The most sensitive parts of your computer have come to live in a distinct hardware component known as a "secure enclave." These chips are designed not only to keep hackers from accessing your system's crown jewels, such as encryption keys, but to establish a "root of trust": they run cryptographic checks on the firmware and boot code so that the system can detect whether an attacker has maliciously altered it. Historically, companies like Intel, AMD, and Qualcomm have developed their own versions of these protective tools. But now Microsoft is partnering with all three to create a new secure chip aimed at bringing enhanced security to the Windows masses.
It's early days still, but the idea is that eventually the Microsoft Pluton processor will come standard with mainstream CPUs as part of a "system on a chip," where all the main components of a computer are housed together on one die for efficiency and speed. Apple announced last week that its new in-house M1 processor for Macs would take that approach, incorporating its security processor into the SoC rather than as a distinct T2 chip as in recent models. Apple's controlled, top-down ecosystem allows the company to push updates easily to nearly its entire population of products. The world of Windows isn't nearly as tidy. But Microsoft's goal with Pluton is to make root of trust protections ubiquitous despite the diverse range of manufacturers who license its operating system.
"What we’ve done here is we’ve said, let’s not change the nature of the PC ecosystem—keep the choice, keep the customer variety," says David Weston, Microsoft's director of enterprise and operating system security. "But when it matters, which is where your encryption keys are stored, how you boot the system, now Microsoft writes the code for Pluton and works with Intel or others to get it signed and delivered. So there are fewer people involved, and the PC is going to be more secure for it. The fact that Microsoft designed a processor and Intel is putting it in their CPU—that’s like a head-exploding concept."
Ubiquity comes with its own risks. Elements designed for security can quickly become a single point of failure if they can no longer be trusted themselves. That's not just a theoretical problem; weaknesses have been found in the secure enclaves of tech giants like Apple, Cisco, and Intel. But proponents emphasize that the mechanisms still raise baseline security for all devices that contain them, even if they sometimes prove fallible.
With this concern in mind, Microsoft views Pluton as an option that can be implemented in different ways by different silicon vendors. It can supplement, rather than replace, other secure enclaves that device manufacturers may also want to keep. For example, AMD says that its Security Processor will work alongside Pluton: the AMD chip acts as the hardware root of trust for the silicon in a system and its firmware, while Pluton provides the root of trust for Windows.
"Working with partners like Microsoft allows us to make an even bigger impact," AMD head of product security Jason Thomas said in a statement.
Microsoft also has specific past experience developing chips that resist attacks both digitally and physically. For almost a decade, Xbox gaming consoles have been a rare example of popular, ubiquitous devices that are difficult to hack and alter even when you can take the device apart and mess with its internals. Microsoft intentionally built Xbox systems to be difficult to "mod," and these defenses have been successful so far. Along with the company's secure internet-of-things service Azure Sphere, Xbox has helped Microsoft test the viability of a protection like Pluton.
Pluton also directly addresses a sophisticated avenue of attack against secure enclaves. Hackers have begun to target the internal connectors, or "buses," that link a discrete security chip to the main processor, because secrets the chip releases to the CPU cross that link and can be captured with probes on the board. Separately, processor makers, particularly Intel, have grappled with how to secure features like Intel's SGX, which creates encrypted enclaves inside regular CPUs but has been repeatedly defeated. By working directly with chipmakers to add Pluton as a system-on-a-chip component, Microsoft aims to remove the exposed bus between the security processor and the CPU, and with it these attack vectors.
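To make the two mechanisms above concrete, here is an added example in Python that is not part of the original article and not Microsoft, Intel or AMD code. It models a TPM-style measured boot: each boot stage is hashed into a platform configuration register (PCR) with a SHA-256 "extend," a 32-byte secret is sealed to the expected PCR value, and the secret is released only if a later boot reproduces that value. It also records every byte exchanged between the CPU and a discrete security chip in a `bus` list, which is what a logic analyzer clipped onto the chip's external lines would capture. The boot image names, the storage root key and the secret are all constructed for the example, and the sealing scheme is a simplified stand-in for real TPM policy sealing.

```python
import hashlib
import hmac

# Constructed boot chain: hypothetical firmware, bootloader and kernel images.
GOOD_CHAIN = [b"uefi-firmware-v1", b"bootmgr", b"winload-kernel"]
# Assumed values: a storage root key that never leaves the chip, and a
# 32-byte secret (think of a disk encryption key) to be sealed to the boot state.
SRK = hashlib.sha256(b"constructed storage root key").digest()
SECRET = hashlib.sha256(b"constructed volume master key").digest()


def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM 2.0 style extend: PCR' = SHA-256(PCR || SHA-256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_chain(images) -> bytes:
    """Each boot stage measures the next one into the PCR before handing over.
    Order matters: the same images in a different order give a different PCR."""
    pcr = b"\x00" * 32  # PCRs reset to all-zero on power-up
    for image in images:
        pcr = pcr_extend(pcr, image)
    return pcr


def seal(srk: bytes, secret: bytes, policy_pcr: bytes) -> dict:
    """Bind a 32-byte secret to one expected PCR value (simplified PolicyPCR).
    The wrapping key is derived from the chip-resident SRK and the PCR, so
    the blob is useless without both the chip and the right boot state."""
    assert len(secret) == 32
    wrap = hmac.new(srk, policy_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"policy": policy_pcr, "blob": blob, "tag": tag}


def unseal(srk: bytes, sealed: dict, current_pcr: bytes):
    """Release the secret only if the live PCR equals the sealed policy."""
    if not hmac.compare_digest(sealed["policy"], current_pcr):
        return None  # boot chain was altered: measurements do not match
    wrap = hmac.new(srk, current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(sealed["tag"], expected_tag):
        return None  # sealed blob itself was corrupted
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def boot_and_unseal(images, sealed, bus: list, srk=SRK):
    """Simulate the CPU talking to a discrete security chip over an external bus.
    Every response that crosses the bus is appended to `bus`; with an
    integrated (SoC) security processor there is no such external link."""
    pcr = measure_chain(images)
    bus.append(("PCR_Read response", pcr))
    secret = unseal(srk, sealed, pcr)
    if secret is not None:
        bus.append(("Unseal response", secret))  # plaintext key crosses the bus
    return secret


def demo():
    """Seal to a clean boot, then boot once cleanly and once with a modified
    kernel; report the secret sniffed off the bus during the clean boot."""
    sealed = seal(SRK, SECRET, measure_chain(GOOD_CHAIN))
    bus = []
    good = boot_and_unseal(GOOD_CHAIN, sealed, bus)
    tampered_chain = [b"uefi-firmware-v1", b"bootmgr", b"winload-kernel-backdoored"]
    bad = boot_and_unseal(tampered_chain, sealed, [])
    sniffed = any(value == SECRET for _, value in bus)
    return good, bad, sniffed


if __name__ == "__main__":
    good, bad, sniffed = demo()
    print("unseal after clean boot   :", good == SECRET)
    print("unseal after tampered boot:", bad)
    print("secret visible on the bus :", sniffed)
```

The tampered boot fails because a single changed byte in any stage changes every later PCR value, so the policy check in `unseal` rejects it; that is the "cryptographic check" a root of trust performs. The clean boot succeeds, but the released secret is recorded in `bus`, which is the leak that bus-sniffing attacks exploit and that moving the security processor onto the same die is meant to close.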
"We're trying to keep the hardware as simple as possible, that way there's not a big surface area," says Mike Nordquist, director of strategic planning and architecture for Intel's business client group. "The firmware is also easily updatable. And the cool part is this is all an evolution. When you shut down one avenue, the hackers are going to go somewhere else, so our goal is to bring the bar up every year and be ready for whatever comes next."
Pluton chips won't appear on CPUs for more than a year, but Nordquist says that Intel is actively working on the integration. And the company plans to offer the addition at low or no additional cost to make it possible for Pluton-equipped CPUs to truly proliferate whether a manufacturer is actively looking for such a feature or not.
Microsoft's Weston is realistic; he says no protection is foolproof, but he emphasizes that Microsoft and its Pluton partners are putting a lot of effort into striking a balance between developing sophisticated, capable hardware and leaving enough to firmware that they can still patch most bugs and vulnerabilities. If something's wrong with the chip itself, there's no such easy fix. Weston adds that Microsoft's Red Team has been hard at work trying to find Pluton's flaws. "They would love to have broken this in a way that would have made us rethink things," he says.