Yikes! Lenovo is vendor-locking AMD Ryzen CPUs via PSB

[creesch]

Summary

It's basically as the title states, Lenovo is expanding the use of PSB outside of the server markt and to not just EPYC processors but also Ryzen processor lines. PSB allows locking a processor to a specific machine which means it can no longer be used in other machines. 

 

 

 

Quotes

Quote

At STH, we have covered the AMD PSB or Platform Secure Boot feature several times. In the last week or so, we have gotten a few reports that Lenovo is now bringing this technology to the desktop market in its AMD Ryzen (Pro) systems.

 

Quote

The basic premise of the technology is that it blows field-programmable fuses that lock an AMD CPU to the vendor’s system. The concept is to create a permanent platform so the CPU must align with the motherboard for security purposes. Many of our readers are rightfully nervous about this. One cannot tell a CPU has been PSB fused and so purchasing CPUs on the secondary market can be perilous. If, for example, one purchases a fused Lenovo or Dell AMD EPYC CPU and tries to put it in a non-Lenovo or Dell system it should not work.

 

My thoughts

If more vendors start doing this it effectively makes second hand processors a risky bet. In addition to looking out for fake models you now might get a legit processor which still can't be used. 

 

Sources

https://www.servethehome.com/lenovo-vendor-locking-ryzen-based-systems-with-amd-psb/

https://www.servethehome.com/lenovo-vendor-locking-ryzen-cpus-with-amd-psb-the-video/

 

[dizmo]

If this takes gains traction, they're basically supporting eWaste at a huge level. What happens if the motherboard dies? Or something else happens and you want to harvest components? Ridiculous. As much as I like Lenovo, I'd never support then again if they went down this route.

[Guest]

Great.. They get more money, people can't (or won't) reuse CPUs and will end up throwing them away. (Oh, did I mention there's a chip [silicon] shortage?)

Edit: Honestly not happy about how more and more products are moving into the "you bought it but you can only use it the way we intended" territory.

[8tg]

This is what you get for buying new computer anything.

Burn your RTX 3090, shun windows 11, return to the chad utopia that is basically anything older than kaby lake because everything after kaby lake sucked 

[Radium_Angel]

Just now, sexychimichanga said:

Lenovo gets crap all the time when they don't deserve it

Superfish says otherwise.

The US gov't put them on the Do Not Buy list for a long time (dunno if that's been rescinded or not, it's still a standing order in the gov't agency I work for)

They most certainly deserve it.

[TempestCatto]

Idk what PSB actually is. But a human made that, which means another human can crack that. I feel like the "hacker" community could sort this out in a few weeks time.

[GDRRiley]

14 minutes ago, dizmo said:

 What happens if the motherboard dies?

you can swap it into another lenovo board.

 

12 minutes ago, sexychimichanga said:

Well, Lenovo gets crap all the time when they don't deserve it.  So, this "could" be misleading information.  I'd wait for more sources and proof, plus their response.

this is STH, pretty rarely do they get stuff wrong and they aren't one for clickbait. they've been dealing with locking CPUs on servers for years no

 

I really doubt lenvo will respond to this.

1 minute ago, TempestCatto said:

Idk what PSB actually is. But a human made that, which means another human can crack that. I feel like the "hacker" community could sort this out in a few weeks time.

Platform Secure Boot

its not going to be easy to crack.

 

from dell about epycs version

Spoiler

As you rightly point out, the AMD Platform Secure Boot Feature (PSB) is a mitigation for firmware Advanced Persistent Threats. This allows us to establish an unbroken chain of trust from AMD’s silicon root of trust to our BIOS and then from the BIOS to the OS Bootloader using UEFI secure boot. This provides a very powerful defense against remote and local attackers seeking to embed malware into a platform’s firmware.

 

We design PowerEdge servers with security built-in as the security of our products is critical to helping ensure our customers’ data and systems are protected. Given the pervasiveness and increasing sophistication of these ongoing persistent threats, we decided to enable the PSB function that AMD makes available. The tradeoff, as you pointed out, is that the CPU would only be able to operate in another Dell EMC PowerEdge server. However, we feel that’s a rather limited use case for how customers look to decommission old equipment and wanted to err on the side of security.

