by Dylan16807 2037 days ago
Another commenter familiar with the tech said: Pluton can securely track what software was booted on the main core (called "measured boot") and it basically sends a hash of that to the cloud to prove to the cloud what software is currently running.

That sounds like most of what you need to build a system that can enforce what executables you're allowed to load and prevent you from attaching a debugger.

2 comments

Pluton can securely track what software was booted on the main core as long as the previous component in the boot chain participates. If your OS doesn't participate, you don't get any measurements beyond that point. And that means there's no way for Pluton to block execution.
At which point the server will refuse to send you the protected portion of the software, or the decryption key for it. This blocks the execution.
You omitted the context there: the poster was talking about Azure Sphere - IoT devices that use Pluton for verification with remote services.

That's a different use case (chip-to-cloud). It also can't prevent you from attaching a debugger when all you need to do is go offline.

In fact, the whole point is that you can run anything without compromising the security of the data in the secure enclave. That's what Zero-Trust is all about.

As a feature for cloud chips, it's great.

If it goes into client chips, and someone uses it for DRM, that's awful.

I guess we'll see?
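The two mechanisms debated in this thread, a measurement chain that only covers stages whose loader agreed to measure them, and a server that withholds a key rather than blocking execution, can be modelled in a few dozen lines. The following is an added example, not code from the thread, from Azure Sphere or from Pluton: `extend`, `measured_boot`, `AttestationServer` and the sample images and keys are all constructed here, and an HMAC with a shared `DEVICE_KEY` stands in for the signature a real secure element would produce with its attestation key.

```python
import hashlib
import hmac
import os

ZERO_PCR = bytes(32)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM-style extend: the register is only ever folded forward, never reset,
    # so a later stage cannot erase what an earlier stage recorded about it.
    return sha256(pcr + digest)


def measured_boot(stages):
    """Simulate the boot chain (constructed model).

    stages: list of (name, image_bytes, measures_next). The root of trust
    (standing in for Pluton) always measures the first stage; after that a
    stage is measured only if the stage that loaded it agreed to measure it.
    Returns (final_pcr, event_log); unmeasured stages appear with digest None.
    """
    pcr = ZERO_PCR
    log = []
    measurer_present = True
    for name, image, measures_next in stages:
        if measurer_present:
            digest = sha256(image)
            pcr = extend(pcr, digest)
            log.append((name, digest.hex()))
        else:
            log.append((name, None))  # chain broken: nothing vouches for this stage
        measurer_present = measures_next
    return pcr, log


def golden_pcr(images):
    """The value the server expects when every image was measured, in order."""
    pcr = ZERO_PCR
    for image in images:
        pcr = extend(pcr, sha256(image))
    return pcr


def make_quote(device_key: bytes, pcr: bytes, nonce: bytes) -> bytes:
    # Constructed stand-in for a signed attestation quote; the nonce gives freshness.
    return hmac.new(device_key, pcr + nonce, hashlib.sha256).digest()


class AttestationServer:
    def __init__(self, device_key, expected_pcr, payload_key):
        self.device_key = device_key
        self.expected_pcr = expected_pcr
        self.payload_key = payload_key
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def release_key(self, pcr: bytes, quote: bytes):
        """Hand out the payload key only for a fresh, authentic quote over the approved state."""
        if self.nonce is None:
            return None
        nonce, self.nonce = self.nonce, None  # single use: a replayed quote fails
        if not hmac.compare_digest(quote, make_quote(self.device_key, pcr, nonce)):
            return None  # not produced by the device's secure element
        if not hmac.compare_digest(pcr, self.expected_pcr):
            return None  # measured stack differs from what the server approved
        return self.payload_key


# Constructed sample images and keys; none of this is real firmware or key material.
BOOTLOADER = b"bootloader v1 (constructed)"
OS_IMAGE = b"os kernel v1 (constructed)"
APP = b"protected app loader v1 (constructed)"
DEVICE_KEY = b"constructed-device-attestation-key"
PAYLOAD_KEY = b"constructed-content-decryption-key"

SERVER = AttestationServer(DEVICE_KEY, golden_pcr([BOOTLOADER, OS_IMAGE, APP]), PAYLOAD_KEY)


def boot_and_attest(stages, device_key=DEVICE_KEY):
    """Device side end to end: boot, get a nonce, quote the PCR, ask for the key."""
    pcr, log = measured_boot(stages)
    nonce = SERVER.challenge()
    key = SERVER.release_key(pcr, make_quote(device_key, pcr, nonce))
    return log, key


if __name__ == "__main__":
    good = [("bootloader", BOOTLOADER, True), ("os", OS_IMAGE, True), ("app", APP, False)]
    print(boot_and_attest(good))
    # An OS that does not measure what it loads: the app still runs locally,
    # but the server sees a PCR it does not recognise and keeps the key.
    opaque_os = [("bootloader", BOOTLOADER, True), ("os", OS_IMAGE, False), ("app", APP, False)]
    print(boot_and_attest(opaque_os))
```

Nothing in the device-side model stops an unmeasured stage from executing, which is the point made above about offline use: the only lever the server has is refusing to release the key, and that lever is worthless to an attacker who never needed the server in the first place.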