Dell opts out of Microsoft's Pluton security for Windows

Yet another top-tier PC maker seemingly isn't interested right now in Microsoft's vision of hardware-level security for Windows 11 systems. Dell won't include Microsoft's Pluton technology in most of its commercial PCs, telling The Register: "Pluton does not align with Dell's approach to hardware security and our most secure …

  1. ShadowSystems

    What a coincidence...

    I'll opt out of using "Microsoft security" in any sentence that doesn't involve snickering, giggles, or outright howls of derisive laughter.

    Microsoft is to security what flame throwers are to icecream cones.

    1. simonlb Silver badge
      Thumb Down

      Re: What a coincidence...

      Microsoft is to security what flame throwers are to icecream cones.

      When the slightest 'update' to a component, or the turning on or off of a feature within the OS requires you to perform a full reboot then the fundamental design of the OS is critically flawed.

    2. Anonymous Coward

      Re: What a coincidence...

      The only active use I have seen Microsoft make of security features is to further customer lock-in and to prevent any rival operating systems from installing. Forcing OEMs to lock down UEFI was clearly enough of a warning to manufacturers not to fall for that twice.

      If they put half as much money as they put into wining and dining competence-free decision makers and anti-competitive efforts into really securing Windows I think most ransomware gangs would already be out of business.

  2. Paul Crawford Silver badge

    So basically this is all about DRM?

    1. Anonymous Coward

      No, DRM in the usual sense is only part of it. It's also about restricting what software you can run on your own computer, making that software more opaque and more difficult to replace, and limiting your ability to use third-party data services. The end goal is the same one Microsoft have always had: total end-to-end control of and visibility into everything everyone does on any computer anywhere, with the ability to monetise all of it for themselves.

      1. GidaBrasti

        Ahem... isn't

        "...total end-to-end control of and visibility into everything everyone does on any computer anywhere, with the ability to monetise all of it for themselves..."

        what Apple has been doing right from the start?

        Absolutely despicable practice, but Microsoft didn't invent the stuff.

        1. Anonymous Coward

          Weirdly, most of what I have running on MacOS and iOS (whose most irritating feature is the messed up cAPitalisation, but I digress) speaks Open Standards and happily integrates with all sorts of backends .. unless, unsurprisingly, they're made by Microsoft which always seems to require extra hoops to jump through. Crapware like Exchange doesn't even talk caldav or carddav.

          Also, the music I buy from them is unlocked - they made that decision years ago.

          Where it does still play to a maddening degree is their app stores which are country locked to the point that you cannot even buy something unless your means of payment are registered in that country which clearly demonstrates that their mindset is still firmly locked in that American box - Europeans travel and move much more across borders, but their App Stores have yet to catch up with that.

        2. Anonymous Coward

          Never said Microsoft invented this, only that it's their goal. At the same time, you need to be careful about what "right from the start" means with respect to Apple. Pre-1997 Apple didn't look anything like modern Apple and did not share Microsoft's objectives. By the time Jobs returned via NeXT, Apple had become completely irrelevant and was more or less out of business. Only in the post-1997 (and really post-iPhone) era has Apple started to look and act more like Microsoft. By 1997, Microsoft had been an entrenched monopolist for almost 20 years and was firmly established as the standard-bearer for misbehaviour in the technology industry. So while I agree that Microsoft didn't invent this kind of behaviour or business objectives, it certainly preceded Apple to them by a considerable margin. That's just history, though; what matters is how they're behaving today.

    2. Pascal Monett Silver badge

      Borkzilla is all about DRM

  3. Robin Bradshaw

    It's a silicon feature not a vendor addon

    How would Dell opt in to using Pluton security? Start fabbing their own custom Intel chips with a Pluton processor added?

    1. Anonymous Coward

      @Robin Bradshaw - Re: It's a silicon feature not a vendor addon

      If I'm not mistaken, Dell still has control of the firmware so it can activate this "feature" or not. Or make it opt-in for end-users.

      Let's not forget, for a long time Dell was the only big PC manufacturer who was not afraid to offer Linux preinstalled on their PCs.

      1. Falmari Silver badge

        Re: @Robin Bradshaw - It's a silicon feature not a vendor addon

        @AC "If I'm not mistaken, Dell still has control of the firmware so it can activate this "feature" or not. Or make it opt-in for end-users."

