If you have been keeping up with new developments in the PC world, you might have heard the term “Pluton” in the recent past. If you have been wondering what Microsoft Pluton is all about, what changes it brings, and how it differs from TPM, you have arrived at the right place. In this guide, we have detailed everything you need to know about Microsoft’s Pluton security chip for Windows PCs.
Microsoft says Pluton can be configured as the Trusted Platform Module or as a security processor for non-TPM scenarios like platform resiliency. OEMs can also choose to turn off Pluton.
Unlike a separate trusted platform module that interacts with the CPU, Pluton is built right into the CPU to help prevent attacks and theft of credential and encryption keys. This way, attack methods (including the ones executed with physical possession of the device) that primarily focus on hijacking the bus interface between the CPU and security processor can be eliminated. “This design helps ensure that emerging attack techniques cannot access key material,” added Microsoft.
“This revolutionary security processor design will make it significantly more difficult for attackers to hide beneath the operating system, and improve our ability to guard against physical attacks, prevent the theft of credential and encryption keys, and provide the ability to recover from software bugs,” says David Weston, Director of Enterprise and OS Security at Microsoft, in an official blog post.
According to Microsoft, attackers won’t get access to sensitive data, including credentials, user identities, encryption keys, and personal data, if they have installed malware or have physical access to PCs with Pluton. This new security processor also uses Secure Hardware Cryptography Key (SHACK) technology to effectively isolate keys even from Pluton’s firmware.
Another benefit of the Pluton chip is effective firmware updates, thanks to Windows Update integration. With this approach, Microsoft can directly deliver firmware updates to users without having to rely on its OEM partners. This should help the company roll out important security patches for critical bugs on a large scale.
As you might recall from our TPM explainer, TPM is traditionally a separate hardware chip that is responsible for storing sensitive data on Windows PCs. One key difference between a typical TPM module and Pluton is that the latter is built right into the CPU. Hence, you get the same hardware-level TPM features on Pluton-powered devices. As we mentioned earlier, this approach will reduce the chances of physical attacks.
Coming to functionality, Pluton works with existing TPM specifications and APIs. As a result, you can use existing TPM-powered features such as BitLocker and System Guard on Windows PCs with the Pluton chip. In a nutshell, Pluton is practically the next step to TPM. It incorporates TPM features while adding better update support and making the PCs immune to physical attacks. It is also considered to be better than firmware TPMs like Intel Platform Trust Technology (PTT) and AMD’s fTPM.
“This is about security, it’s not about DRM,” further explains Weston. “The reality is we’ll create an API where people can leverage it. It’s definitely possible for folks to use that for protection of content, but this is really about mainstream security and protecting identity and encryption keys,” he told The Verge.
Since consumer-grade PCs too will come with the Pluton chip (more on this below), it won’t be surprising to see PC game developers utilize the Pluton chip. They would use it to lock down their games, which would pose a threat to the game piracy and modding space in a few years.
That said, Microsoft says that OEMs will have the option to turn off Pluton. So, we will have to see if OEMs choose to turn off Pluton in consumer PCs or simply configure it as a TPM replacement to enable the various security features in Windows 11 PCs. Given the security benefits, it’s unlikely that OEMs will disable Pluton completely, and it’s unclear whether it would be possible to disable Pluton manually from the consumer’s end.
Making the announcement a month before AMD, Qualcomm has also promised to use Pluton in its Snapdragon 8cx Gen 3 chips. However, we are uncertain when devices powered by this Qualcomm chip will arrive in the market. AMD will certainly beat the mobile chipmaker to the punch. Intel is also on board and will support Microsoft Pluton, but we will have to wait to see Intel chips featuring Pluton.
Moreover, if you are wondering whether we will see new desktop CPUs with the Pluton chip, the answer is a resounding yes. Microsoft has confirmed that Pluton CPUs for desktops, along with 2-in-1s and other Windows 11 personal computing form factors, will be available in the near future.
Microsoft Pluton Security Chip Explained
Pluton is Microsoft’s industry-wide effort to improve the security of Windows PCs. While we will have to wait to find out whether Pluton causes DRM troubles, it should reduce security issues on Windows machines. So, what do you think of the Microsoft Pluton processor? Don’t forget to share your thoughts with us in the comments.
Subin writes about consumer tech, software, and security. He secretly misses the headphone jack while pretending he’s better off with the wireless freedom.