Microsoft Pluton: AMD is the first to integrate the new security layer


The emergence of TPMs has drastically enhanced the security of laptops. However, flaws persist. Closing those gaps is the whole purpose of Pluton, Microsoft’s security solution, which will land in the first PCs in 2022.

Microsoft’s Pluton security chip isn’t new. It was first presented in November 2020. The technology had nevertheless stayed far from our computers, Microsoft having used it only to secure its Xbox consoles and certain microcontrollers in the Azure ecosystem. That is about to change: at CES 2022 we learned of the imminent arrival of laptops featuring AMD processors with an integrated Pluton security processor.

With this solution, Microsoft intends to build a new bulwark against attacks in which an adversary has physical access to the computer. The idea is to prevent them from installing malware or stealing sensitive data of any kind. Of course, protections against these kinds of attacks already exist. TPM chips are now commonplace, and Intel offers its Software Guard Extensions, but despite these solutions, computers and data remain vulnerable to certain types of attacks.

Bridging the gaps in TPM

Our colleagues at Ars Technica recall, for example, the compromise of a Lenovo computer whose storage was encrypted with a TPM module, whose BIOS was password-protected and which had UEFI Secure Boot enabled, all in under 30 minutes. That attack yielded the PC’s BitLocker encryption key. Likewise, an Intel vulnerability (since fixed) allowed machines with BitLocker and a TPM chip to be compromised. And with physical access to a computer, it is possible to get at the connection between the TPM chip and the other components, which opens the door to various exploits.

That’s why Microsoft took a different approach when designing Pluton. The idea is to integrate the protection directly into the CPU, where Pluton stores encryption keys and other data that must be highly secure, completely isolated from the other system components. This information therefore cannot be extracted even with physical access to the computer. To achieve this, Microsoft uses a unique key called SHACK (Secure Hardware Cryptography Key), which ensures that the other security keys it protects can never be exposed, even to Pluton’s own firmware. That firmware is in turn tied to Windows Update so that security updates can be distributed with full assurance.

Protection integrated into the CPU

With Pluton, it therefore becomes possible, through a hardware layer, to prevent the installation of malicious, corrupted or modified programs that the developers have not approved. This technology improves the robustness of x86 systems against very sophisticated attacks, using a “sandbox” approach that isolates at-risk components. It addresses the limits of widespread TPM adoption: TPMs were never designed to withstand physical attacks. Admittedly, the contribution of TPMs is indisputable, especially since these modules now store keys and critical data formerly kept in the systems’ general storage, but this was insufficient, because that security layer is not perfectly impervious to attack.

Just as it praised the efforts of companies like Apple and Google when dedicated security chips such as the T2 and Titan appeared, the security community is following Pluton with great interest, all the more so because the technology is integrated into the very heart of the system, that is, into the CPU. Note that computer manufacturers who integrate a processor with Pluton will have the choice of activating it as a TPM module, of using it as an additional security layer outside the scope of the TPM, or of deactivating it.

The first PCs to take advantage of Pluton will a priori be models manufactured by the Chinese group Lenovo in its professional ThinkPad range: the ThinkPad Z13 and Z16 in their AMD Ryzen configurations, expected to ship in May. Indeed, as noted in the introduction, AMD is the first to integrate Microsoft’s Pluton technology into its processors.
