Microsoft has announced a range of Secured-core PCs, devices that combine several security technologies to block attacks at the firmware level rather than relying on software-based defences alone. The company says that, as software-based protection has been built into operating systems and connected services, attackers have shifted toward the firmware, with the number of firmware vulnerabilities spiking from just 6 in 2016 to over 400 in 2017, which is what makes this step necessary.
Secured-core PCs are built in conjunction with Microsoft partners, both PC and silicon manufacturers, and they "meet a specific set of device requirements that apply the security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system". The devices are aimed at organizations that handle highly sensitive information, such as those that offer financial services, government institutions, and so on.
These protections rest on a new hardware capability called Dynamic Root of Trust for Measurement (DRTM), which is present in recent hardware from Intel, AMD, and Qualcomm, so the additional layer of protection should be available regardless of your choice of processor. Building on DRTM, Secured-core PCs use System Guard Secure Launch as a core feature to prevent firmware attacks during the boot process. Other technologies, such as Virtualization-based Security (VBS), Hypervisor-protected Code Integrity (HVCI), and the Trusted Platform Module (TPM) 2.0, extend that protection to the running OS.
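The practical question for an administrator is whether a given machine actually has these building blocks switched on, not just whether the hardware supports them. The following PowerShell audit script is an added example and is not code from the article or from Microsoft; it reads the documented `Win32_DeviceGuard` WMI class (whose status codes are published by Microsoft), the `Win32_Tpm` class, and the `Confirm-SecureBootUEFI` cmdlet, and reports which of the Secured-core components named above are running. It assumes it is run in an elevated PowerShell session on a Windows 10 or 11 device; the `$baselineMet` roll-up at the end is this example's own summary rule, not a Microsoft certification check.

```powershell
# Added example: audit one Windows device for the Secured-core building blocks
# named in the article (VBS, HVCI, System Guard Secure Launch, TPM 2.0, Secure Boot).
# Assumption: run elevated, locally, on Windows 10/11. Read-only; changes nothing.

$dgNamespace = 'root\Microsoft\Windows\DeviceGuard'
$dg = Get-CimInstance -Namespace $dgNamespace -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# Documented VirtualizationBasedSecurityStatus values:
#   0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# Documented SecurityServicesConfigured / SecurityServicesRunning codes:
#   1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch,
#   4 = SMM Firmware Measurement
$configured = @($dg.SecurityServicesConfigured)
$running    = @($dg.SecurityServicesRunning)

$hvciRunning         = $running -contains 2
$secureLaunchRunning = $running -contains 3
$smmMeasurement      = $running -contains 4

# A service that is configured but not running usually points at a firmware or
# hardware prerequisite that is missing (DRTM support, IOMMU, VBS itself).
$configuredNotRunning = $configured | Where-Object { $running -notcontains $_ }

# TPM: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38".
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
$tpm20 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $secureBoot = $false }

# Example's own roll-up rule: every component the article lists must be running.
$baselineMet = $vbsRunning -and $hvciRunning -and $secureLaunchRunning -and $tpm20 -and $secureBoot

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    SecureBoot              = $secureBoot
    Tpm20Present            = $tpm20
    VbsRunning              = $vbsRunning
    HvciRunning             = $hvciRunning
    SystemGuardSecureLaunch = $secureLaunchRunning
    SmmFirmwareMeasurement  = $smmMeasurement
    ConfiguredButNotRunning = ($configuredNotRunning -join ',')
    SecuredCoreBaselineMet  = $baselineMet
}
```

Run it across a fleet with `Invoke-Command` and pipe the objects to `Export-Csv`; devices where `ConfiguredButNotRunning` is non-empty are the ones worth investigating first, since the policy is in place but a firmware or hardware prerequisite is blocking it.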
Secured-core PCs are now available from a variety of hardware manufacturers, and you can find them here. These include the new Surface Pro X for Business, which is the only Qualcomm-based device on the list for now.