Inside Pluton -- Microsoft's security processor that's coming to a PC near you soon

Microsoft first announced its Pluton security processor as far back as 2020 and more recently has said it will be enabled by default on all Copilot+ PCs as part of the company's commitment to Secure by Design.

Today the company is releasing more details about Pluton and how it operates. Operating directly on dedicated hardware on the CPU system-on-chip (SoC), Pluton helps provide additional protection for sensitive assets like credentials and encryption keys, using a combination of hardware, firmware and software.

Pluton also receives its firmware and feature updates directly from Microsoft, simplifying management and delivering the latest, ongoing protection to help defend against current and future threats while adhering to safe rollout and deployment practices.

Microsoft has recognized that customers are expecting to use their devices for longer and want reliable updates across their lifetime. Pluton is therefore built on a memory-safe platform that allows the security processor to be updated and remain more resilient against the rapidly changing threat landscape, while maintaining performance into the future.

The open source Rust-based Tock OS kernel is used as the foundation for Pluton, so customer-facing functions, such as the Trusted Platform Module firmware on supported platforms, are implemented as a Tock user-mode app on top of the Tock kernel.

Pluton can be used as a security processor alongside a discrete TPM 2.0 device. It can also be configured as a TPM 2.0 on supported systems. OEMs have the option to use Pluton as the TPM for the system or to expose UI in the BIOS settings on the device that allows the customer to choose Pluton or another TPM option, if present, for their device.

Copilot+ PCs on AMD Ryzen AI and Intel Core Ultra processors (Series 2) are the first Pluton platforms to be released with the new Rust-based core. Future developments will include enabling Pluton as a key storage provider. Nazmus Sakib, principal product manager lead, writes on the Microsoft blog, "We're committed to adding new software functionality that extends Pluton security features, providing the latest protection from the evolving threat landscape. The first addition will be a key storage provider (KSP) for Pluton that is enabled even if Pluton is not the configured TPM. This will make Pluton's cryptography capabilities available to the Windows system and applications using APIs that are familiar to Windows developers."

You can find out more about Pluton on the Microsoft blog.

© 1998-2025 BetaNews, Inc. All Rights Reserved.