Is it a concern?
Do you think governments/Microsoft will get capability to remotely access your PC?
No, Pluton is Microsoft’s secure processor along the lines of Google’s Titan chips or Apple’s Secure Enclave Processor. It’s basically just an attempt to improve the security of Windows machines.
Microsoft have put out a lot of scattered blog posts and things like that discussing it. It’s pretty cool, and I think it represents a big step up from TPM 2.0, for supported machines anyway.
It’s never been clear to me whether Pluton is hardware or firmware. Microsoft’s marketing materials are vague. On Qualcomm Snapdragon platforms Pluton is a virtual secure element enabled by Secure Processing Unit firmware. Anyway this is a nice brief summary in response to a FUD-ish article about Pluton that is informative.
It’s a separate hardware chip inside the SoC.
In addition to a dedicated microcontroller, ROM, and SRAM, Pluton has its own security-focused hardware—for example, a random number generator (RNG), accelerators for cryptographic algorithms such as hashing (SHA-2), symmetric encryption (AES), asymmetric encryption (RSA and ECC), and others. This helps ensure that security-sensitive operations such as creating and using cryptographic keys happen within the Pluton hardware boundary and cannot be accessed or interfered with by the main CPU.
The Qualcomm Secure Processing Unit is a separate chip inside the SoC as well. Pluton isn’t an fTPM since those are vulnerable to attacks on the CPU. It’s trying to avoid the vulnerabilities of firmware TPMs while also avoiding bus sniffing attacks against hardware TPMs.
Does it have its own network stack? Is it like Intel ME?
If it has access to the network interface then there is potential for abuse.
It is one thing to trust Intel with its ME, but Microsoft is a waaay more untrustworthy company.
Unlikely, the point is just that it handles cryptographic operations and things like that. These chips are meant to be very minimal to avoid unnecessary attack surface.
ME isn’t really a similar thing at all; think a TPM but on steroids.
I didn’t realise the material you had posted was very recent (from 2025!). I think the relevant section (and source of my confusion) is actually quoted below:
- The AMD Ryzen™ 6000 Series pioneered Pluton capabilities, and customers can learn more about the hardware from its recently secured FIPS 140-3 certification. Copilot+ PCs launched this year on the AMD Ryzen™ AI 300 Series also include Pluton support.
- Intel® Core™ Ultra processors (Series 2) for Copilot+ PCs include the Intel® Partner Security Engine (IPSE). This supports Pluton capabilities with hardware-based security isolation from the CPU and within the SoC.
- Copilot+ PCs powered by the Snapdragon® X Series are equipped with the Qualcomm® Secure Processing Unit (SPU), which allows Pluton functionality to be implemented as secure apps running in an independently high-assurance security enclave. Learn more about Snapdragon processors.
The last paragraph in particular seems to line up with Qualcomm’s public product materials and public discussion. So most likely software still for Qualcomm, probably software for Intel, but hardware for AMD. Qualcomm were early adopters for Pluton so it is strange they haven’t moved on to custom hardware yet.