        From article:-

        "Reading between the lines: Dell isn't shipping PCs with processors featuring Pluton, and so it's not in a position, or interested in being in a position, to be onboard with the tech."

        Dell can't activate what is not there as Pluton is not on the processors.

      2. Tom 7

        Re: @Robin Bradshaw - It's a silicon feature not a vendor addon

        Let's not forget, for a long time Dell was the only big PC manufacturer who was not afraid to offer Linux preinstalled on their lower specced PCs.

    2. Anonymous Coward

      Re: The two faces of Pluton... external facing switch and internal facing switch.

      Worth stating that while vendors can turn Pluton on and off, via their own UEFI firmware interface, what's to say Pluton doesn't have another internal facing switch within the Intel processor itself (Intel's own management engine for instance) so in effect Intel's management engine can enable and disable Pluton at will (and importantly update the microcode), for its own purposes, separate from the UEFI firmware.

      And if Pluton is anything like today's 2022-03 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5011487), that resulted in a kernel fault, and 'full on' meltdown this morning, I would actively avoid any new laptop with this technology on board. To those that haven't yet installed 2022-03 Cumulative Update, worth pausing updates if you can.

      Microsoft's testing regime, is now pretty much "just throw it out there, see what sticks".

      Clunky 'bag of rusty nails' Windows Update is more than enough, in terms of showing how bad Microsoft is at providing updates, we don't need another (lack of) Microsoft provided firmware to obsolete machines, in the same way they are doing with Windows 11.

      Dell seems to have come to the same conclusion, Pluton is not a selling point, it's an active reason for consumers to avoid Dell products, if this feature is permanently enabled by default. Commendable that Dell have taken the side of their customers and used some due diligence.

      Pluton is a massive 'power grab', and should be resisted at all costs, there are better ways to do security where you remain in control, and if Microsoft get this wrong, and history shows they will, it will be outside your control and nothing you can do when the shit hits the fan.

      Basically, another attack vector, along with the borked Intel Management Engine, in the same way 'Extensible' has started to be seen in terms of the UEFI.

      1. Falmari Silver badge

        Re: The two faces of Pluton... external facing switch and internal facing switch.

        @AC Just two small problems with your post.

        Intel cannot have a secret way to turn on Pluton on their processors because Pluton is not on their processors.

        Dell not enabling Pluton does not mean they have come to any conclusions. Neither is it worthy of the commendation that Dell have taken the side of their customers.

        Because Dell can't activate what is not there and Pluton is not on the processors.

        1. Anonymous Coward

          Re: The two faces of Pluton... external facing switch and internal facing switch.

          OK, I have jumped the gun a little, projecting this scenario, in terms of right now.

          Have to say, I took Intel's announcement, "Intel's 12th Gen platforms do not support Pluton," within the context of Intel's custom dynamic mix'n'match fabrication plans, going forward, based on vendors' needs, in a subtly different way in what it didn't say. 'Does not support Pluton', doesn't say it couldn't. After all, Pluton is essentially an updatable, modifiable software based implementation controlled and updated by Microsoft, based on a form of Linux.

          12th-generation Core family code-named Alder Lake, Intel has stated (according to reports) that it is using its own Platform Trust Technology for Alder Lake. What Intel didn't make clear is whether the coprocessor was present and dormant on the die (or could be added with mix'n'match fabrication processes for certain vendors), and/or just not implemented in terms of software.

          In much the same way that Apple had never spoken about the hardware/software virtualisation* + internal bus within the M1 Processor that allowed multiple chip dies to be fused together to form the M1 Ultra before yesterday. So what else have Apple not talked about regarding the M1, because there is clearly a narrative developing there with hiding things.

          None of this offers any reassurance in terms of security, because much of it is hidden from view, and anything that operates below the radar can be used to circumvent Democracy in all its forms. That's the key message people should take from this, it's no different to having 'malware' operating on their terms, malware controlled by those providing the technologies here.

          *(so it's seen as a single processor/single continuous memory architecture, it appears to be implementing core technologies similar to Tidalscale to do this). It will be interesting to see if they have licenced those technologies/patents or are working around them.

