Microsoft Pluton Processor inside any AMD/Intel/Qualcom processors from 2022

[RoGeorge]

Did any of you knew about this? 

Microsoft convinced PC processor designers to embed a Microsoft Security Processor core, Pluton, inside the hardware of any normal processor.  Agreed in 2020, first models of AMD Ryzen 6000 laptops ready in 2022.  Updates for Pluton core through Windows Update only.  Part of the Microsoft chip-to-cloud, though Windows or not, Microsoft will control any processor.

https://www.howtogeek.com/779095/what-is-microsofts-pluton-security-processor/

[Zoli]

Well, the first reports: https://www.semiaccurate.com/2022/01/18/amds-new-cpus-may-be-safe-to-deploy/
NOT linked  in the previous article; nonetheless, the problem raised in both is serious; personally, I will NOT boy a CPU with Puton.

[hans]

Oh.. this sounds awfully familiar with the Apple Studio device not accepting "SSD" upgrades. Obv they also added a SSD controller inside the M1 chip, but if the (filesystem) encryption keys are stored *inside* the CPU package, then you'll almost likely need a software vulnerability to get them out. It depends if there a possibility to do so. I suppose the keys won't be system exposed, but you can only list, create and delete keys.

Sounds like a recipe for disaster for anyone doing data recovery, wants to swap out SSDs with other machines.. all the reasons why you wouldn't use disk encryption tied to a systems keys. And knowing Microsoft, I sincerely hope they play nice with OSS and help them with proper implementations for it.

In terms of BIOS I'm not sure how useful this is, because that's part of the chipset. If the remaining vulnerability is sniffing traces on the PCB, then I imagine that's a very limited attack vector that no one should be concerned about. So if TPM protects the BIOS firmware/rootkits, then that should be fine right?

[PKTKS]

Frankly ..  what does anyone expect from them?  This is not new

Their business has always been using the filthiest  methods available always imploding better products to force theirs

Claiming property of the hardware and forcing whatever to suit their greed no  matter consequences

This is by no means new.. these  assholes started this  slightly different method to ensure 100% property of the PC.. the same time they love *NIX..

TIME TO SAY NO  MORE IN LOUD AND CLEAR  VISIBLE SOUND..

just ditch them in proper  place

Paul

[VK3DRB]

I don't like where this is heading. Remember that Gates character and his monopolistic pursuits with Internet Explorer. Eventually, some CPU variants might only allow you to run the Microsoft O/S and not Linux. Or to run Windows, you must purchase a particular CPU variant - at a premium cost of course.

[PKTKS]

I don't like where this is heading. Remember that Gates character and his monopolistic pursuits with Internet Explorer. Eventually, some CPU variants might only allow you to run the Microsoft O/S and not Linux. Or to run Windows, you must purchase a particular CPU variant - at a premium cost of course.

Do not expect nothing new.

Their agenda is the very same agenda of always.

They will keep force pushing their bundles inside vendors..
(which by no means disclose what sort of  agreement reached by threats)

This time is a hardware push... consumers will be obliged to pay and use their "processors"..
by the fallacy of security and others..

Eventually they claim property of the x86 PC..

and not exclusively x86.. they have an ARM agenda called Volterra

https://arstechnica.com/gadgets/2022/05/microsoft-will-boost-windows-on-arm-with-a-new-dev-kit-and-arm-native-visual-studio/

Paul

[SiliconWizard]

Sounds nice.

[Richard Crowley]

I don't like where this is heading. Remember that Gates character and his monopolistic pursuits with Internet Explorer. Eventually, some CPU variants might only allow you to run the Microsoft O/S and not Linux. Or to run Windows, you must purchase a particular CPU variant - at a premium cost of course.

[Benta]

Why are you all getting het up?
You made your choice yourself by choosing M$ Windows.
I switched to Linux/Lubuntu three years ago and never looked back.
TPM? Pfft.
Pluton? Pfft.

Problem solved.

[coppice]

The name is rather apt.  Isn't Pluto the god of the underworld?

I thought the name was appropriate because Pluto is a dog.

[MrMobodies]

A More Secure Computing Experience
Microsoft’s Pluton isn’t the most exciting addition to Windows PCs, but it does promise enhanced security, and the platform should make it harder for hackers to extract sensitive data from your PC. Don’t count on it being foolproof, but it’s another step towards greater security. As long as these measures don’t prevent us from running software we actually want to use, Pluton is a welcome development.

Most of the time that won't be necessary especially when people are fooled into giving them their passwords and bank details over the phone.

https://arstechnica.com/information-technology/2022/01/pluton-microsofts-new-security-chip-will-finally-be-put-to-the-test/

DAN GOODIN - 1/4/2022, 10:15 PM
He said that Pluton will also prevent people from running software that has been modified without the permission of developers.

Sounds like DRM to me.

Just NO! I don't want it.

I would want efi/bios options to disable that crap and if not I'll look at buying computers and processor before 2022 or whatever I can without it for a while where I'll have to look at other alternatives many years later.

I don't want that to DICTATE to me what I can and can't do with stuff in my possession via remote control to Microsoft anymore than what I have now.

