Tom clears the air about the Pluton Security Processor, Microsoft’s successor of the Trusted Platform Module.
Featuring Tom Merritt.
Please SUBSCRIBE HERE.
A special thanks to all our supporters–without you, none of this would be possible.
Thanks to Kevin MacLeod of Incompetech.com for the theme music.
Thanks to Garrett Weinzierl for the logo!
Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit
Send us email to [email protected]
Transcript:
I heard there’s a new security chip called Pluton
I just got a TPM now I need to get a Pluton?
But I’m told I CAN’T get a Pluton because it’s already in the CPU.
Confused?
Don’t be
Let’s help you Know a little more about Microsoft’s Pluton Security Processor
We have an episode of Know A Little More about the Trusted Platform Module or TPM which is a kind of a hardware vault for passwords and encryption keys. It is a chip that is designed to store information for authentication and attestation. Apple has a similar module called the T2 in its M-series chips. The TPM was in the news when Windows 11 launched because Windows 11 required a TPM.
But the TPM has a successor.
Microsoft’s Pluton Security Processor was developed in cooperation with AMD, Intel and Qualcomm. Pluton is based on how Microsoft protects the Xbox consoles. Microsoft is working with all the major chipmakers, Intel, AMD, Qualcomm, etc. to combine Pluton into CPUs.
Microsoft developed an integrated security chip in partnership with AMD for its Xbox CPU back in 2013. Back then they did it for DRM, to stop you from cracking Xbox games and it has proved pretty resilient. They then developed it for Azure Sphere devices. (Azure Sphere is Microsoft’s IoT security system that includes a system on a chip with Azure Sphere OS and cloud monitoring) Microsoft announced Pluton for PCs in November 2020. (side note, Microsoft says it won’t use Pluton for DRM but there’s nothing stopping others from it since it is a security chip after all)
Qualcomm first announced support for Pluton in the Snapdragon 8cx Gen 3 SoC and AMD announced support for it in the Ryzen 6000 series and Intel is working on it as well.
At CES 2022 Lenovo announced the first Thinkpads (Z13 and Z16) with Pluton, thanks to the Ryzen 6000 series. Asus Dell and HP also announced laptop models with Pluton chips in them at CES 2022.
Microsoft says that the Pluton chip can not only defend against current attack vectors, including physical access as well as side channel attacks like Spectre and Meltdown but also protect against future attacks.
We’ll refer you to the TPM episode for full details about how a security module can guard security keys in a Secure Enclave without ever releasing them but here’s one of the most important parts.
A TPM has a unique RSA Key burned into itself. That lets it create new keys with an almost impossible to detect private key and one that is pretty much as close to impossible to change as one could imagine.
Even the keys made using the burned-in keys can be kept inside the TPM and never leave. Requests for authorization are computed within the TPM meaning phishing can’t retrieve the key because it can’t be copied without the TPM.
However, Trusted Platform Modules are separated from CPUs and so physical attacks have focused on intercepting data as it flows between the two, usually in a bus interface.
These are not easy attacks but they can be done. The attacker needs in person access to the machine and time and skills to solder leads to the TPM chip in order to sniff data in the bus.
To avoid this kind of attack, Pluton is baked directly into the CPU’s silicon, significantly reducing the attack surface. There aren’t any pins to solder your leads into. Pluton is integrated into the CPU die. There is no bus to attack. Any conceivable attempt to get to the channel between Pluton and the cores should destroy the chip.
While Pluton is integrated into the CPU it is isolated from the rest of the system so it is not vulnerable to speculative execution attacks like SPECTRE. The keys never leave the Pluton security boundary.
Pluton uses Secure Hardware Cryptography Key or SHACK which separates the keys from everything, including Pluton’s own firmware.
Some of you may wonder if Pluton means you need all new software and it does not need to mean that.
Since Pluton can emulate a TPM, Microsoft provides the same APIs as the TPM, so Pluton is backward compatible with TPM-dependent software like BitLocker and Windows Hello. Pluton can protect credentials, user IDs, encryption keys and other personal data. The data cannot be removed from Pluton only verified.
Pluton can provide a secure identity for the CPU itself that complements security platforms including the Open Compute Project’s Project Cerberus to enable root-of-trust and firmware authentication.
And Pluton firmware is updated through Windows Update so new features can roll out to older devices and emerging threats can be mitigated faster. If you hear Microsoft refer to “chip-to cloud” security, that’s what they mean. On the positive side, more chips are more likely to stay up to date and security vulnerabilities to remain unpatched for shorter amounts of time. On the negative side for some people, you rely on Microsoft for all of that.
And of course this doesn’t prevent all manner of physical access attacks, just the ones aimed at the TPM bus.
But another advantage to having the chip on the PC die is that you don’t have to shop for a motherboard that includes a TPM module. CPUs will just come with Pluton. Though really what that means is you’ll have to shop for a CPU with Pluton, since not all CPUs have it.
Also, keep in mind that the Pluton part of a CPU can be shipped turned off. Lenovo shipped its first ThinkPads with Pluton turned off. So just because Pluton is in your CPU doesn’t mean it’s active. You may need to enable it yourself. Lenovo says they did this because enterprise customers wanted to test it before it was turned on for their workforce.
Oh and Linux users, Linux support is promised and Microsoft uses Linux with Pluton in Azure Sphere devices so it’s a matter of when not if.
So now when you see those stories and ads touting a laptop with Pluton, you’ll have a much better idea what that means.
In other words I hope now you know a little more about the Microsoft Pluton Security Processor.