All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Pluton Security Processor ROM

Certificate#4880StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorAdvanced Micro Devices (AMD), Microsoft Corporation
High review priority  ·  exposes HSM/SE firmware trust anchor  ·  last validated 20 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date11/13/2026
CaveatInterim validation
VendorAdvanced Micro Devices (AMD), Microsoft Corporation
Hardware versionsModel Ryzen 7 Pro 6850H with Radeon Graphics

Vendor resources (verify with the vendor)

Product pagehttps://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor
Support pagehttps://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor open support
Documentationhttps://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor
https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/pluton-as-tpm
AssessmentMicrosoft Learn provides public documentation for the Pluton security processor (architecture, firmware load flow, TPM behavior); no login required. ROM-level module internals remain vendor-confidential.

Approved Algorithms (2)

AlgorithmACVP Cert
ECDSA SigVer (FIPS186-4)A2348
SHA2-256A2348

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Self-Tests1
Life-Cycle Assurance1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Pluton Security Processor ROM
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C1["[high] Firmware / bootloader<br/>versions disclosed<br/>(identity, not provenance)<br/><i>Rembrandt B1 = 0x8262_0B00</i>"]
    C2["[high] Firmware update / recovery<br/>/ rollback services<br/><i>Load Firmware</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Show Status<br/>Perform Self- Tests</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I1["Component identity is<br/>disclosed, but provenance<br/>and patch lineage are not."]
    I2["Trusted code is reachable<br/>through update and<br/>recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R1["Do the vendor version<br/>strings obscure the<br/>upstream baseline, fork<br/>lineage, or known-CVE<br/>exposure?"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E1["SBOM / component baselines<br/>· patch and backport<br/>manifest · CVE disposition"]
    E2["update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C1 --> I1 --> R1 --> E1
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C1,C2,C3,C6 clue;
  class I1,I2,I3,I6 infer;
  class R1,R2,R3,R6 risk;
  class E1,E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Pluton Security Processor ROM
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C1["[high] Firmware / bootloader versions disclosed (identity, not provenance)<br/><i>Rembrandt B1 = 0x8262_0B00</i><br/>src: certificate.firmwareVersions"]
    C2["[high] Firmware update / recovery / rollback services<br/><i>Load Firmware</i><br/>src: securityPolicy.services"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Show Status<br/>Perform Self- Tests</i><br/>src: securityPolicy.services"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C1,C2,C3 clueHigh;
  class C6 clueLow;

Security Policy, page by page

Page 1
Prepared ByMicrosoft Corporation One Microsoft Way Redmond, WA 98052-6399
Document Version Number1.1
Updated OnNovember 1, 2024

Pluton Security Processor ROM

Page 2

Pluton Security Processor ROM

Page 3

Pluton Security Processor ROM

Page 4
Document VersionDateDescription
1.0May 13, 2022Draft submitted to CMVP for a full validation.
1.1November 1, 2024Updated in response to CMVP feedback.

Pluton Security Processor ROM

Page 5
Security level
NameISO SectionRequirementLevel
11GeneralLevel 2
22Cryptographic module specificationLevel 2
33Cryptographic module interfacesLevel 2
44Roles, services, and authenticationLevel 2
55Software/Firmware securityLevel 2
66Operational environmentN/A
77Physical securityLevel 2
88Non-invasive securityN/A
99Sensitive security parameter managementLevel 2
1010Self-testsLevel 2
1111Life-cycle assuranceLevel 2
1212Mitigation of other attacksN/A

Pluton Security Processor ROM

Page 6

Pluton Security Processor ROM

Page 7
Module configuration
NameModelHardware VersionFirmware VersionFeatures
AMD Ryzen 6000 Series SOCAMD Ryzen 6000 Series SOCModel Ryzen 7 Pro 6850H with Radeon GraphicsRembrandt B1 = 0x8262_0B00CPUID F.4.1 Extended CPUID 19.44

Pluton Security Processor ROM

Page 8
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
ECDSA SigVer (FIPS 186-4)A2348Signature VerificationP-384 curve with SHA2-256.Signature Verification
SHA2-256 (FIPS 180-4)A2348SHA2-256Message length: 0-51200, increment 8.Secure Hashing
Approved algorithm
NameCAVP CertMode MethodKey SizeUse Function
ECDSA SigVer (FIPS 186-4)A2348Signature VerificationP-384 curve with SHA2-256.Signature Verification
SHA2-256 (FIPS 180-4)A2348SHA2-256Message length: 0-51200, increment 8.Secure Hashing

Pluton Security Processor ROM

Page 9
Approved algorithm
Name
N/A (The module implements only approved algorithms.)