Just found this:
https://www.theregister.com/2022/01/20/microsoft_amd_pluton_lenovo/

For those worried about Microsoft's Pluton TPM chip: Lenovo won't even switch it on by default in latest ThinkPads
Folks can enable or disable it, install Linux as normal. Just sayin'
Agam Shah hu 20 Jan 2022 // 20:44 UTC

PCs coming out this year with Microsoft's integrated Pluton security chip won't be locked down to Windows 11, and users will have the option to turn off the feature completely as well as install, say, Linux as normal, we understand. The first Windows 11 PCs with Pluton built-in were shown at CES earlier this month. Major PC chip houses – think Intel, AMD, and Qualcomm – are said to be embedding Pluton inside their just-launched or upcoming microprocessors. Pluton can act as a Trusted Platform Module (TPM) or as a non-TPM security coprocessor. It's a way for Microsoft to specify exactly how it wants a TPM component to be present in microprocessors so that Windows 11 can use the hardware as a root-of-trust and secure its stuff. Microsoft's invasion at the hardware level has some users – especially those in the open-source community – on high alert. The concern relates to the chip being a means to lock equipment exclusively to Windows 11, shutting out other operating systems, such as Linux distros and the BSDs. Manufacturers tell us that's not the case: Pluton won't get in the way.

We provide the ability for a user to enable or disable Pluton based on their preferences in our reference BIOS
AMD integrated Microsoft's Pluton design into its Ryzen 6000 chips, which were just introduced at CES. AMD said its goal is to bring better security to Windows PCs, and users can disable Pluton on machines that follow AMD's reference firmware. "AMD respects user choice and, as is typical with many other security technologies, we provide the ability for a user to enable or disable Pluton based on their preferences in our reference BIOS," an AMD spokeswoman told The Register. Pluton does not restrict Linux installation, and is a security component for Windows deployments, the spokeswoman added. "AMD Ryzen 6000 Series processors support Linux. AMD has closely collaborated with Canonical (Ubuntu) and Red Hat to certify and optimize OEM designs with their operating systems," she said. Microsoft poaches Apple chip expert for custom silico Windows giant seeks Pluton-ic relationship with chipmaker: AMD first out of the gates with Microsoft's security processor Windows 11 in detail: Incremental upgrade spoilt by onerous system requirements and usability mis-steps Microsoft brings Trusted Platform Module functionality directly to CPUs under securo-silicon architecture Pluton Lenovo at CES announced ThinkPads powered by the aforementioned AMD Ryzen chips, and these laptops will ship without Pluton turned on.

"Pluton will be disabled by default on 2022 Lenovo ThinkPad platforms. Specifically the Z13, Z16, T14, T16, T14s, P16s and X13 using AMD 6000-series processors. Customers will have the ability to enable Pluton themselves," a Lenovo spokesperson told The Register. An Intel spokesman told The Register its latest Alder Lake PC processors will run Linux, and that its chips already include a Pluton-equivalent called Intel Platform Trust Technology. This is a TPM 2.0 compatible component. Pluton is designed for Windows, and using it with Linux "is currently an unsupported scenario," a Microsoft spokesperson told The Register. "Pluton is a hardware security technology that could be used by various OS components similar to how OS code can choose to use the TPM. Linux already has support for TPMs today, however Microsoft’s current focus is ensuring an optimal experience for Windows 11," the IT giant's PR team explained in an email.

To be sure, Apple and Google have homegrown security processors in their own devices. Microsoft largely collaborates with chip makers to tune processors for Windows, though Pluton marks a milestone in Microsoft's growing efforts to develop custom silicon. In this case, getting a TPM-like unit within microprocessors rather than, or in addition to, TPM hardware present in the motherboard chipset. It's up to PC makers to make this opt in or opt outPluton can act as a TPM baked onto the processor die, where it can secure the storage of keys and other sensitive information, and check the integrity of the running Windows system, while keeping its communication signals with the main CPU cores away from prying eyes and private within the same processor package. In other words, the integration should prevent TPM-CPU bus traffic from being physically sniffed and decoded. Or rather, that's the sales pitch.

Pluton for PCs evolved from security mechanisms in the Xbox console family and the Azure Sphere IoT platform. Microsoft has said Pluton provides "chip to cloud" security, with firmware updates coming through Windows Update. "Pluton for Windows computers will be integrated with the Windows Update process in the same way that the Azure Sphere Security Service connects to IoT devices," Microsoft said in a blog entry describing the tech. Microsoft has demonstrated that Pluton could be built into IoT systems based on Linux. But the Xbox roots of Pluton has netizens worried about it being some kind of DRM or copy protection tool. Microsoft has argued Pluton is more of a building block to address the long-standing problem of securing Windows PCs from bad actors. PC makers can choose to ship computers with Pluton turned off, and the technology does not verify the signature of bootloaders, Microsoft PR said. The security processor can be configured to act as a TPM, or used in a non-TPM scenario, or disabled. Microsoft told The Register it is interested in helping customers secure their open-source environments, giving the example of a proposal and shared code for a new Linux Security Module to authorize code execution by policy.

Well that's nice to know... not as bad as I thought.

[Marco]

It doesn't seem that bad, at least on AMD.

// EntryValue[36] = 1: Disable, HSP core is disabled then PSP will gate the HSP clock, no further PSP to HSP commands. System will boot without HSP.

With a gated clock it's going to do bugger all, that's as turned off as turned off gets.

[tggzzz]

Will you still be able to dual-boot Windows and Linux?

Will you still be able to easily dual-boot Windows and Linux without having to change BIOS/UEFI/etc settings?

Will you still be able to run Windows guest inside a Linux host VM?

[PKTKS]

We will be forced to PAY the chip and the bundles... and if if if 
.. things will actually work with that crap inside

Essentially a NEW MS FEE

Paul