The first Arm-based laptops with Microsoft’s Pluton security co-processor have arrived in the form of Lenovo’s new ThinkPad X13s, which features Qualcomm’s latest Snapdragon 8cx Gen 3 chipset.
Microsoft started talking about its Pluton dedicated security chip in November 2020 and predicted it would take a few years to arrive in PCs. In January 2022, the company announced Pluton would come with Lenovo’s AMD Ryzen-6000 ThinkPad Z series laptops; now Pluton is coming to Lenovo’s newest laptop with an Arm-based mobile chipset from Qualcomm.
Lenovo’s AMD laptops with Pluton will ship in May, while the ThinkPad X13s with the Pluton processor was just announced at Mobile World Congress (MWC) and will be available in April from $1,099 in the US through AT&T and Verizon, according to ZDNet’s sister site CNET. Both laptops are aimed at the business market.
Pluton is a big deal for Microsoft because it is at the centre of the security capabilities for Windows 11, providing protection in the boot, identity, credential protection and encryption processes.
Pluton is a security processor architecture designed to store sensitive data like encryption keys securely with hardware that’s integrated into the die of a device’s processor. This makes access more difficult for attackers, even if they have physical possession of a device. With Pluton being on the die of the device’s System on a Chip (SoC), potential attack surfaces, like bus interfaces that pass data between the SoC and other components on a motherboard, are not exposed.
Microsoft named Intel as its first partner for the Pluton security processor, but it was also working with AMD and Qualcomm. The Pluton design was first integrated as a DRM feature in its Xbox One game console, which been based on AMD chips since 2013.
Microsoft’s director of enterprise and OS security, Dave Weston, details some of the work on hardware and security that’s gone into the collaboration in a blogpost.
“Pluton will leverage advanced hardware capabilities while built-in security countermeasures from PAC [Pointer Authentication Codes] protect against common exploit patterns to help customers strengthen their device security posture,” Weston said.
The other advantage of Pluton-powered PCs is that users will get firmware updates that Microsoft has verified on a predictable timeline, just like its Patch Tuesday updates on the second Tuesday of each month.
“You’re getting better protection against physical attacks, you’re getting Microsoft verification of firmware to stop some of the new firmware attacks, and we’re going to update this thing every month just like it’s Patch Tuesday,” Weston previously told ZDNet.
The Arm pointer protection (PAC) will protect boot processes, bus interfaces that pass data between the Qualcomm chip and other components on a motherboard, and will keep the Pluton processor’s firmware up to date through Windows Update.
So, Pluton-capable laptops won’t necessarily spell the end of firmware updates from multiple hardware manufacturers, but at least this particular piece of hardware won’t depend for delivery on anyone but Microsoft.
Weston argues it could also mitigate so-called return-oriented programming (ROP) attacks, which are dangerous and common enough that Intel has developed hardware-based security answers to thwart them. Pluton brings similar protections against ROP attacks to Arm systems.
“With Windows 11 on the Snapdragon 8cx Gen 3, the ARM pointer authentication hardware capability provides similar robust mitigation against exploits that leverage return-oriented programming (ROP) or stack modification techniques on ARM-based Windows systems,” Weston said in the blog post.
“Windows binaries are compiled with Pointer Authentication Code instructions, injecting a hash (the PAC) for return addresses at function prologue and verifying the hash immediately before function return to verify that the return address has not been tampered. Windows 11 utilizes the Snapdragon 8cx Gen 3 hardware schemes to generate and verify the PAC to provide resilience against attacks that overwrite the intended return address. This helps to break a common technique attackers use to try to execute malicious code”, he said.