Modern security has been described as a “layered approach” involving a combination of security technologies. However, with supply chain attacks and other sophisticated cyberattacks, security is no longer just a “software” problem. Hardware is also part of the equation and requires sophisticated protections built into the hardware layer to help defend systems from compromise. Microsoft Pluton is a new hardware security chip from Microsoft that sets out to evolve hardware security chips from where we are today with TPM 2.0. However, it has met with some challenges.
What is Trusted Platform Module (TPM)?
To understand the challenges that Microsoft is trying to solve with the introduction of Microsoft Pluton, we need first to understand where we are today with the Trusted Platform Module (TPM) chip. Trusted Platform Module (TPM) is a hardware security technology providing secure storage and crypto-processor to carry out security functions. The TPM chip carries out cryptographic operations, and it also has physical hardware security mechanisms that help to protect it from tampering. However, these are not always foolproof, as we will see.
TPMs provide the advantages listed:
- They can generate, store, and provide access to requestors of
- They have a unique RSA key providing device authentication
- They take and store security measurements
- Certificates can be installed or created on computers that are using the TPM
TPM devices are most commonly used for system integrity checks and for creating and storing cryptographic keys. In addition, many underlying technologies rely on the TPM device to provide these gold-standard measurements of system integrity, and it is also used by technologies such as BitLocker. Antimalware software can use the integrity measurements taken by the TPM device to prove the integrity of a computer running Windows 10 or 11.
Most modern PCs already have a TPM chip installed that can offer all the security benefits of TPM modules. However, you can also retrofit older PCs with TPM modules that can be purchased online.
Depending on the motherboard capabilities, TPM chips can be added to older PCs
For end-users, using the TPM device is transparent to using Windows. Starting with Windows 10 and 11, the OS initializes and takes ownership of the TPM device. In addition, you can view the details of your TPM processor security device in the Windows Security > Security Processor Details screen.
Viewing security processor details in Windows Security.
IT admins can manage certain features of the TPM security processor using Group Policy.
- The Group Policy settings for TPM services are located at: Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\
- You can read more about the TPM controls offered by Group Policy here:
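The inventory steps above (Security Processor Details, Group Policy for TPM services) can be scripted. The following PowerShell is an added example, not from the original article: it uses the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class, and it assumes that a Pluton-backed TPM reports the manufacturer ID "MSFT" and that configured TPM Group Policy lands under HKLM:\SOFTWARE\Policies\Microsoft\TPM (both labelled as assumptions in the code).

```powershell
#Requires -RunAsAdministrator
# Summarise the platform's security processor: presence, spec family,
# vendor hint (discrete TPM, firmware TPM or Pluton) and whether TPM policy is set.
function Get-SecurityProcessorSummary {
    [CmdletBinding()]
    param()

    # Get-Tpm ships with the TrustedPlatformModule module on Windows 10/11
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family
    $specFamily = if ($wmi -and $wmi.SpecVersion) { (([string]$wmi.SpecVersion) -split ',')[0].Trim() } else { 'n/a' }

    # Cast through [string] so a missing TPM (null ManufacturerIdTxt) does not throw
    $mfr = ([string]$tpm.ManufacturerIdTxt).Trim()

    # Assumed mapping of manufacturer IDs to implementation type; not an authoritative list
    $vendorHint = switch ($mfr) {
        'MSFT'  { 'Microsoft (Pluton or Microsoft firmware TPM)' }
        'INTC'  { 'Intel (firmware TPM / PTT)' }
        'AMD'   { 'AMD (firmware TPM)' }
        ''      { 'No TPM reported' }
        default { "Discrete/other vendor ($mfr)" }
    }

    # Assumption: TPM Group Policy values are written under this key when configured
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $policyConfigured = (Test-Path $policyKey) -and ((Get-Item $policyKey).Property.Count -gt 0)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not UEFI"
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        SpecFamily       = $specFamily
        ManufacturerId   = $mfr
        VendorHint       = $vendorHint
        FirmwareVersion  = $tpm.ManufacturerVersion
        LockedOut        = $tpm.LockedOut
        PolicyConfigured = $policyConfigured
        SecureBoot       = $secureBoot
        # Windows 11 requires a present TPM of the 2.0 family
        Windows11TpmReady = ($tpm.TpmPresent -and $specFamily -eq '2.0')
    }
}

Get-SecurityProcessorSummary | Format-List
```

Run it in an elevated PowerShell session; the same fields are what the Windows Security > Security Processor Details screen shows, but in a form that can be collected across a fleet.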
What is Microsoft Pluton?
Microsoft Pluton is a dedicated hardware security chip built into the central processing unit (CPU). Like TPM (Trusted Platform Module) chips, it can store protected data in an isolated way, helping to protect the sensitive data and cryptographic material it contains from compromise.
The Microsoft Pluton chip can act as a TPM device. TPM devices are becoming a crucial required component, as modern operating systems such as Microsoft Windows 11 require one to run. In addition, other current Microsoft technologies, such as Windows Hello and BitLocker encryption, rely on the TPM to store encryption keys. However, while TPM is a step in the right direction, it is still possible to compromise TPM-enabled devices.
Since CPUs need to communicate with the TPM, this is generally handled via a standard bus interface between the CPU and TPM. However, this very communication channel can potentially expose sensitive information exchanged between the CPU and TPM device to the outside world. For example, one of these vulnerabilities has recently been documented in CVE-2020-0526. In this vulnerability, an attacker can potentially exploit the device sleep state to bypass full-disk encryption.
Microsoft has architected Microsoft Pluton to be built directly into the CPU, effectively eliminating the external communication channel that current TPM chips need. The CPU can then emulate the capabilities of current TPM technologies, providing the same specs and APIs used today. Sensitive data such as encryption keys are stored directly on the Pluton processor, which, like a TPM, provides an isolated area for sensitive information storage. On top of the secure storage area, Microsoft uses a Secure Hardware Cryptography Key (SHACK) technology to encrypt the data in Pluton.
Microsoft Pluton security chip on modern CPUs
In addition to the architectural advantages provided by Microsoft Pluton from a hardware perspective, it also helps to solve some of the challenges with firmware upgrades. With Pluton, Microsoft provides releases and updates to Pluton firmware as part of regular lifecycle updates with Windows, helping to keep the processor updated with the latest security updates and other upgrades.
Is Microsoft Pluton a new chip?
Surprisingly, no. Microsoft Pluton has actually been around in technology terms for ages now, since 2013! Microsoft Pluton was a chip included in the Xbox One gaming console. The purpose of the chip at that point was to prevent attackers or even “enthusiasts” from hacking Xbox One consoles and running pirated games. Pluton was then used in the Azure Sphere service.
What is Azure Sphere?
Azure Sphere is a secure application platform for Internet-of-Things (IoT) vendors, combining Azure Sphere OS and Azure-based cloud security services. The MT3620 is the first Azure Sphere chip that contains the Microsoft Pluton security subsystem with a dedicated ARM processor.
Are there systems with Pluton available today?
At the CES 2022 show, Microsoft announced that Lenovo and AMD would be launching laptops featuring the new security processor.
Featuring Hyper-secure chip-to-cloud technology with Microsoft Pluton
Challenges to adoption
However, despite the advantages proposed by Microsoft of the Pluton security chip platform, it has received a less than warm welcome across the industry. Even though Lenovo has configured offerings with the Pluton chip, as linked above, they, along with Dell, have decided against using Microsoft Pluton in many of their PC offerings, opting instead for the better-known Intel vPro technology.
Dell, quoted by the Register, mentioned the following regarding Microsoft Pluton:
“Pluton does not align with Dell’s approach to hardware security and our most secure commercial PC requirements…as with all new technologies, we will continue to evaluate Pluton to see how it compares against existing TPM implementations in the future.”
Microsoft has some pretty large barriers to entry to break down before Pluton becomes a household name in the PC industry. Quite simply, better-known players and established technologies exist in this space. Some have also feared that in the same way Microsoft can control software installed on Xbox, Microsoft would have the same level of control over PCs. Whatever the case, time will tell to see if Microsoft can make headway in its aim to use Pluton as the next evolution of TPM technology. However, it is looking like things may be off to a rocky start with many vendors.
Microsoft Pluton FAQs
- What is Trusted Platform Module (TPM)? Trusted Platform Module TPM devices are special security chips that perform specialized security operations such as generating and storing cryptographic keys. Other security capabilities rely on TPM, such as BitLocker. In addition, TPM chips can take security measurements on boot up to ensure the integrity of modern Windows systems.
- What is Microsoft Pluton? Microsoft Pluton is a security processor from Microsoft that sets out to eliminate the potential for physical eavesdropping or tampering due to the bus communication between the CPU and the Pluton chip that exists with TPM chips. Since Pluton is built directly into the CPU, no bus communication happens between the two. Instead, they directly communicate, eliminating the possibility of eavesdropping on this communication.
- What can TPM and Pluton do to bolster security? First, both technologies add a physical layer of security to modern systems, providing an isolated environment for sensitive information to be generated and stored.
- What PCs have Microsoft Pluton in them today? The Lenovo ThinkPad Z13 and Z16 have the Microsoft Pluton security processor. However, major PC vendors, such as Dell, have been reluctant to include the new Microsoft Pluton chip in new PCs. Instead, they have opted for the Intel vPro solution.
The new Microsoft Pluton security chip holds out the promise of helping to move physical device security forward. It also helps to provide consistent and frequent firmware updates to the Pluton processor as part of the routine Windows Updates delivered to endpoints. However, even though the chip holds promise and many advantages over current TPM technologies, there are certainly roadblocks to its use. Most major PC vendors are more comfortable and familiar with existing TPM technologies and continue to use these in new PCs. Time will tell if the Pluton platform will gain traction in the industry or if competing TPM designs will offer vendors a more familiar and compelling solution.
Learn more about Microsoft Pluton here: