In November 2020, Microsoft unveiled Pluton, a security processor that the company designed to thwart some of the most sophisticated types of hack attacks. On Tuesday, AMD said it would integrate the chip into its upcoming Ryzen CPUs for use in Lenovo’s ThinkPad Z Series of laptops.
Microsoft already used Pluton to secure Xbox Ones and Azure Sphere microcontrollers against attacks that involve people with physical access opening device cases and performing hardware hacks that bypass security protections. Such hacks are usually carried out by device owners who want to run unauthorized games or programs for cheating.
Now, Pluton is evolving to secure PCs against malicious physical hacks designed to install malware or steal cryptographic keys or other sensitive secrets. While many systems already have trusted platform modules or protections such as Intel’s Software Guard Extensions to secure such data, the secrets remain vulnerable to several types of attacks.
One such physical attack involves placing wires that tap the connection between a TPM and other device components and extract the secrets that pass between the machines. Last August, researchers disclosed an attack that took only 30 minutes to obtain the BitLocker key from a new Lenovo computer preconfigured to use full-disk encryption with a TPM, password-protected BIOS settings, and UEFI SecureBoot. The hack—which worked by sniffing the connection between the TPM and the CMOS chip—showed that locking down a laptop with the latest defenses isn’t always enough.
A similar attack unveiled three months later showed it was possible to exploit a vulnerability (now fixed) in Intel CPUs to defeat a variety of security measures, including those provided by BitLocker, TPMs, and anti-copying restrictions. Attacks known as Spectre and Meltdown have also repeatedly underscored the threat of malicious code pulling secrets directly out of a CPU, even when the secrets are stored in Intel’s SGX.
A new approach
Pluton is designed to fix all of that. It’s integrated directly into a CPU die, where it stores crypto keys and other secrets in a walled-off garden that is completely isolated from other system components. Microsoft has said that the data stored there can’t be removed, even when an attacker has installed malware or has full physical possession of the PC.
One of the measures making this possible is a unique Secure Hardware Cryptography Key, or SHACK. A SHACK helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself. Pluton will also be responsible for automatically delivering firmware updates through the Windows Update. By tightly integrating hardware and software, Microsoft expects Pluton to seamlessly install security patches as needed.
“If I’m running an office IT department, I want people to run verified versions of Windows and office apps and lock down as much else as possible to prevent all sorts of malicious and unauthorized stuff,” said Joseph FitzPatrick, a hardware hacker and a researcher specializing in firmware security at SecuringHardware.com. “Pluton is the hardware-enabled path to get there.”
He said that Pluton will also prevent people from running software that has been modified without the permission of developers.
“The upside is it makes x86 systems more secure and reliable by further enabling a walled garden approach,” FitzPatrick said. “The downside is the typical complaints about walled gardens.”
From the outset, TPMs have had a fundamental limitation—they were never designed to protect against physical attacks. Over time, Microsoft and others began using TPMs as a place to more securely stash BitLocker keys and similar secrets. The approach was vastly better than storing keys on disk, but as researchers have demonstrated, it was hardly sufficient.
Eventually, Apple and Google introduced the T2 and Titan chips to improve things. The chips provided some guarantee against physical attacks, but both were essentially bolted on to existing systems. Pluton, by contrast, is integrated directly into the CPU.
The security chip can be configured in any one of three ways: as the device TPM, as a security processor used in non-TMP scenarios such as platform resilience, or as something PC makers turn off before shipping.
ThinkPad Z series laptops equipped with Pluton-integrated Ryzens will begin shipping in May. Microsoft said
ThinkPad Z13 and Z16 models that use Pluton as a TPM will help protect Windows Hello credentials by further isolating the credentials from attackers.