PCs coming this year with Microsoft’s integrated Pluton security chip won’t be locked down to Windows 11, and users will have the option to install Linux and turn off the feature completely.
The first PCs with Pluton chips and Windows 11 PCs were shown at CES earlier this month. Major PC chip makers, including Intel, AMD and Qualcomm are embedding the Pluton processor inside processors as a secure hardware layer to protect PCs.
But Microsoft’s invasion at the hardware level has some users – especially in the open-source community – on high alert. The concern relates to the chip being a proprietary backdoor for Microsoft to take control of PCs and tying the hardware closely to Windows 11.
AMD integrated Microsoft’s Pluton in Ryzen 6000 chips, which were introduced at CES earlier this month. AMD’s goal is to bring better security to PCs, but users can disable Pluton.
“AMD respects user choice and, as is typical with many other security technologies, we provide the ability for a user to enable or disable Pluton based on their preferences in our reference BIOS,” an AMD spokeswoman told The Register.
Pluton is a Windows security technology, but it does not restrict Linux installation, the spokeswoman said.
“AMD Ryzen 6000 Series processors support Linux. AMD has closely collaborated with Canonical (Ubuntu) and Red Hat to certify and optimize OEM designs with their operating systems,” the spokeswoman said.
Lenovo at CES announced new ThinkPads with AMD’s Ryzen chips, but the laptops will ship without Pluton turned on.
“Pluton will be disabled by default on 2022 Lenovo ThinkPad platforms. Specifically the Z13, Z16, T14, T16, T14s, P16s and X13 using AMD 6000-series processors. Customers will have the ability to enable Pluton themselves,” a Lenovo spokesperson told The Register.
An Intel spokesman told The Register that Alder Lake PCs will support Linux, but did not provide further details. He pointed out that the chip maker offered a Pluton-equivalent called Intel Platform Trust, which is a TPM 2.0, and helps protect against certain classes of physical attacks.
Pluton is designed for Windows PCs, and support for Linux “is currently an unsupported scenario,” Microsoft spokesperson told The Register.
“Pluton is a hardware security technology that could be used by various OS components similar to how OS code can choose to use the TPM. Linux already has support for TPMs today, however Microsoft’s current focus is ensuring an optimal experience for Windows 11,” Microsoft said in an email.
To be sure, Apple and Google have homegrown security processors in their own devices. Microsoft largely collaborates with chip makers to tune processors for Windows, but Pluton marks a milestone in Microsoft’s growing efforts to develop custom silicon.
It’s up to PC makers to make this opt in or opt out
Pluton secures sensitive information like user credentials and encryption keys on integrated processor baked into the CPU die. Microsoft says that Pluton’s proximity to the CPU mitigates systems from being exposed to chip-level security bugs like Spectre and Meltdown, which prompted major tech companies, including Microsoft, to rethink hardware systems and software.
Pluton for PCs evolved through security subsystems in the Xbox and the Azure Sphere IoT platform, which includes an Arm-based microcontroller and Linux OS. Microsoft has said Pluton provides “chip to cloud” security, with firmware updates coming through Windows Update.
“Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices,” Microsoft said in a blog entry. The Azure Sphere Security Service uses a technique called remote attestation to authenticate a device and to ensure it has genuine software that is secure and trusted.
But the Xbox roots of Pluton has users worried about it being some kind of DRM system, but Microsoft has said that Pluton is more of a building block to address the long-standing problem of securing PCs from bad actors.
PC makers can choose to ship computers with Pluton turned off, and the technology does not verify the signature of bootloaders, the Microsoft spokesman said. The security processor can be a Trusted Platform Module, or used in a non-TPM scenario, like to maintain system resiliency.
Microsoft has already demonstrated that Pluton could be built into IoT systems based on Linux. The Azure Sphere IoT platform Pluton security subsystem in the Arm-based MCU to identify and protect systems.
Microsoft told The Register it is committed to helping customers using Linux to secure environments, giving the example of a proposal and shared code for a new Linux Security Module to help with the problem of authorizing code execution by policy. ®