It appears that Microsoft is working on a new security processor, dubbed Pluton, in collaboration with AMD, Intel and Qualcomm. These companies will integrate the technology into their own processors.
The Pluton security processor will reside inside future “consumer” chips from both AMD and Intel, though it builds on technology that Microsoft and AMD first used in the custom processors for Xbox game consoles.
In recent years the security of Windows PCs has been severely compromised by a new wave of attacks, such as hardware-agnostic malware that exploits various CPU vulnerabilities. This led Microsoft to engineer a new hardware processor that will protect the OS and its users and ensure overall platform security.
The new security processor also leverages a standard feature found on AMD’s current EPYC server processor lineup. Intel also plans to adopt a similar approach to help secure Windows PCs.
This new collaboration will enable stronger security that helps prevent physical attacks and encryption key theft while also protecting against firmware attacks. This chip-to-cloud security technology, pioneered in Xbox and Azure Sphere, will bring even more security advancements to future Windows PCs and signals the beginning of a journey with ecosystem and OEM partners.
To quote Microsoft:
“Our vision for the future of Windows PCs is security at the very core, built into the CPU, where hardware and software are tightly integrated in a unified approach designed to eliminate entire vectors of attack. This revolutionary security processor design will make it significantly more difficult for attackers to hide beneath the operating system, and improve our ability to guard against physical attacks, prevent the theft of credential and encryption keys, and provide the ability to recover from software bugs.”
In case you didn’t know, the core of OS security is based on a separate component called the Trusted Platform Module (TPM). The TPM has been the preferred solution for securing PCs against a range of threats.
The planned Pluton security processor design comes as a result of recent attack vectors that have severely compromised the TPM. The TPM is located off the CPU. It can be used to verify various system parameters and store keys.
Basically, the TPM is a small secondary chip inside the system that stores encryption keys for services like BitLocker and Windows Hello, among other things.
It can still protect encryption keys, but in recent years attackers have learned how to penetrate or bypass the bus that connects the TPM to the CPU through physical attacks and other exploits, compromising the whole system in the process.
With the new Pluton security core, however, these exploits are removed, because the new TPM (the Pluton processor) now sits inside the CPU and is even more secure. Microsoft says that security must be built directly into the processor to prevent this kind of attack, hence the plan to design the Pluton security processor.
More importantly, the new Pluton design removes the potential for that communication channel to be attacked by building security directly into the CPU.
Windows PCs using the Pluton architecture will first emulate a TPM that works with the existing TPM specifications and APIs, which will allow customers to immediately benefit from enhanced security for Windows features that rely on TPMs like BitLocker and System Guard.
Windows devices with Pluton will use the Pluton security processor to protect credentials, user identities, encryption keys, and personal data. None of this information can be removed from Pluton even if an attacker has installed malware or has complete physical possession of the PC.
This is accomplished by storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system. That isolation helps ensure that emerging attack techniques, like speculative execution, cannot access key material.
According to Microsoft, Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.
One of the other major security problems solved by Pluton is keeping the system firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources that can be difficult to manage, resulting in widespread patching issues.
Pluton provides a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices.
The shared Pluton root-of-trust technology will maximize the health and security of the entire Windows PC ecosystem by leveraging the security expertise and technologies from the companies involved.
“At AMD, security is our top priority and we are proud to have been at the forefront of hardware security platform design to support features that help safeguard users from the most sophisticated attacks. As a part of that vigilance, AMD and Microsoft have been closely partnering to develop and continuously improve processor-based security solutions, beginning with the Xbox One console and now in the PC.
We design and build our products with security in mind and bringing Microsoft’s Pluton technology to the chip level will enhance the already strong security capabilities of our processors.” – Jason Thomas, head of product security, AMD.
“Intel continues to partner with Microsoft to advance the security of Windows PC platforms. The introduction of Microsoft Pluton into future Intel CPUs will further enable integration between Intel hardware and the Windows operating system.” – Mike Nordquist, Sr. Director, Commercial Client Security, Intel.
Microsoft believes that processors with built-in security like Pluton are the future of computing hardware.
Stay tuned for more!