From the horse’s mouth
Most recently-built desktop and laptop regular computers that run Windows, especially business-focused machines offered by big brands, implement a secure element known as the Trusted Platform Module. This is where encryption keys for functions like BitLocker, Windows Hello or Windows-based password vaults are kept. But this is kept as a separate chip on the computer’s motherboard in most cases.
But Microsoft are taking a different approach to providing a secure element on their Windows-based regular-computer platform. Here, this is in the form of keeping the Trusted Platform Module on the same piece of silicon as the computer’s main CPU “brain”.
Microsoft initially implemented a security-chip-within-CPU approach with their XBox platform as a digital-rights-management approach. Other manufacturers have implemented this approach in some form or another for their computing devices such as Samsung implementing in the latest Galaxy S smartphones or Apple implementing it as the T2 security chip within newer Macintosh regular computers. There is even an Internet-of-Things platform known as the Azure Sphere which implements the “security-chip-within-CPU” approach.
This approach works around the security risk of a person gaining physical access to a computer to exfiltrate encryption keys and sensitive data held within the Trusted Platform Module due to it being a separate chip from the main CPU. As well, before Microsoft announced the Pluton design, they subjected it to many security tests including stress-tests so that it doesn’t haunt them with the same kind of weaknesses that affect the Apple T2 security chip which was launched in 2017.
Intel, AMD and Qualcomm who design and make CPUs for Windows-based regular computers have worked with Microsoft to finalise this “security-chip-within-CPU” design. Here, they will offer it in subsequent x86-based and ARM-based CPU designs.
The TPM application-programming-interface “hooks” will stay the same as far as Windows and application-software development is concerned. This means that there is no need to rewrite Windows or any security software to take advantage of this chipset design. The Microsoft Pluton approach will benefit from “over-the-air” software updates which, for Windows users, will come as part of the “Patch Tuesday” update cycle.
More users will stand to benefit from “secure-element” computing including those who custom-build their computer systems or buy “white-label” desktop computer systems from independent computer stores.
As well, Linux users will stand to benefit due to efforts to make this open-source and available to that operating-system platform. In the same context, it could allow increasingly-secure computing to be part of the operating system and could open up standard secure computing approaches for Linux-derived “open-frame” computer platforms like Google’s ChromeOS or Android.
Here, the idea of a secure element integrated within a CPU chip die isn’t just for digital-rights-management anymore. It answers the common business and consumer need for stronger data security, user privacy, business confidentiality and operational robustness. There is also the goal of achieving secure computing from the local processing silicon to the cloud for online computing needs.
Microsoft hasn’t opened up regarding whether the Pluton trusted-computing design will be available to all silicon vendors or whether there are plans to open-source the design. But this could lead to an increasingly-robust secure-element approach for Windows and other computing platforms.