          1. Falmari Silver badge

            Re: The two faces of Pluton... external facing switch and internal facing switch.

            @AC "OK, I have jumped the gun a little, projecting this scenario, in terms of right now."

            Yes just a little, but you are right Intel could easily add Pluton to their next processor after all they helped develop it.

            "Microsoft launched to much fanfare its Pluton security layer for PCs in 2020 after developing it with Intel, AMD, and Qualcomm."

            But it is very unlikely Intel have a Pluton coprocessor present and dormant on the die as they have gone with their own TPM coprocessor on Alder Lake.

            1. Anonymous Coward

              Re: The two faces of Pluton... external facing switch and internal facing switch.

              But as said, there are several ways to interpret what has been said so far, and if we are talking Microsoft Windows and PCs then for all that matters in terms of numbers, Intel is the only game (processor) in town.

              So discussing how the Pluton could potentially have an internal interface (used by the processor, looking ahead - Intel) and an external interface accessible by vendors, is valid comment. Everything else is a distraction about whether it's there or not, currently within the die or not.

              We just don't know if Pluton does or doesn't (have such a dual interface), and that's my point. How can it be seen as 'security' and not seen as more specifically DRM, (as it is used for in the XBOX), when we haven't a clue what's going on below the radar, in terms of what Pluton is doing, or importantly if extended, what it has the potential to do. In effect, Pluton is a moving target, that can morph into anything it wants to be.

              Zero Trust, remember, and that includes Microsoft and others.

              Just look at the ominous Windows 10/Windows 11 'Microsoft Health Tools', it acts essentially like malware.

              Go on, try to uninstall it from the control panel and every time you do, it is reinstalled again and again by Windows Update. Effectively it's the new form of the previous GetWindowsX 'malware' with all the full screen nags and the forced upgrades, that were surreptitiously carried out.

              No one forgets clicking the 'Red X', that meant you'd accepted an upgrade from 7 to 10.

      2. nematoad
        Happy

        Re: The two faces of Pluton... external facing switch and internal facing switch.

        "...today's 2022-03 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5011487), that resulted in a kernel fault, "

        Interesting, my sister has just bought a Windows (spit) laptop and as I was trying to do something with it the other day it stopped me in my tracks and demanded that I update it. I had no option but to agree so walked away from the thing as it did "The magic" (quote from the initial setup). So it looks like it did get that KB.

        If it has bricked the laptop it might allow me to nuke the OS and put a decent one on instead, PCLinuxOS in this case. So although there might be wailing and gnashing of teeth in the short term this update may be a blessing in disguise.

        1. Terry 6 Silver badge

          Re: The two faces of Pluton... external facing switch and internal facing switch.

          My own precaution is image, image, image.

          Windows, touching wood, has worked fine for me. Updated with no problems and so forth.

          But Macrium Reflect is on permanent duty. Imaged to a second internal HDD before update. And another image to an external USB HDD just in case. And a drawer in another room of the house with a couple of redundant HDDs that happen to contain backups and...more images.

          Do I use Windows? yes. Most people do. Do I trust Microsoft? Just about as far as I could throw an elephant.

          1. General Purpose

            Re: The two faces of Pluton... external facing switch and internal facing switch.

            >Do I use Windows? yes. Most people do. Do I trust Microsoft? Just about as far as I could throw an elephant.

            Well said. Unfortunately, at a time of war, I trust an AC telling us not to install a security update due to an otherwise unreported "kernel fault, and 'full on' meltdown" about as far as I can throw the other elephants.

    3. Anonymous Coward

      Re: It's a silicon feature not a vendor addon

      "How would Dell opt in to using Pluton security? Start fabbing their own custom Intel chips with a Pluton processor added?"

      You're forgetting, Intel has announced a mix n' match policy regarding fabricating key technologies and custom fabrication, aimed at vendors like Dell. But given everything is about price and margins for vendors, I don't hold up much hope, it's going to be baked in going forward for the masses.

  4. Anonymous Coward

    "The big concern among users is the presence of a Microsoft chip in a PC, and the concept of "chip-to-cloud security," which could help the software maker exert more control of systems across the entire stack."

