
Yikes! Lenovo is vendor-locking AMD Ryzen CPUs via PSB

creesch

Summary

It's basically as the title states: Lenovo is expanding the use of PSB outside of the server market, and not just to EPYC processors but also to the Ryzen processor lines. PSB allows locking a processor to a specific machine, which means it can no longer be used in other machines.

 

[Screenshot: image not available]

 

Quotes

Quote

At STH, we have covered the AMD PSB or Platform Secure Boot feature several times. In the last week or so, we have gotten a few reports that Lenovo is now bringing this technology to the desktop market in its AMD Ryzen (Pro) systems.

 

Quote

The basic premise of the technology is that it blows field-programmable fuses that lock an AMD CPU to the vendor’s system. The concept is to create a permanent platform so the CPU must align with the motherboard for security purposes. Many of our readers are rightfully nervous about this. One cannot tell a CPU has been PSB fused and so purchasing CPUs on the secondary market can be perilous. If, for example, one purchases a fused Lenovo or Dell AMD EPYC CPU and tries to put it in a non-Lenovo or Dell system it should not work.

 

My thoughts

If more vendors start doing this it effectively makes second hand processors a risky bet. In addition to looking out for fake models you now might get a legit processor which still can't be used. 

 

Sources

https://www.servethehome.com/lenovo-vendor-locking-ryzen-based-systems-with-amd-psb/

https://www.servethehome.com/lenovo-vendor-locking-ryzen-cpus-with-amd-psb-the-video/

 

There aren't many subjects that benefit from binary takes on them in a discussion.

 

 


Great.. They get more money, people can't (or won't) reuse CPUs and will end up throwing them away. (Oh, did I mention there's a chip [silicon] shortage?)

Edit: Honestly not happy about how more and more products are moving into the "you bought it but you can only use it the way we intended" territory.


This is what you get for buying new computer anything.

Burn your RTX 3090, shun Windows 11, return to the chad utopia that is basically anything older than Kaby Lake, because everything after Kaby Lake sucked.


Just now, sexychimichanga said:

Lenovo gets crap all the time when they don't deserve it

Superfish says otherwise.

The US gov't put them on the Do Not Buy list for a long time (dunno if that's been rescinded or not, it's still a standing order in the gov't agency I work for)

They most certainly deserve it.



Idk what PSB actually is. But a human made that, which means another human can crack that. I feel like the "hacker" community could sort this out in a few weeks time.


14 minutes ago, dizmo said:

What happens if the motherboard dies?

You can swap it into another Lenovo board.

 

12 minutes ago, sexychimichanga said:

Well, Lenovo gets crap all the time when they don't deserve it.  So, this "could" be misleading information.  I'd wait for more sources and proof, plus their response.

This is STH; pretty rarely do they get stuff wrong, and they aren't one for clickbait. They've been dealing with locking CPUs on servers for years now.

 

I really doubt Lenovo will respond to this.

1 minute ago, TempestCatto said:

Idk what PSB actually is. But a human made that, which means another human can crack that. I feel like the "hacker" community could sort this out in a few weeks time.

Platform Secure Boot

It's not going to be easy to crack.

 

From Dell about the EPYC version:

As you rightly point out, the AMD Platform Secure Boot Feature (PSB) is a mitigation for firmware Advanced Persistent Threats. This allows us to establish an unbroken chain of trust from AMD’s silicon root of trust to our BIOS and then from the BIOS to the OS Bootloader using UEFI secure boot. This provides a very powerful defense against remote and local attackers seeking to embed malware into a platform’s firmware.

 

We design PowerEdge servers with security built-in as the security of our products is critical to helping ensure our customers’ data and systems are protected. Given the pervasiveness and increasing sophistication of these ongoing persistent threats, we decided to enable the PSB function that AMD makes available. The tradeoff, as you pointed out, is that the CPU would only be able to operate in another Dell EMC PowerEdge server. However, we feel that’s a rather limited use case for how customers look to decommission old equipment and wanted to err on the side of security.

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/2/



3 minutes ago, TempestCatto said:

Idk what PSB actually is. But a human made that, which means another human can crack that. I feel like the "hacker" community could sort this out in a few weeks time.

If it was software, yes. But it doesn't appear to be as simple as that. Not to mention that even if this can be circumvented, it is something you need to know about and have the ability to fix. That is not something a lot of people who might buy these CPUs second hand are likely to have, as more often than not they are the people with a limited budget and not necessarily the people with the technical know-how.


 

 


29 minutes ago, sexychimichanga said:

It would help if you went back to the things I quoted specifically. 🙂 Because it is not that this is done, but that Lenovo is doing this to CPUs other than Epyc CPUs and therefore outside the server environment. Context is important. 


 

 


14 minutes ago, sexychimichanga said:

You missed the point. You, the user, have to agree to it. They don't do it automatically. AMD is also the one who created it, not Lenovo. Lenovo is getting blamed for something AMD gave them to use. Plus, I'd be more annoyed over an Epyc than your common desktop CPU due to the cost differences.

No, I did not miss the point; in fact I am fairly sure you are.

This being enabled for consumer CPUs means that any CPU on the second hand market becomes suspect, as you can no longer rely on it working even though it is the correct CPU for your motherboard. It is a bad development for consumers in general. Not to mention that if this feature is being enabled in the way shown in the screenshot, it will likely be enabled by many people not fully realizing what it does, locking them out of future repairs in case they ever need to replace a motherboard later in the life cycle (where Lenovo no longer supports it officially) and other shenanigans.

 

This feature being actively enabled in consumer products is simply not healthy in a market that is already plagued by chip shortages and where increasingly focus is put on reducing e-waste. 

 

Also, to be clear, it isn't bad that Lenovo specifically does this, it is bad that this is done at all. So you really don't need to defend Lenovo's honor here as far as I am concerned, as I would have posted the same article if it had been any other pc vendor. 

 

Edit: 

Also, it appears that in some cases Lenovo is currently selling systems with already locked CPUs. Which is just outright bad news for consumers. 

 

[Screenshot: image not available]


 

 


11 minutes ago, sexychimichanga said:

AMD gave them to use

I think the blame is shared. AMD implemented it. I don't like that. 

Lenovo is choosing to use it. What other vendors have chosen to do this?

If Ford or anyone else makes a car that will go over a 30kph speed limit, who gets blamed when the car is speeding? 

I'm not actually trying to be as grumpy as it seems.


 

 


Just now, sexychimichanga said:

Then blame AMD? The thing is AMD is handing it to vendors calling it a security feature. Lenovo is at least telling you the truth about it. You don't have to listen to them and press Y. It's worse that you're blaming them when AMD is the one at fault, and it's the user's fault if they click yes. Lenovo isn't forcing you to agree, so blaming Lenovo for it is silly. Can I blame the Surgeon General for women smoking while they're pregnant?

 

It's worth noting that there are A LOT of features made available by both AMD and Intel that are purely aimed at the server market and never make it to the consumer market for a variety (and sometimes obvious) reasons. This appears to be in my view one of those features that could and should have stayed in the server space of computers and should not cross over to the consumer market for obvious reasons. Calling out that this is happening and explaining why it is bad is generally a good thing and part of reporting on developments. It is not the tit-for-tat blame game you seem to insist making out of it. 

 

I am also just going to quote myself, as it seems you did overlook a rather specific part of what I said earlier. 

 

7 minutes ago, creesch said:

Also, to be clear, it isn't bad that Lenovo specifically does this, it is bad that this is done at all. So you really don't need to defend Lenovo's honor here as far as I am concerned, as I would have posted the same article if it had been any other pc vendor. 

 

 

4 minutes ago, sexychimichanga said:

You don't have to listen to them and press y

Just to be clear, I added some additional screenshots which came from the linked articles you might also want to read. The original CPU that system came with was already vendor locked. The screenshot of the confirmation screen is of someone swapping in another CPU and having that presented to them. The original CPU that came in the PC was not working in other motherboards. 

 

 

 


 

 


With Pluton being embedded in next gen AMD and Intel CPUs, this fusing practice should be rendered moot. And fuck IBM!


2 hours ago, GDRRiley said:

you can swap it into another lenovo board.

That still doesn't make this completely unnecessary step warranted.



1 hour ago, sexychimichanga said:

Well, I can agree with the original being a problem, if true.  The second one is the user's fault.  I'm more curious if AMD made them use it or Lenovo did it on their own. 

Lenovo chose to. AMD isn't telling anyone they have to or forcing them to do this, and PSB does more than just this.

 

HPE does not vendor lock EPYC CPUs and never will since they have their own security features built in to iLO and their system platform firmware that offers equivalent security measures as well as more. HPE's implementation can detect if hardware has been changed, even different CPU model, that shouldn't have been and refuse to boot the system. Utilizing AMD's PSB feature to vendor lock CPUs cannot offer this. 


Also FYI to everyone this can be unlocked

 

Quote

A CPU that has gone through the de-PSB process cannot be used again with the PSB feature but can be used in any system with PSB disabled

 

The CPUs are not locked forever and useless.


If this happened on Intel my bet is that this forum and Youtube would be full of "Intel screws over customers, again!"...

Good thing it happened on AMD so that people didn't instantly assume malice. Maybe we can have a level headed discussion about what is happening, why and what can be done about it.

 

  

6 hours ago, StDragon said:

With Pluton being embedded in next gen AMD and Intel CPUs, this fusing practice should be rendered moot. And fuck IBM!

1) I don't see how Pluton would change anything about this.

2) Before throwing around "fuck IBM" or any other company, it's a good idea to actually look up if your hatred is aimed at the right company. IBM has nothing to do with this, unless you count the 37.8% of stock IBM owns in Lenovo. Lenovo basically bought IBM's PC and x86 server business using their own stock. That's essentially the only connection IBM and Lenovo shares. The only two parties that are involved in this CPU/Mobo locking are Lenovo and AMD. Not IBM.


43 minutes ago, LAwLz said:

Good thing it happened on AMD so that people didn't instantly assume malice. Maybe we can have a level headed discussion about what is happening, why and what can be done about it.

No need to worry, I'm betting Intel will offer a similar feature that also allows this functionality. The fire is set up and ready to burn, and Intel is on the way with a match.

 

Silicon Root of Trust is a hot ticket area in IT security for the last few years, I just cannot see Intel not playing in this field.


25 minutes ago, sexychimichanga said:

There's more to it than that, but I'm half awake.

You should go to bed 🙂 Tensor and cuda cores have next to nothing to do with AMD CPUs or desktop CPUs for that matter and are a completely different subject 🙂


 

 


5 hours ago, LAwLz said:

1) I don't see how Pluton would change anything about this

This is stupid. Why else would Lenovo fuse-lock the CPU to the MB? Is it because the BGA variant wasn't available? Because if it was, they should have just rolled with that instead. I don't see any enhanced security with fuse-locking that couldn't also be accomplished with Pluton from an end-user security standpoint.


32 minutes ago, StDragon said:

This is stupid. Why else would Lenovo fuse-lock the CPU to the MB? Is it because the BGA variant wasn't available? Because if it was, they should have just rolled with that instead. I don't see any enhanced security with fuse-locking that couldn't also be accomplished with Pluton from an end-user security standpoint.

I don't really understand why you think Pluton would change anything.

I don't have that much info about Pluton, but I wouldn't be surprised if it also includes a similar feature where you can bind the CPU to the motherboard. If it does then this will just become MORE widespread as Pluton rolls out. If Pluton doesn't have that feature then I wouldn't be surprised if AMD just keeps shipping processors with the PSB in addition to Pluton.

 

This CPU and motherboard locking is something vendors like AMD and Lenovo wants. It is necessary to create an unbroken chain of trust between the BIOS and the root of trust, which is inside the CPU.

The reason this is needed is because otherwise you could modify the BIOS to inject potentially malicious software into AMD's security subsystem (their "Secure Processor"). 

 

From what I know, HPE accomplishes a fully unbroken chain of trust because they do not use AMD's security subsystem. Instead they have built their own using what they call a baseboard management controller.

 


1 minute ago, LAwLz said:

I don't really understand why you think Pluton would change anything.

My point is that binding the CPU to the MB for enhanced security is a red herring. It does bupkis in this regard as it binds to the vendor, not that specific MB.

 

Let me spell it out clearly - This is designed to prevent used CPUs from hitting the secondary market under the auspices of "security" which is treated like some buzzword!

Pluton would actually address the security issues being touted here. Again, which renders this fusing practice entirely moot.

 

6 minutes ago, LAwLz said:

From what I know, HPE accomplishes a fully unbroken chain of trust because they do not use AMD's security subsystem. Instead they have built their own using what they call a baseboard management controller.

Dell and HPE use BMCs for event gathering and management via the IPMI bus. For extended administrative functionality beyond that, you're looking at iDRAC or iLO respectively.


19 minutes ago, StDragon said:

My point is that binding the CPU to the MB for enhanced security is a red herring. It does bupkis in this regard as it binds to the vendor, not that specific MB.

It prevents someone from removing your CPU, booting it on a motherboard with a BIOS that injects malicious code to the security processor, and then putting it back into your system.

It makes sure that if the CPU boots, it does so on a motherboard with firmware it can trust. That's why you want it to be tied to the vendor rather than a specific motherboard, because otherwise you wouldn't be able to for example do a BIOS upgrade. The CPU gets coded to the vendor's signature, because the vendor knows that the code they sign is safe.

 

20 minutes ago, StDragon said:

Dell and HPE use BMCs for event gathering and management via the IPMI bus. For extended administrative functionality beyond that, you're looking at iDRAC or iLO respectfully.

Dell EMC also fuses their processors to motherboards. At least on some of their EPYC servers.

HPE does not, because their root of trust is in their BMC rather than the processor. HPE doesn't use AMD's PSB. The BMC and motherboard are tied to each other in the same way Dell and Lenovo tie the CPU to the motherboard.

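A toy simulation of the boot check described in the post above, added here as an illustration; it is not code from AMD, Lenovo, Dell or STH. It models the behaviour the thread describes: the CPU's one-time fuses record a hash of the vendor's signing key, and once blown the CPU boots only firmware signed by that key, so a BIOS update from the same vendor still works while another vendor's board or a tampered image is refused. The RSA key pairs (textbook RSA over fixed primes, standing in for the real signature scheme) and the firmware images are constructed for the example.

```python
"""Toy model of vendor fusing as PSB is described in this thread.
Constructed illustration, not AMD's or any vendor's code: a fresh CPU
boots anything; the first vendor-signed firmware that asks for PSB blows
one-time fuses holding a hash of the vendor's signing key; from then on
the CPU boots only firmware signed by that key."""
import hashlib
from dataclasses import dataclass

# Textbook RSA over small fixed primes so this runs without libraries.
# It stands in for the real signature scheme and is not secure.
def make_vendor_key(p: int, q: int, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}  # (public, private)

def digest(image: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(priv: dict, image: bytes) -> int:
    return pow(digest(image, priv["n"]), priv["d"], priv["n"])

def verify(pub: dict, image: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(image, pub["n"])

def key_id(pub: dict) -> bytes:
    """What the fuses record: a hash of the vendor's public key."""
    return hashlib.sha256(f'{pub["n"]}:{pub["e"]}'.encode()).digest()

@dataclass
class Firmware:
    vendor_pub: dict            # key the image claims to be signed with
    image: bytes
    sig: int
    request_fuse: bool = False  # the "press Y to enable PSB" prompt

@dataclass
class Cpu:
    fused_key_id: "bytes | None" = None  # None = fuses intact

    def boot(self, fw: Firmware) -> str:
        if self.fused_key_id is None:
            # Unfused: nothing anchors the check, so any image boots.
            if fw.request_fuse and verify(fw.vendor_pub, fw.image, fw.sig):
                self.fused_key_id = key_id(fw.vendor_pub)  # irreversible
                return "booted, fuses blown"
            return "booted"
        if key_id(fw.vendor_pub) != self.fused_key_id:
            return "refused: different vendor key"
        if not verify(fw.vendor_pub, fw.image, fw.sig):
            return "refused: bad signature"
        return "booted"

def run_scenarios() -> dict:
    """Walk one CPU through the situations the thread discusses."""
    a_pub, a_priv = make_vendor_key(104729, 1299709)    # constructed keys
    b_pub, b_priv = make_vendor_key(15485863, 32452843)
    v1, v2, b_img = b"vendor A bios v1", b"vendor A bios v2", b"vendor B bios"
    fw_v1 = Firmware(a_pub, v1, sign(a_priv, v1), request_fuse=True)
    fw_v2 = Firmware(a_pub, v2, sign(a_priv, v2))
    fw_b = Firmware(b_pub, b_img, sign(b_priv, b_img))
    fw_bad = Firmware(a_pub, v2 + b" + implant", fw_v2.sig)  # altered image
    cpu = Cpu()
    return {
        "fresh cpu in vendor B board": cpu.boot(fw_b),
        "first boot, accept PSB prompt": cpu.boot(fw_v1),
        "BIOS update, same vendor": cpu.boot(fw_v2),
        "moved to vendor B board": cpu.boot(fw_b),
        "tampered image, vendor A key": cpu.boot(fw_bad),
    }
```

The order of the checks is the point: a fused CPU compares the vendor key before it even looks at the image, which is why it is tied to the vendor rather than to one board.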

Yikes indeed.



Ah, Lenovo just being Lenovo. They do same asshole thing with freaking WIFI cards in laptops. Freaking WIFI cards. I had one Lenovo laptop and it had some shitty WLAN module. Wanted to replace it with better one and service center told me most won't even work. Same was confirmed by users on forum.

