Pluton is a big deal for Microsoft because it is at the centre of the security capabilities for Windows 11, providing protection in the boot, identity, credential protection and encryption processes.
Pluton is a security processor architecture designed to store sensitive data like encryption keys securely with hardware that's integrated into the die of a device's processor. This makes access more difficult for attackers, even if they have physical possession of a device. With Pluton being on the die of the device's System on a Chip (SoC), potential attack surfaces, like bus interfaces that pass data between the SoC and other components on a motherboard, are not exposed.
Microsoft named Intel as its first partner for the Pluton security processor, but it is also working with AMD and Qualcomm. The Pluton design was first integrated as a DRM feature in its Xbox One game console, which has been based on AMD chips since 2013.
"Pluton will leverage advanced hardware capabilities while built-in security countermeasures from PAC [Pointer Authentication Codes] protect against common exploit patterns to help customers strengthen their device security posture," Weston said.
The other advantage of Pluton-powered PCs is that users will get firmware updates that Microsoft has verified on a predictable timeline, just like its Patch Tuesday updates on the second Tuesday of each month.
"You're getting better protection against physical attacks, you're getting Microsoft verification of firmware to stop some of the new firmware attacks, and we're going to update this thing every month just like it's Patch Tuesday," Weston previously told ZDNet.
Arm pointer authentication (PAC) will protect boot processes and bus interfaces that pass data between the Qualcomm chip and other components on a motherboard, and the Pluton processor's firmware will be kept up to date through Windows Update.
So, Pluton-capable laptops won't necessarily spell the end of firmware updates from multiple hardware manufacturers, but at least this particular piece of hardware won't depend for delivery on anyone but Microsoft.
Weston argues it could also mitigate so-called return-oriented programming (ROP) attacks, which are dangerous and common enough that Intel has developed hardware-based security answers to thwart them. Pluton brings similar protections against ROP attacks to Arm systems.
"With Windows 11 on the Snapdragon 8cx Gen 3, the ARM pointer authentication hardware capability provides similar robust mitigation against exploits that leverage return-oriented programming (ROP) or stack modification techniques on ARM-based Windows systems," Weston said in the blog post.
"Windows binaries are compiled with Pointer Authentication Code instructions, injecting a hash (the PAC) for return addresses at function prologue and verifying the hash immediately before function return to verify that the return address has not been tampered with. Windows 11 utilizes the Snapdragon 8cx Gen 3 hardware schemes to generate and verify the PAC to provide resilience against attacks that overwrite the intended return address. This helps to break a common technique attackers use to try to execute malicious code," he said.
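To make the sign-at-prologue / verify-before-return scheme in the quote concrete, here is an added Python model (not code from the article, Microsoft or Qualcomm). It mirrors how Arm's PACIASP/AUTIASP instructions use the stack pointer as a modifier and tuck the PAC into the unused upper bits of a 48-bit virtual address; the HMAC stand-in for the hardware's QARMA function, the 16-bit PAC width and the key/function names are assumptions.

```python
"""Toy model of Arm pointer authentication (PAC) applied to saved return addresses."""
import hashlib
import hmac
import secrets

VA_BITS = 48                    # assumed 48-bit virtual addresses
PAC_BITS = 64 - VA_BITS         # PAC occupies the remaining 16 upper bits
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


class PacKey:
    """Stand-in for the per-process instruction key (APIA); never visible to software."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(16)

    def _pac(self, ptr, modifier):
        # The real hardware uses QARMA; HMAC-SHA256 truncated to PAC_BITS is an assumption.
        msg = (ptr & VA_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:2], "little") & PAC_MASK

    def sign(self, ptr, modifier):
        """Models PACIASP in the prologue: embed the PAC in the pointer's upper bits."""
        return (ptr & VA_MASK) | (self._pac(ptr, modifier) << VA_BITS)

    def authenticate(self, signed_ptr, modifier):
        """Models AUTIASP in the epilogue: return the plain pointer, or None on mismatch
        (real hardware faults or yields a deliberately invalid pointer instead)."""
        ptr = signed_ptr & VA_MASK
        if (signed_ptr >> VA_BITS) != self._pac(ptr, modifier):
            return None
        return ptr


def call_and_return(key, return_addr, stack_ptr, overwrite=None):
    """Simulate one call: sign LR on entry, optionally corrupt the saved slot, verify on return."""
    saved_lr = key.sign(return_addr, stack_ptr)       # prologue: PACIASP, then store to stack
    if overwrite is not None:
        saved_lr = overwrite                           # stack corruption replaces the saved LR
    return key.authenticate(saved_lr, stack_ptr)       # epilogue: load from stack, AUTIASP, RET
```

A forged return address lacking the right PAC, or a signed pointer replayed in a different frame (different SP modifier), fails the check, which is the property that breaks ROP-style control-flow hijacking.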