Lenovo Will Not Enable Microsoft’s Pluton Processor by Default

Posted on January 24, 2022 by Paul Thurrott in Hardware, Microsoft, Mobile, Windows 11 with 15 Comments

Lenovo recently announced that it would be the first hardware maker to ship PCs with Microsoft’s Pluton security chipset. But now it says that it will not enable this functionality by default.

“Pluton will be disabled by default on 2022 Lenovo ThinkPad platforms,” a Lenovo spokesperson told The Register. “Specifically, the ThinkPad Z13, Z16, T14, T16, T14s, P16s, and X13 using AMD 6000-series processors. Customers will have the ability to enable Pluton themselves.”

You may not be surprised to discover that Pluton is triggering the same angst, in some circles, as Microsoft’s decision to require that PC makers include a Trusted Platform Module (TPM) 20 years ago. At that time, open-source advocates, in particular, complained that the real aim of this effort was to keep Linux off of PCs. Today, we’re hearing similar complaints.

“Linux is currently an unsupported scenario [for Pluton],” a Microsoft spokesperson told The Register. “Pluton is a hardware security technology that could be used by various OS components similar to how OS code can choose to use the TPM. Linux already has support for TPMs today. However, Microsoft’s current focus is ensuring an optimal experience for Windows 11.” My, how history repeats itself.

The good news? PC buyers can disable Pluton, even when it ships enabled on a PC.

“AMD respects user choice and, as is typical with many other security technologies, we provide the ability for a user to enable or disable Pluton based on their preferences in our reference BIOS,” an AMD statement notes. “AMD Ryzen 6000 Series processors support Linux. AMD has closely collaborated with Canonical (Ubuntu) and Red Hat to certify and optimize OEM designs with their operating systems.”

Intel, which had previously agreed to include the Pluton chipset, said only that its latest “Alder Lake” series chipsets already have a Pluton equivalent in its TPM 2.0-compatible Intel Platform Trust Technology, and that these PCs will, of course, run Linux too.

There are two key differences between Pluton and TPM. One, it is placed inside the System on a Chip (SoC), helping prevent attacks on the path between the security chipset and the CPU. And two, it’s designed by Microsoft. Which, again, is the problem in certain circles.

Tagged with ,

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (15)

15 responses to “Lenovo Will Not Enable Microsoft’s Pluton Processor by Default”

  1. huddie

    Any sense that Microsoft might be planning to open Pluton spec up to Linux ?

  2. mog0

    So will Linux not work with Pluton enabled or is this move just to placate the paranoid brigade who said TPM and then secure boot would block users from using linux (which it didn't).

    • Paul Thurrott

      Linux isn't (yet?) compatible with Pluton. But you can disable Pluton if you want to use Linux on that PC.
  3. bluvg

    “Alder Lake” series chipsets already have a Pluton equivalent in its TPM 2.0-compatible Intel Platform Trust Technology

    That doesn't sound equivalent at all. Putting this type of security mechanism in the SoC itself should make systems more resilient to things like the recent MoonBounce malware.

  4. martinusv2

    Can this affect WSL2?

  5. mikegalos

    Yes, history IS repeating itself. Microsoft is supporting increased security and Linux advocates, being behind, pretend that they care about "openness" but, oddly, don't have any problem with "openness" once they catch up and support the offending technology. Note how they don't have a problem with TPM now where it used to be the Devil's handiwork.

    • MoopMeep

      I’ve been told that open source software like linux is better than closed source windows. Since its open source you have many people who have access to the linux source code and things get fixed fast when issues come up. I expect in the next few hours that support for pluton will be added to linux because of this……

      • mefree

        Open source is absolutely not more secure than closed source simply because of the nature of open source. Let me put it this way. If you build a fortress, then publish the blueprints for everyone to have, do you think that makes your fortress more secure, or less secure because now any potential attacker can see your entire blueprint to look for weaknesses? It also reminds me of the argument that 'Macs don't get viruses' that people used to make. Macs weren't more secure, it's just that Mac didn't have the market share to be worth the time to write viruses for. That has been changing obviously, but the same can be said for linux, at least on the consumer side of things.

  6. mattbg

    I can't be the only one that is confused.

    Microsoft has a fTPM specification. They also have Pluton which they have referred to in some communications as a "processor design". Is it actually a processor, or just a reference implementation?

    Intel and AMD implement fTPM either via a dedicated security processor (AMD) within the CPU package or Platform Trust Technology (Intel) - I am not clear how PTT is implemented, but I believe it's in the chipset, so not on-CPU (?).

    Intel is suggesting they will implement a solution compatible with Pluton, like they did for fTPM when they called it PTT. This makes sense if Pluton is just a reference implementation.

    So, what is Pluton? Can I actually point to a chip that is called Pluton? Or could it be any chip that implements some reference model called Pluton?

    Do I have any of this wrong?

    • ezzy

      Yes and no. I'm not sure exactly, but I believe 7th gen Intel had to use a TPM module (chipset) Depending on the vendor this module may or may not be included or it may require an aftermarket purchase, but the chipset specification required at least a header for it.

      8th Gen and later Intel CPU's had the TPM module included in the chip. So I have a 9th gen Intel processor with the included TPM module, but my motherboard has a slot to put an aftermarket TPM module in case I was using the board with an older processor.

  7. WaltC

    I have no problem with AMD's CPU protection. Pluton is in addition to AMD's terrific integrated security processor already in the Zen2/3/+/4 CPUs. In this day of malicious root kits and other nefarious software, I'd feel foolish about turning it off!

  8. F4IL

    Given that Pluton is a Windows specific design and a closed one at that, it makes sense to provide a kill switch and enable installing additional operating systems like Linux / BSD. It remains to be seen if and when msft formally release a spec to support other systems.

  9. geoff

    If Pluton can be disabled, it's not really a security solution, is it?

    • sean8102

      I guess if someone has physical access to your PC? Then they go into the BIOS and switch it off. Otherwise, how are they going to turn it off? The only way it can be enabled/disabled is in the BIOS.