What's new

CES 2022: Chip to cloud security: Pluton-powered Windows 11 PCs are coming

As we enter this new year, security remains a top concern as businesses continue to evolve and define their digital transformation strategies and what hybrid work means for their organizations and their employees. Over the last year, we’ve seen a 150% increase in ransomware attacks. Every second there are 579 password attacks, and since March 2020 we have seen a 667% increase in phishing attacks. While cloud-delivered protections and significant advancements in the Windows OS have made things more difficult for attackers, they continue to evolve as well – targeting the seams that exist between hardware and software and sensitive information like encryption keys and credentials within a device’s firmware. Security decision makers have taken note. The Microsoft Security Signals 2021 survey found that 80% believe that modern hardware, and not just software, is needed to protect against emerging threats.

These modern, sophisticated threats, combined with today’s distributed workforce, require solutions that are designed to protect each layer of computing from the chip to the cloud. To deliver that for our customers, we’ve made several important strides with the release of secured-core PCs, Windows 11 and the Microsoft Pluton security processor. The Microsoft Pluton is a security processor, pioneered in Xbox and Azure Sphere, designed to store sensitive data, like encryption keys, securely within the Pluton hardware, which is integrated into the die of a device’s CPU and is therefore more difficult for attackers to access, even if they have physical possession of a device. This design helps ensure that emerging attack techniques cannot access key material.


Today, we are thrilled to see Lenovo and AMD introduce one of the first Microsoft Pluton powered PCs. The new Lenovo device powered by AMD Ryzen 6000 Series processors introduces a valuable new hardware security capability for Windows customers, including:
  • Security updates from the chip to the cloud
    • The Pluton security processor’s firmware will be updateable through Windows Update along with standard industry controls. This tightly integrated hardware and software helps protect against security vulnerabilities by adding additional visibility and control, and provides a platform for innovation that allows customers to benefit from new features in future releases of Windows that leverage the Pluton hardware and, with this design, are adaptable to changes in the threat landscape.
  • Physical attack resistance
    • The Microsoft Security Signals 2021 survey showed that 70% of security decision makers were more concerned with the risk of device theft given the move to hybrid work. Even if the attacker has complete physical possession of the PC, the AMD Security Processor and Pluton are designed to co-exist on AMD client silicon to ensure constant communication, which helps to eliminate an attack vector that physical attackers could exploit.
  • Trusted, proven security built alongside our partners built on approaches and technologies used in Xbox and Azure Sphere.

Improving security for all Windows users with innovation built on partnerships​

Pluton’s flexible, secure platform helps to improve security across a range of scenarios that benefit everyday consumers, small businesses and large commercial enterprises. Supporting the needs of our customers is always a top priority, which is why Pluton can be configured in three ways: as the Trusted Platform Module; as a security processor used for non-TPM scenarios like platform resiliency; or OEMs can choose to ship with Pluton turned off. That means for devices like the Lenovo ThinkPad Z13 and Z16, when Pluton is configured as the TPM 2.0 for a Windows 11 system, Pluton helps protect Windows Hello credentials by keeping them further isolated from attackers. Device encryption can use Pluton when it is configured as the TPM to securely protect encryption keys from physical attacks and help keep data safe from prying eyes. The flexibility of Pluton and the innovation supported by Microsoft’s ecosystem partners allow the hardware security capabilities supported by Pluton to be used for scenarios beyond the TPM.

The first example of such a scenario was developed in close partnership with multiple OEMs. Windows will use Pluton to securely integrate with other hardware security components on the system to provide greater visibility into the state of the platform to the Windows end user and eventually to IT administrators, who will have new platform resiliency signals that can be used for zero-trust conditional access workflows.

Windows OEMs work closely with commercial customers to help ensure that their device security needs are met. Given that OEMs help build a device from the case to the motherboard and connected peripherals, they are uniquely positioned to provide customers insight into what the expected state is across these various components.

In the future these signals will also be reported to cloud services like Intune, through the Microsoft Azure Attestation service, so that they can be used by IT administrators to take a step further in the zero-trust security paradigm of verifying as much as possible before authorizing access to any privileged resources.

To learn more about Lenovo’s device, visit their website.

The start of the Pluton journey with the Windows ecosystem​

Our OEM partners are leveraging platforms from silicon partners to begin offering customers Windows systems with Pluton enabled. This is the start of a journey with the Windows ecosystem to bring the Pluton benefits of cloud-delivered, up-to-date protection, physical attack resilience and established security features to more Windows systems over time. Look for updates from Microsoft and our partners in the future around expanded hardware availability of Pluton.


Source: CES 2022: Chip to cloud security: Pluton-powered Windows 11 PCs are coming
 
As TPM can be emulated in a VM easily enough -- it surely isn't an impossible problem to have a "Virtual Pluton" processor in the Virtual CPU.

So for "Hackers" -- Problem solved before the hardware even exists.
Host machine is Arch Linux kernel 5-16-11, KDE-plasma v 5.24, wayland-session desktop with KVM as virtualisation software and swtpm as IBM's TPM emulator.

Screenshot_20220227_094630.png

Guest running W11 (I know the VM title says W10 -- W11 was upgraded from W10 on this VM) - Virtual TPM hardware detected and working properly.

Screenshot_20220227_100023.png
Cheers
jimbo
 
Last edited:

My Computer

System One

  • OS
    Windows XP,7,10,11 Linux Arch Linux
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7

Users who are viewing this thread

Back
Top