    Exactly. The purpose of Pluton, like the purpose of TPMs, is not primarily to increase the security of the computer owner's data. It's to transfer control of the computer and the data it processes away from the owner to third parties of the manufacturer's choosing. That might be themselves or their corporate partners or the media industry. Unsurprisingly, the people who buy computers prefer to have control of their own assets.

  5. JassMan

    Thank god, someone's got some sense

    "AMD Ryzen 6000 processors will include Pluton as it's present in those AMD chips, though the feature will be disabled by default. AMD has provided an option for users to turn the feature on and off."

    Just as it should be. I just hope it doesn't add too much to the cost of AMD chips.

    I also hope that the evil empire doesn't find a way to subvert it so that it is always on, if the PC has Windows installed, so that it prevents you from wiping the disk and installing a useful OS.

    1. Norman Nescio Silver badge

      Re: Thank god, someone's got some sense

      "AMD Ryzen 6000 processors will include Pluton as it's present in those AMD chips, though the feature will be disabled by default. AMD has provided an option for users to turn the feature on and off."

      There are plenty of nefarious ways of turning on a capability that exists but is 'disabled by default'. It doesn't take much to add hardware that sniffs a register or a data-line waiting for a key-pattern that triggers turning on a hidden capability. It's basically a variant of malware traffic signalling techniques on networks: MITRE: Traffic Signalling

      You might not even need to add hardware: firmware running in a TPM (which could be distributed as an opaque, encrypted BLOB) can easily be programmed to do things on receipt of a magic pattern in what would otherwise be a legitimate datastream being processed.

      This is why open firmware and open hardware is important.

    2. Spanners Silver badge
      Devil

      Re: Thank god, someone's got some sense

      "an option for users to turn the feature on and off."

      Also an option of criminal organisations, including the CIA, FBI and the NSA to turn it on perhaps without you even knowing.

  6. Boris the Cockroach Silver badge
    FAIL

    The issue

    I have is that pluton can be updated (via windows update)

    So it's only a matter of time before the malware creators find a way of updating pluton themselves... and then baking that into an email attachment.

    If pluton was a 'burn it once' type device that cannot be altered from external software, then it may be a good idea.

    Until that point..... it sounds more like a m$ power grab than any 'security' for my PC

    Oh and preventing linux from being installed unless the distro has a m$ supplied key(for a suitable price)

    1. Terry 6 Silver badge

      Re: The issue

      Or indeed that Microsoft could presumably decide that for our own good they'll take even more control of our PCs to do whatever their beancounters decide would make them even more money.

  7. Bartholomew

    "Pluton" in geology, an "intrusive body".

    Does anyone really need another CPU inside their CPU, one that only runs blobs created by Microsoft. It is bad enough that there is the Intel ME (or the AMD PSP) running code that can never be audited, do we really need another one, just for Microsoft.

    1. Anonymous Coward

      Anything that operates below the radar can be used to circumvent Democracy in all its forms.

      None of this offers any reassurance in terms of security, because much of it is hidden from view (and controlled by a single vendor), and anything that operates below the radar can be used to circumvent Democracy in all its forms.

      That's the key message people should take from this, it's no different to having 'malware' operating on their terms, malware controlled by those providing the technologies here. Again, it should be seen for what it is, a massive 'power grab'.

  8. Steve Hersey

    Another way to look at Pluton

    A denial-of-competition attack. They've done that one before, why trust them not to try it again?

    1. Anonymous Coward

      Re: Another way to look at Pluton

      I think you can trust them very much to try again.

  9. MrDamage Silver badge

    The end user is not the customer.

    "Microsoft and our partners are giving customers the flexibility and choice to configure Pluton to meet their specific needs. Microsoft is committed to working with partners and customers in the coming months and years to continue to bolster security with Pluton," the spokesperson said.

    Given the ever-increasing snooping prevalent in Windows, data as currency, "user is the product" approach by MS and others, I think we need to remind every Windows user that they no longer count as "the customer" in Microsoft's eyes. Microsoft's customers are those who pay the greedy fucks to spy on us.

  10. shawn.eary

    Can we dump the TPM requirement for Win 11 already? TPMs can be easily hacked from my understanding...

  11. Mr Dogshit

    HP declined to answer questions on its stand on Pluton,

    because they don't design anything any more, and just flog rebranded Foxconn and Wistron kit.
