MICROSOFT INTRODUCED the Pluton crypto-processor three years ago with the promise of providing a more secure PC. The technology stores sensitive information such as encryption keys, user credentials, and biometrics directly into the CPU, making it hard to steal this type of data.
Pluton is the result of a collaboration between Microsoft and chipmakers AMD, Qualcomm, and Intel. However, Intel decided not to support Pluton with its 12th generation of PC microprocessors, code-named Alder Lake. Dell Technologies doesn’t use it on its laptops. And though Lenovo ThinkPads carry Pluton, the processor is disabled by default.
“It is being only offered on AMD and Qualcomm platforms. Intel hasn’t embraced it, and they remain the dominant PC vendor,” says Rob Enderle, president and principal analyst of Enderle Group. “Anyone fielding Intel hardware isn’t supporting it on that hardware.”
Microsoft pioneered the Pluton technology in 2013 with the Xbox gaming platform, and later integrated it into Azure Sphere. In PCs, Pluton stores sensitive information in the CPU. Then, it further isolates those PC “secrets” from other components such as the firmware and the CPU itself, says Matt Soseman, CTO and co-founder of IT consultancy The Partner Masters.
“Given the sophistication of today’s threat landscape and increasing attack surface, Pluton increases the cost, time, and complexity for a threat actor to compromise secrets stored on the chip,” Soseman says. Traditionally, the secrets would reside in a Trusted Platform Module (TPM) chip, separate from the CPU.
Better than TPM?
Despite Intel’s position on Pluton, Enderle says the processor appears to work as promised. He calls it an “enhanced TPM.”
Dave Seibert, CIO at Irvine, Calif.-based IT Innovators, views Pluton as an improvement over TPM. Since TPM is separate from the main processor, it increases the chance of hacking because “it relies on the bus interface to communicate back and forth,” he says. Pluton, on the other hand, eliminates the possibility of interception because the information doesn’t have to be transmitted along the hardware bus interface.
The communication between TMP and the CPU introduces a “man in the middle” vulnerability, says Soseman “Recent history has shown threat actors have evolved their techniques, tactics, and procedures. This vulnerability could be exploited, where the TPM could be bypassed to gain physical access to the device or gain access to secrets.”
Because Pluton is baked into the CPU, it can mitigate this vulnerability, he says. “Pluton can also run side by side with a TPM for additional security scenarios.”
Another Pluton advantage concerns technology updates, says Enderle. “Pluton is updatable while the TPM generally is not, so it can be improved over time in use.”
Soseman likes that Pluton can be updated via Windows Update, which “allows for integration into an existing patching strategy, providing a root of trust for firmware updates, security patches, and deployment of new features.”
Pluton runs on PCs with the AMD Ryzen 6000 and Qualcomm Snapdragon 8cx Gen 3 series processors. But given Intel’s abstention, what should custom builders know about Pluton in preparing their build strategies?
Seibert says an advantage of TPM 2.0 systems over Pluton is they can run Linux and prior versions of Microsoft Windows. However, there may come a time when Pluton becomes a requirement. “”It’s anticipated that Windows 12 corporate sector installs or upgrades could require Pluton,” he says. “”A home version of Windows requiring Pluton is not expected.””
As organizations modernize their security posture with measures such as zero trust, Pluton can play a key role, says Soseman. It could provide signals for hardware attestation in conjunction with an organization’s zero trust policy when users access corporate resources, he says.
“I think we have only seen the tip of the iceberg with Pluton,” Soseman notes. “Given Microsoft’s $20 billion investment in cybersecurity, and the ever-evolving threat landscape, I’m excited to see how Pluton’s unique approach plays a part in protecting devices and helping organizations improve their zero-trust posture.”
PEDRO PEREIRA is a New Hampshire-based freelance writer who has covered the IT channel for two decades.
Image: Courtesy of Microsoft