←back to thread

The Dangers of Microsoft Pluton

(gabrielsieben.tech)
733 points gjsman-1000 | 1 comments | 26 Jul 22 03:46 UTC | HN request time: 0.287s | source
Show context
mjg59 ◴[26 Jul 22 16:48 UTC] No.32240713[source]
This is not a good article. At a technical level it's confused about a whole bunch of things:

* SMM has been part of x86 for decades. The Secured Core requirements around SMM actually reduce its power.

* The claimed requirement to remove the third party UEFI CA certificate from 2022 Secured Core PCs is entirely unrelated to Pluton (it's required regardless of whether Pluton is enabled or not, and even whether the CPU has Pluton or not)

* Most of the description of Pluton is actually a description of a TPM. You don't need DICE for remote attestation. TPMs are already a hardware keystore.

* System firmware is already being updated via Windows Update. The discussion about Pluton and Windows Update is around Pluton getting firmware updates that way (the existing story around firmware updates for TPMs is largely not good)

* Existing TPM-based remote attestation already includes the secure boot state

The short version: everything that the article is worried about being enabled by Pluton is already possible, and has been for years.

But there's a meaningful point here. Remote attestation can certainly be used to restrict access to resources in ways that are incompatible with general purpose computing, or which reduce user choice. Remote attestation can also be used to give end users confidence that their machine is in a good state without constraining what they do with it. As a technology, remote attestation can be used in both good and bad ways. We do need to keep track of whether anyone is threatening to use it in bad ways and react appropriately.

(But tbh remote attestation as an attack on general purpose computing isn't the really scary thing about widespread remote attestation. Remote attestation ties back to the TPM's endorsement key, an immutable cryptographic key certified by the TPM vendor at manufacturing time. The straightforward implementation of allowing arbitrary remote sites to trigger remote attestation would tie all of these accesses back to a single piece of hardware, and would be a privacy nightmare.)

replies(4): >>32240944 #>>32242883 #>>32245326 #>>32253456 #
userbinator ◴[26 Jul 22 23:26 UTC] No.32245326[source]
Arguing about the technicalities DOES NOT MATTER one bit about what the final outcome will be, and in fact appears to be a carefully calculated means of distraction.

everything that the article is worried about being enabled by Pluton is already possible, and has been for years.

There's a HUGE difference between "possible" and "very easy to deploy". https://news.ycombinator.com/item?id=29859106

replies(1): >>32245601 #
mjg59 ◴[27 Jul 22 00:13 UTC] No.32245601[source]
There's literally zero difference in how easy it is to deploy using Pluton and using existing TPMs.
replies(1): >>32245681 #
gjsman-1000 ◴[27 Jul 22 00:30 UTC] No.32245681[source]
This is partly true but its not quite. Think a little long-term here. Windows 10 ends support in just three years, in 2025. Windows 11 requires TPM 2.0, which was a big headache when Windows 11 was announced.

That means in three years, every supported PC will have TPM 2.0. Within ~1 year, assuming that Intel and AMD fulfill what they've implied in the launch announcement, every new PC will also come with Pluton.

That's a lot easier to deploy to compared to having some PCs with TPM, others without, some out-of-date on TPM 1.1, some with unpatched firmware (like the 2017 Infineon bug), so forth.

Now... some say, what about non-Windows systems, like macOS and Chrome? Think bigger for a second - Cisco (as an example) is in the Trusted Computing Group that designed a lot of this stuff, and Cisco Meraki is deployed in so many businesses for Wi-Fi security its incredible. All Cisco Meraki has to do (for example, maybe its not Cisco) is make a connection app that uses Pluton/TPM on Windows, Secure Enclave/T2 on macOS/iOS with Apple DeviceCheck, and SafetyNet on ChromeOS/Android. And you are all done - you've successfully made sure every new system is almost certainly untampered with. You've locked the door. For any system that can't be verified, no problems sending them to the IT Help Desk to be manually registered with a private key and sign a disclaimer.

It wasn't possible before, but five years from now, it will be much easier. Every Windows PC will be on the same page, and all major systems will have consistent assertion frameworks. Now, is Pluton wholly responsible? No. Windows 11 plays a role. Pluton just makes it broader and stronger, and Pluton also provides a long-term strengthening as eventually the TPM 2.0-only level will be able to be cut off for just Pluton.

replies(1): >>32245713 #
mjg59 ◴[27 Jul 22 00:37 UTC] No.32245713[source]
If your argument is "It's bad that all Windows systems will be guaranteed to have TPMs", then that's a reasonable argument to have! Everything that you're scared of here is 100% possible using TPMs (I have deployed hardware backed 802.1x certificates! I have made it impossible to get onto networks unless you have a TPM!), and Pluton doesn't change that. Making this about Pluton rather than about TPMs in general just means that people will believe they're somehow safe from the worst case outcome because they bought a CPU that doesn't have Pluton, when in reality if Microsoft decides to suddenly be extremely evil here they're going to be screwed over just as badly.
replies(2): >>32245788 #>>32245981 #
1. gjsman-1000 ◴[27 Jul 22 00:49 UTC] No.32245788[source]
At this point, even if a TPM can recreate much of Pluton's functionality, I still believe some fear regarding Pluton is still necessary and healthy, although I do not dispute that for some uses it may be useful - after all, why was my fear mongering section explicitly labeled "Fearmongering and Doomsday speculations"? Microsoft can still screw people over, but Pluton is different from a TPM and should still be (generally) regarded with caution where possible, and more caution than a standard TPM.

This is mainly because, at this point,

A. A TPM's level of access and capabilities to a system is well-known at this point. Pluton, we do not know with certainty what all of its capabilities are.

B. Microsoft has explicitly stated Pluton will have functionality added to it in the future though software updates, most likely that cannot be downgraded, that are not present yet. It's not that Pluton might have stuff added later - Microsoft has said stuff will be added later. What these upgrades entail or are capable of is also unknown.

C. Because of the above, Pluton requires a previously-unknown level of trust for Microsoft, because Pluton almost certainly has anti-downgrade procedures. Microsoft could, potentially, send out an update just blocking Linux and if Pluton received the update, it would be irreversible. Maybe this isn't within Pluton's abilities, but we just don't know. Just that Microsoft (or a hacker of Microsoft - I'm more concerned about a rogue employee than Microsoft at the moment) could have permanent effects on the security of a system is worth paying attention over.

D. Because of the reasons above, Pluton should be regarded with extra skepticism as it is a magical black box, with unknown capabilities, that it is not clear whether it can actually be disabled. (Already on my blog, there's a user talking about how Pluton briefly boots and then disables itself if the UEFI says that it should be disabled, not that it never starts, so theoretically a Pluton update could ignore its own disable switch.) I don't have verification of that, but until we know more... TPM is known, TPM can screw people, Pluton has the potential to extremely screw people over, and while many of my doomsday speculations can actually be recreated with just a TPM if TPMs are widely adopted, perhaps it could be enhanced with more Pluton-specific ones. Perhaps my doomsday predictions actually weren't far enough.

Thus, your point that Pluton doesn't add too much might be completely valid right now. That doesn't mean Pluton isn't also a potential Trojan horse that Microsoft updates as they please with new things that we didn't expect or ask for with no ability to undo them.

Edit: Removed a previous edit, and adding that, to complement the above notes, it does not help instill confidence that Microsoft isn't telling what Pluton can and cannot do at a hardware level. They've said a few things it can do right now, and just said more stuff will be coming in the future, but they won't talk about where its limits are. So... trust the black box without questions please. To be fair, this isn't the first time (Intel ME, AMD PSP?), but it is unsettling to have another one.