be able to.
Our recommendations include leveraging Virtual Desktop Infrastructure running on newer servers that have the newer CPU technologies on the back end, or in one of the cloud-based Virtual Desktop services provided by Microsoft Azure, Google, or Amazon, to present the desktop environment running Windows 11. We also recommend migrating on-premises workloads to servers running on newer Intel or AMD processors. If you have Cloud or hosted workloads, please check with your service provider to make sure you are not running them on vulnerable CPUs.
For your legacy applications, we recommend upgrading them to the latest versions that can run on Windows 11 or Windows Server 2022. If you cannot do this, migrate to applications that can. You are putting your customers and patients’ personal information at risk if you do not at the software and hardware level.
For your Electronic Medical Records platform, please work with your EMR vendor of choice on a migration plan to get on-premises hardware to a newer platform and Windows 11/Server 2022 on Virtual Desktop Infrastructure and Application Delivery.
These methods will allow you to process your critical data leveraging the security features of Windows 11 while still using your existing hardware to present the applications to your team members. The plan still needs to be to support existing hardware under Windows 10 or Linux, and to migrate off of it when feasible.
Conclusion
Microsoft, Intel, and AMD were in a very tough place in 2018. Numerous security vulnerabilities were announced at the hardware level. Both Intel and AMD had to put hardware fixes in place for numerous issues. Microsoft was in the position of having to support a current operating system and put software fixes in place despite them. This put all three in a very untenable position of attempting to provide a high degree of security to customers despite hardware flaws preventing the implementation of a more trusted platform. Windows 11 allows them to address this situation by only supporting platforms that have mitigations for Spectre, Meltdown, their variants, and the CTS-Labs vulnerabilities. It also allows them to fully support the new security features introduced by Intel in the 8th generation Core processors, and by AMD in the Zen series.
However, by taking some steps to centralize core processing on these newer platforms and operating systems, we can take a good first step to protect the information of those we care about. We can also leverage the security features of these newer hardware platforms and Windows 11 in a more financially feasible way.
