Lenovo recently announced that it would be the first hardware maker to ship PCs with Microsoft’s Pluton security chipset. But now it says that it will not enable this functionality by default.
“Pluton will be disabled by default on 2022 Lenovo ThinkPad platforms,” a Lenovo spokesperson told The Register. “Specifically, the ThinkPad Z13, Z16, T14, T16, T14s, P16s, and X13 using AMD 6000-series processors. Customers will have the ability to enable Pluton themselves.”
You may not be surprised to discover that Pluton is triggering the same angst, in some circles, as Microsoft’s decision 20 years ago to require that PC makers include a Trusted Platform Module (TPM). At that time, open-source advocates, in particular, complained that the real aim of this effort was to keep Linux off of PCs. Today, we’re hearing similar complaints.
“Linux is currently an unsupported scenario [for Pluton],” a Microsoft spokesperson told The Register. “Pluton is a hardware security technology that could be used by various OS components similar to how OS code can choose to use the TPM. Linux already has support for TPMs today. However, Microsoft’s current focus is ensuring an optimal experience for Windows 11.” My, how history repeats itself.
The good news? PC buyers can disable Pluton, even when it ships enabled on a PC.
“AMD respects user choice and, as is typical with many other security technologies, we provide the ability for a user to enable or disable Pluton based on their preferences in our reference BIOS,” an AMD statement notes. “AMD Ryzen 6000 Series processors support Linux. AMD has closely collaborated with Canonical (Ubuntu) and Red Hat to certify and optimize OEM designs with their operating systems.”
Intel, which had previously agreed to include the Pluton chipset, said only that its latest “Alder Lake” series chipsets already have a Pluton equivalent in its TPM 2.0-compatible Intel Platform Trust Technology, and that these PCs will, of course, run Linux too.
There are two key differences between Pluton and a TPM. One, Pluton is placed inside the System on a Chip (SoC), which helps prevent attacks on the path between the security chipset and the CPU. And two, it’s designed by Microsoft. Which, again, is the problem in certain circles.