Tag: trusted environment

Microsoft integrates the Trusted Platform Module into computer CPUs

Articles

Microsoft brings Trusted Platform Module functionality directly to CPUs under securo-silicon architecture Pluton | The Register

Microsoft reveals Pluton, a custom security chip built into Intel, AMD and Qualcomm processors | TechCrunch

Microsoft Pluton is a new processor with Xbox-like security for Windows PCs | The Verge

From the horse’s mouth

Microsoft

Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs (Blog Post)

My Comments

Most recently-built desktop and laptop regular computers that run Windows, especially business-focused machines offered by big brands, implement a secure element known as the Trusted Platform Module. This is where encryption keys for functions like BitLocker, Windows Hello or Windows-based password vaults are kept. But this is kept as a separate chip on the computer’s motherboard in most cases.

But Microsoft are taking a different approach to providing a secure element on their Windows-based regular-computer platform. Here, this is in the form of keeping the Trusted Platform Module on the same piece of silicon as the computer’s main CPU “brain”.

Microsoft initially implemented a security-chip-within-CPU approach with their Xbox platform as a digital-rights-management measure. Other manufacturers have implemented this approach in some form or another for their computing devices, such as Samsung implementing it in the latest Galaxy S smartphones or Apple implementing it as the T2 security chip within newer Macintosh regular computers. There is even an Internet-of-Things platform known as Azure Sphere which implements the “security-chip-within-CPU” approach.

This approach works around the security risk of a person gaining physical access to a computer in order to exfiltrate encryption keys and sensitive data held within a Trusted Platform Module that is a separate chip from the main CPU. As well, before Microsoft announced the Pluton design, they subjected it to many security tests including stress-tests so that it doesn’t haunt them with the same kind of weaknesses that affect the Apple T2 security chip, which was launched in 2017.

Intel, AMD and Qualcomm who design and make CPUs for Windows-based regular computers have worked with Microsoft to finalise this “security-chip-within-CPU” design. Here, they will offer it in subsequent x86-based and ARM-based CPU designs.

The TPM application-programming-interface “hooks” will stay the same as far as Windows and application-software development is concerned. This means that there is no need to rewrite Windows or any security software to take advantage of this chipset design. The Microsoft Pluton approach will benefit from “over-the-air” software updates which, for Windows users, will come as part of the “Patch Tuesday” update cycle.

More users will stand to benefit from “secure-element” computing including those who custom-build their computer systems or buy “white-label” desktop computer systems from independent computer stores.

As well, Linux users will stand to benefit due to efforts to make this open-source and available to that operating-system platform. In the same context, it could allow increasingly-secure computing to be part of the operating system and could open up standard secure computing approaches for Linux-derived “open-frame” computer platforms like Google’s ChromeOS or Android.

Here, the idea of a secure element integrated within a CPU chip die isn’t just for digital-rights-management anymore. It answers the common business and consumer need for stronger data security, user privacy, business confidentiality and operational robustness. There is also the goal of achieving secure computing from the local processing silicon to the cloud for online computing needs.

Microsoft hasn’t opened up regarding whether the Pluton trusted-computing design will be available to all silicon vendors or whether there are plans to open-source the design. But this could lead to an increasingly-robust secure-element approach for Windows and other computing platforms.

The trusted-environment concept to become a key mobile security trend

The trusted-environment concept for mobile devices

Google I/O 2014 was a chance for Google to premiere the next version of Android for smartphones and tablets, along with officially releasing Android Wear for wearables and Android variants for the car and the TV.

One feature that Google was promoting was the concept of a “trusted environment” for your Android smartphone, where you don’t have to unlock the phone with your PIN or “pattern” routine to use it in that environment. Similarly, Apple recently filed a patent to implement this same “trusted-environment” concept in their iOS devices. The applications highlighted included your home, car or workplace, and being in such an environment was determined by one or more conditions being true.

For example, a “voice unlock” routine can treat your voice as identifying a trusted user. Similarly, being connected to a particular Bluetooth watch or headset which is on and alive, or being in a particular location by virtue of association with a known Wi-Fi network segment or within range of a GPS “bearing”, could also relate to a “trusted” environment. Apple’s implementation is also about context-based behaviour such as bringing forward or disabling apps that relate to a particular environment, such as surfacing a video-on-demand app when at home or disabling apps not safe for use when driving. It could extend to bringing forward a business-specific app like a “handheld electronic menu” for your favourite restaurant or an “online concierge” for your favourite hotel.

A good question is whether this concept of the “trusted environment” could be integrated with the Internet of Everything. For example, having your mobile device near a computer or building-security device could be considered trusted as long as you had authenticated with that device within a certain timeframe and/or with a particular key such as your own keycard or code.

This concept may not be considered appropriate in locations where there is a risk of your smartphone or similar device being stolen or accessed without your knowledge or permission. Examples of this may be a workplace where public and staff-only areas aren’t clearly delineated, or a party or gathering that is happening at home. Personally, these setups also have to be about user privacy and about working totally to a user’s needs and habits.
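To make the decision logic concrete, here is an added Python sketch (my own illustration, not Google’s or Apple’s code) of how a phone could combine the signals discussed above, namely a known Wi-Fi network, a paired Bluetooth watch or headset, GPS proximity, and a recent authentication against a building or computer device, into a single “relax the lock or not” decision. It also models the caveat about risky places: a location can be flagged so that the PIN or pattern is always required there, and a stale authentication no longer counts. Every place name, network name, device address, coordinate and threshold below is a constructed assumption.

```python
"""Trusted-environment policy evaluator (added illustration, not Google's or
Apple's code).  All names, thresholds and sample signals are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import FrozenSet, List, Optional, Tuple

EARTH_RADIUS_M = 6371000.0


@dataclass(frozen=True)
class TrustedPlace:
    """A place the user has enrolled as trusted, plus the signals that identify it."""
    name: str
    wifi_ssids: FrozenSet[str] = frozenset()          # known Wi-Fi network segments
    bluetooth_devices: FrozenSet[str] = frozenset()   # paired watch/headset addresses
    latitude: Optional[float] = None                  # GPS "bearing" of the place
    longitude: Optional[float] = None
    radius_m: float = 100.0                           # how close counts as "here"
    min_signals: int = 2                              # independent conditions required
    allow_relaxed_lock: bool = True                   # False for places flagged as risky


@dataclass(frozen=True)
class DeviceSignals:
    """What the phone can currently observe about its surroundings."""
    now: datetime
    wifi_ssid: Optional[str] = None
    connected_bluetooth: FrozenSet[str] = frozenset()
    latitude: Optional[float] = None
    longitude: Optional[float] = None
    last_device_auth: Optional[datetime] = None       # e.g. keycard tap at a door
    auth_window: timedelta = timedelta(minutes=10)    # how long that tap stays valid


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two GPS fixes."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def matched_conditions(place: TrustedPlace, signals: DeviceSignals) -> List[str]:
    """Return the names of the trust conditions that currently hold for this place."""
    hits: List[str] = []
    if signals.wifi_ssid is not None and signals.wifi_ssid in place.wifi_ssids:
        hits.append("wifi")
    if place.bluetooth_devices & signals.connected_bluetooth:
        hits.append("bluetooth")
    if None not in (place.latitude, place.longitude, signals.latitude, signals.longitude):
        dist = haversine_m(place.latitude, place.longitude, signals.latitude, signals.longitude)
        if dist <= place.radius_m:
            hits.append("location")
    if signals.last_device_auth is not None:
        age = signals.now - signals.last_device_auth
        # An authentication only counts inside the agreed timeframe; clock
        # skew that puts it in the future is treated as invalid, not as fresh.
        if timedelta(0) <= age <= signals.auth_window:
            hits.append("recent_auth")
    return hits


def should_relax_lock(place: TrustedPlace, signals: DeviceSignals) -> Tuple[bool, List[str]]:
    """Decide whether the PIN/pattern can be skipped here.  Fails closed: a
    risky place or too few independent signals always keeps the lock on."""
    hits = matched_conditions(place, signals)
    if not place.allow_relaxed_lock:
        return False, hits
    return len(hits) >= place.min_signals, hits


# --- constructed sample enrolment and observations ---------------------------
NOW = datetime(2014, 6, 26, 9, 0)
WATCH = "AA:BB:CC:DD:EE:01"  # constructed Bluetooth address
HOME = TrustedPlace(
    name="home", wifi_ssids=frozenset({"home-wifi-constructed"}),
    bluetooth_devices=frozenset({WATCH}), latitude=51.5000, longitude=-0.1200,
)
# A workplace where public and staff areas mix: enrolled for app context,
# but never allowed to relax the lock screen.
FRONT_DESK = TrustedPlace(
    name="front-desk", wifi_ssids=frozenset({"office-guest-constructed"}),
    bluetooth_devices=frozenset({WATCH}), allow_relaxed_lock=False,
)
AT_HOME = DeviceSignals(NOW, wifi_ssid="home-wifi-constructed",
                        connected_bluetooth=frozenset({WATCH}),
                        latitude=51.5003, longitude=-0.1200)
WIFI_ONLY = DeviceSignals(NOW, wifi_ssid="home-wifi-constructed")
STALE_AUTH = DeviceSignals(NOW, wifi_ssid="home-wifi-constructed",
                           last_device_auth=NOW - timedelta(hours=1))
AT_FRONT_DESK = DeviceSignals(NOW, wifi_ssid="office-guest-constructed",
                              connected_bluetooth=frozenset({WATCH}),
                              last_device_auth=NOW - timedelta(minutes=2))

if __name__ == "__main__":
    for place, sig in ((HOME, AT_HOME), (HOME, WIFI_ONLY), (HOME, STALE_AUTH),
                       (FRONT_DESK, AT_FRONT_DESK)):
        relaxed, hits = should_relax_lock(place, sig)
        print(f"{place.name:10s} relax={relaxed!s:5s} signals={hits}")
```

The design choice worth noting is `min_signals`: a single spoofable signal such as a Wi-Fi network name is never enough on its own, and the `allow_relaxed_lock` flag lets a place stay enrolled for context-based app behaviour while still demanding the PIN or pattern, which is the compromise the risky-location caveat calls for.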