* SMM has been part of x86 for decades. The Secured Core requirements around SMM actually reduce its power.
* The claimed requirement to remove the third-party UEFI CA certificate from 2022 Secured Core PCs is entirely unrelated to Pluton (it's required regardless of whether Pluton is enabled or not, and even whether the CPU has Pluton or not).
* Most of the description of Pluton is actually a description of a TPM. You don't need DICE for remote attestation. TPMs are already a hardware keystore.
* System firmware is already being updated via Windows Update. The discussion about Pluton and Windows Update is around Pluton getting firmware updates that way (the existing story around firmware updates for TPMs is largely not good).
* Existing TPM-based remote attestation already includes the secure boot state.
The short version: everything that the article is worried about being enabled by Pluton is already possible, and has been for years.
But there's a meaningful point here. Remote attestation can certainly be used to restrict access to resources in ways that are incompatible with general purpose computing, or which reduce user choice. Remote attestation can also be used to give end users confidence that their machine is in a good state without constraining what they do with it. As a technology, remote attestation can be used in both good and bad ways. We do need to keep track of whether anyone is threatening to use it in bad ways and react appropriately.
(But tbh remote attestation as an attack on general purpose computing isn't the really scary thing about widespread remote attestation. Remote attestation ties back to the TPM's endorsement key, an immutable cryptographic key certified by the TPM vendor at manufacturing time. The straightforward implementation of allowing arbitrary remote sites to trigger remote attestation would tie all of these accesses back to a single piece of hardware, and would be a privacy nightmare.)
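The attestation flow these comments describe (a quote over PCR 7, which carries the Secure Boot state, checked by a relying party against a golden value, with every quote chaining back to one per-device key), as an added simulation that is not part of the thread. The simplified PCR 7 event log, the constructed device secret and the HMAC standing in for the TPM's asymmetric quote signature are assumptions made so the demo runs offline.

```python
import hashlib
import hmac

# Simulated TPM 2.0 PCR: starts all-zero and can only be extended,
# new = SHA-256(old || measurement). Firmware measures the Secure Boot
# state and the certificates used to verify the bootloader into PCR 7.
PCR_INIT = bytes(32)
# Constructed per-device secret standing in for an attestation key
# certified through the TPM's endorsement key (assumption for this demo).
DEVICE_KEY = b"constructed-device-attestation-secret"
DB_CERT = b"constructed-uefi-db-certificate-der"

def pcr_extend(pcr, measurement):
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(secure_boot_on, db_cert):
    """Replay a simplified PCR 7 event log and return the final PCR value."""
    pcr = pcr_extend(PCR_INIT, b"SecureBoot=" + (b"1" if secure_boot_on else b"0"))
    return pcr_extend(pcr, hashlib.sha256(db_cert).digest())

def tpm_quote(key, pcr7, nonce):
    """Stand-in for TPM2_Quote: a MAC over (nonce || PCR digest).
    A real quote is an asymmetric signature; HMAC keeps the demo offline."""
    pcr_digest = hashlib.sha256(pcr7).digest()
    sig = hmac.new(key, nonce + pcr_digest, hashlib.sha256).digest()
    return pcr_digest, sig

def verify_quote(key, expected_pcr7, nonce, pcr_digest, sig):
    """Relying-party check: fresh nonce, valid signature, expected PCR 7."""
    expected_sig = hmac.new(key, nonce + pcr_digest, hashlib.sha256).digest()
    expected_digest = hashlib.sha256(expected_pcr7).digest()
    return (hmac.compare_digest(sig, expected_sig)
            and hmac.compare_digest(pcr_digest, expected_digest))

def key_id(key):
    """Identifier a relying party would store; it is the same at every site
    when all quotes chain to one device key, which is the privacy concern."""
    return hashlib.sha256(key).hexdigest()[:16]

if __name__ == "__main__":
    good = measure_boot(True, DB_CERT)       # relying party's golden PCR 7
    nonce = b"constructed-fresh-nonce"
    print(verify_quote(DEVICE_KEY, good, nonce, *tpm_quote(DEVICE_KEY, good, nonce)))
    tampered = measure_boot(False, DB_CERT)  # same machine, Secure Boot off
    print(verify_quote(DEVICE_KEY, good, nonce, *tpm_quote(DEVICE_KEY, tampered, nonce)))
    print(key_id(DEVICE_KEY))                # identical for every site queried
```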
everything that the article is worried about being enabled by Pluton is already possible, and has been for years.
There's a HUGE difference between "possible" and "very easy to deploy". https://news.ycombinator.com/item?id=29859106
That means in three years, every supported PC will have TPM 2.0. Within ~1 year, assuming that Intel and AMD fulfill what they've implied in the launch announcement, every new PC will also come with Pluton.
That's a lot easier to deploy compared to having some PCs with TPM, others without, some out-of-date on TPM 1.1, some with unpatched firmware (like the 2017 Infineon bug), and so forth.
Now... some say, what about non-Windows systems, like macOS and Chrome? Think bigger for a second - Cisco (as an example) is in the Trusted Computing Group that designed a lot of this stuff, and Cisco Meraki is deployed in so many businesses for Wi-Fi security it's incredible. All Cisco Meraki has to do (for example, maybe it's not Cisco) is make a connection app that uses Pluton/TPM on Windows, Secure Enclave/T2 on macOS/iOS with Apple DeviceCheck, and SafetyNet on ChromeOS/Android. And you are all done - you've successfully made sure every new system is almost certainly untampered with. You've locked the door. For any system that can't be verified, no problems sending them to the IT Help Desk to be manually registered with a private key and sign a disclaimer.
It wasn't possible before, but five years from now, it will be much easier. Every Windows PC will be on the same page, and all major systems will have consistent assertion frameworks. Now, is Pluton wholly responsible? No. Windows 11 plays a role. Pluton just makes it broader and stronger, and Pluton also provides a long-term strengthening as eventually the TPM 2.0-only level will be able to be cut off for just Pluton.
This is mainly because, at this point,
A. A TPM's level of access and capabilities to a system is well-known at this point. With Pluton, we do not know with certainty what all of its capabilities are.
B. Microsoft has explicitly stated Pluton will have functionality added to it in the future through software updates, most likely that cannot be downgraded, that are not present yet. It's not that Pluton might have stuff added later - Microsoft has said stuff will be added later. What these upgrades entail or are capable of is also unknown.
C. Because of the above, Pluton requires a previously-unknown level of trust for Microsoft, because Pluton almost certainly has anti-downgrade procedures. Microsoft could, potentially, send out an update just blocking Linux and if Pluton received the update, it would be irreversible. Maybe this isn't within Pluton's abilities, but we just don't know. Just that Microsoft (or a hacker of Microsoft - I'm more concerned about a rogue employee than Microsoft at the moment) could have permanent effects on the security of a system is worth paying attention to.
D. Because of the reasons above, Pluton should be regarded with extra skepticism as it is a magical black box, with unknown capabilities, and it is not clear whether it can actually be disabled. (Already on my blog, there's a user talking about how Pluton briefly boots and then disables itself if the UEFI says that it should be disabled, not that it never starts, so theoretically a Pluton update could ignore its own disable switch.) I don't have verification of that, but until we know more... TPM is known, TPM can screw people, Pluton has the potential to extremely screw people over, and while many of my doomsday speculations can actually be recreated with just a TPM if TPMs are widely adopted, perhaps it could be enhanced with more Pluton-specific ones. Perhaps my doomsday predictions actually weren't far enough.
Thus, your point that Pluton doesn't add too much might be completely valid right now. That doesn't mean Pluton isn't also a potential Trojan horse that Microsoft updates as they please with new things that we didn't expect or ask for with no ability to undo them.
Edit: Removed a previous edit, and adding that, to complement the above notes, it does not help instill confidence that Microsoft isn't telling us what Pluton can and cannot do at a hardware level. They've said a few things it can do right now, and just said more stuff will be coming in the future, but they won't talk about where its limits are. So... trust the black box without questions, please. To be fair, this isn't the first time (Intel ME, AMD PSP?), but it is unsettling to have another one.