Pluton Security Processor ROM

Page 10

Pluton Security Processor ROM

Page 11
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
Direct access of memory, registersDirect access of memory, registersData InputHard-coded ECDSA Signature (PSP) used for verification of firmware image, measurements.
RegistersRegistersControl InputPlatform Configuration Register (PCR) numbers.
RegistersRegistersStatus OutputReturn and error codes.
Service
NameRolesInputOutput
Show StatusCrypto OfficerAutomatically executed by the module.Status output across the module’s Status Output logical interface.
Perform Self-TestsCrypto OfficerAutomatically executed by the module after every power on or reset.Implicit in Module availability: if the Module is available, the self-tests have passed; if the self- tests fail, the Module resets.
Load FirmwareCrypto OfficerExecuted when the “load firmware” command is received; firmware address and size is passed in.Firmware application ECDSA signature is validated.
DecommissionCrypto OfficerExecuted when the “disable Pluton” command is received.Permanently changes the module state to end of life.
PCR3 ExtendCrypto OfficerExecuted when the “PCR3 extend” command is received, with value and software PCR number is passed in.Extends PCR number 3 with passed-in data.
All PCR ExtendCrypto OfficerExecuted when the “all PCR extend” command is received.Extends all PCRs with a hard-coded, fixed value.
Show Module’s Versioning InformationCrypto OfficerImplicit by the AMD SOC the module resides within.CPUID indicated in Table 2.

Pluton Security Processor ROM – Security Policy

  1. Cryptographic Module Interfaces As indicated in the table below, all status and control ports are accessed through the Pluton registers and the API command handlers implemented in the Pluton ROM image. For data input, direct access to memory through the address spaces maintained by the Pluton registers and the API command handlers implemented in the Pluton ROM image are used. This direct access to memory, the Pluton registers, and API commands defines the FIPS interfaces across the module’s cryptographic boundary. Error statuses available through these interfaces do not reveal any sensitive materials to the interface initiators. Table 7: Ports and Interfaces
  2. Roles, Services, and Authentication The module supports a single role, Crypto Officer, which may use any of the module’s services. The Crypto Officer role is implicitly assumed by the party accessing services implemented by the Module. There is no non-Crypto Officer role in approved mode. The module does not support cryptographic bypass. The following table identifies all services offered in each role, with corresponding input and output. This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision).
Page 12

Pluton Security Processor ROM

Page 13
Service
NameDescriptionRolesCsps AccessedApproved FunctionsAccessIndicator
Show StatusShows module status.Crypto OfficerNoneN/AN/AImplicit in SOC availability. An error in module will result in the SOC failing to boot.
Perform Self- TestsPerforms module self-tests.Crypto OfficerNoneSHA2-256 (FIPS 180-4) and ECDSA SigVer (FIPS 186-4)N/AImplicit in module availability. If the SHA2 self-test fails, the module halts and no cryptographic function may be performed. For ECDSA, a failure status returned to the platform processor of the AMD SOC.
Load FirmwareValidates a firmware application ECDSA signature.Crypto OfficerECDSA public keyECDSA SigVer (FIPS 186-4)R, ELoadRuntime succeeds and the module generates a postcode that digital signature validation succeeded.
DecommissionPermanently changes the module state for decommissioning.Crypto OfficerNoneN/AN/AHSP state is changed and will reject any commands like LoadRuntime or PcrExtend.
PCR3 ExtendExtends the Platform Configuration Register (PCR) number 3 with passed-in data.Crypto OfficerNoneSHA2-256 (FIPS 180-4)N/APCR3 extended with passed-in data.
All PCR ExtendExtends all PCRs with a hard-coded, fixed value.Crypto OfficerNoneSHA2-256 (FIPS 180-4)N/APCR3 extended with hard- coded fixed value.
Show Module’s Versioning InformationShow module’s versioning information.Crypto OfficerNoneN/AN/ACPUID matching those indicated in Table 2.

Pluton Security Processor ROM

Page 14

Pluton Security Processor ROM

Page 15

Pluton Security Processor ROM

Page 16

Pluton Security Processor ROM – Security Policy

  1. Software/Firmware Security The module’s executable code is stored in non-reconfigurable memory on the SOC, as defined by FIPS 140-3 IG 5.A. The SOC non-reconfigurable memory will not change or degrade for a minimum of 10 years, guaranteeing firmware security. This design requires no integrity testing. As a sub-chip embedded in the AMD SOC, the module is expected to last the lifetime of the SOC. The non-reconfigurable memory of the SOC should not degrade for at least 10 years. The module and SOC are determined to be end-of-life at the discretion of the user within this period. At end-of-life, the user should discontinue use of the SOC. As the module does not generate, establish, or import any CSPs, no sanitization process is required.
  2. Operational Environment The Operational Environment requirements do not apply, as the module’s operational environment is non-modifiable and the physical security level claimed is Level
  3. Apart from the Pluton ROM image, the rest of the module is comprised of integrated circuits fabricated on silicon dies as hardware components. The Pluton ROM image is non-modifiable as it is written to the SOC as part of the process to complete the SOC GDS IC layout before wafer fabrication. The module cannot be modified and no code can be added or removed.
  4. Physical Security The module is a sub-chip embedded in the AMD Ryzen 6000 Series SOC, which is a single-chip standalone device. The module is embedded in all AMD Ryzen 6000 SOC models and SKUs. The SOC conforms to the FIPS 140-3 Level 2 requirements for physical security. The SOC resides in a package which provides opaqueness in the visible spectrum and protection against environmental or other physical damage. It is contained in a tamper-evident enclosure which deters direct observation, probing, or manipulation and provides evidence of attempts to tamper with or remove the module. No operator-applied tamper evident seals or security appliances are required, as the seals are applied as part of manufacturing the SOC. The following table identifies the physical security mechanisms of the module and the protocol for maintaining them. This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision).
Page 17
Physical Security MechanismRecommended Frequency ofInspection / Test Guidance
Inspection / TestDetails
Tamper-evident enclosureInspect whenever the user is concerned they have lost physical control of the computer with the Pluton processor.Examine the SOC for scratched or damaged epoxy coating. If tampering is evident, the user may contact Microsoft at FIPS@microsoft.com.

Table 10: Physical Security Inspection Guidelines The following photographs show the tamper-evident enclosure. The image at left shows the module Figure 4: Module before Tampering (Left) and after Tampering (Right) As a Level 2 module that does not implement EFP/EFT, the module is not subject to hardness testing. 8. Non-Invasive Security The module does not implement non-invasive attack mitigation techniques to protect the unprotected SSPs from non-invasive attacks. This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision).

Page 18
Sensitive security parameter
NameStrengthSecurity FunctionGenerationEstablishmentStorageZeroizationUseImport Export
ECDSA Public Key (SHA2- 256)P-384 (192 bits)ECDSA SigVer (FIPS 186-4), certificate #A2348.Pre-loaded by the manufacturer.N/AHard-coded in immutable memory.N/AFirmware application signature verification.N/A

Pluton Security Processor ROM

Page 19

Pluton Security Processor ROM

Page 20

Pluton Security Processor ROM

Page 21

Pluton Security Processor ROM

Page 22

Pluton Security Processor ROM

Page 23

Pluton Security Processor ROM – Security Policy

  1. Life-Cycle Assurance 11.1. Crypto Officer Guidance The operation of the module does not need FIPS 140-3 specific guidance. The FIPS 140-3 functional requirements are always invoked. The module is determined to be a FIPS 140-3 validated module by using the validated product described in this Security Policy. No Crypto Officer installation or maintenance is required. 11.2. User Guidance The operation of the module does not need FIPS 140-3 specific guidance. The FIPS 140-3 functional requirements are always invoked. The module is determined to be a FIPS 140-3 validated module by using the validated product described in this Security Policy. No User installation or maintenance is required.
  2. Mitigation of Other Attacks The module does not claim any mitigation of other attacks. This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision).

Referenced URLs