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/2/

[creesch]

3 minutes ago, TempestCatto said:

Idk what PSB actually is. But a human made that, which means another human can crack that. I feel like the "hacker" community could sort this out in a few weeks time.

If it was software, yes. But it doesn't appear to be as simple as that. Not to mention that even if this can be circumvented it is something you need to know about and have the ability to fix. Not something a lot of people who might buy these CPUs second hand are likely to have as more often than not they are the people with a limited budget and not necesairly the people with the technical know how. 

[creesch]

29 minutes ago, sexychimichanga said:

Even if this is true, Dell does this too.

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/

It would help if you went back to the things I quoted specifically.  Because it is not that this is done, but that Lenovo is doing this to CPUs other than Epyc CPUs and therefore outside the server environment. Context is important. 

[creesch]

14 minutes ago, sexychimichanga said:

Your missed the point.  You, the user, have to agree to it.  They don't do it automatically.  AMD is also the one who created it, not Lenovo.  Lenovo is getting blamed for something AMD gave them to use.  Plus, I'd be more annoyed over an Epyc than your common desktop CPU due to the cost differences.

No, I did  not miss the point, in fact I am fairly sure you are. 

This being enabled for consumer CPUs means that any second hand CPU on the second hand market becomes suspect as you can no longer rely on it working even though it is the correct CPU for your motherboard. It is a bad development for consumers in general.  Not to mention that if this feature is being enabled in the way as is shown in the screenshot it will likely be enabled by many people not fully realizing what it does, locking them out of future repairs in case they ever need to replace a motherboard later in the life cycle (where lenovo no longer supports it officially) and other shenanigans. 

 

This feature being actively enabled in consumer products is simply not healthy in a market that is already plagued by chip shortages and where increasingly focus is put on reducing e-waste. 

 

Also, to be clear, it isn't bad that Lenovo specifically does this, it is bad that this is done at all. So you really don't need to defend Lenovo's honor here as far as I am concerned, as I would have posted the same article if it had been any other pc vendor. 

 

Edit: 

Also, it appears that in some cases Lenovo is currently selling systems with already locked CPUs. Which is just outright bad news for consumers. 

 

[IkeaGnome]

11 minutes ago, sexychimichanga said:

AMD gave them to use

I think the blame is shared. AMD implemented it. I don't like that. 

Lenovo is choosing to use it. What other vendors have chosen to do this?

If Ford or anyone else makes a car that will go over a 30kph speed limit, who gets blamed when the car is speeding? 

[creesch]

Just now, sexychimichanga said:

Then blame AMD?  The thing is AMD is handing it to vendors calling it q security feature.  Lenovo is at least telling you the truth about it.  You don't have to listen to them and press y.  It's worse that you're blaming them when AMD is the one at fault, and it's the user's fault if they click yes.  Lenovo isn't forcing you to agree, so blaming Lenovo for it is silly.  Can I blame the Surgeon General for women smoking while they're pregnant?

 

It's worth noting that there are A LOT of features made available by both AMD and Intel that are purely aimed at the server market and never make it to the consumer market for a variety (and sometimes obvious) reasons. This appears to be in my view one of those features that could and should have stayed in the server space of computers and should not cross over to the consumer market for obvious reasons. Calling out that this is happening and explaining why it is bad is generally a good thing and part of reporting on developments. It is not the tit-for-tat blame game you seem to insist making out of it. 

 

I am also just going to quote myself, as it seems you did overlook a rather specific part of what I said earlier. 

 

7 minutes ago, creesch said:

Also, to be clear, it isn't bad that Lenovo specifically does this, it is bad that this is done at all. So you really don't need to defend Lenovo's honor here as far as I am concerned, as I would have posted the same article if it had been any other pc vendor. 

 

 

4 minutes ago, sexychimichanga said:

You don't have to listen to them and press y

Just to be clear, I added some additional screenshots which came from the linked articles you might also want to read. The original CPU that system came with was already vendor locked. The screenshot of the confirmation screen is of someone swapping in another CPU and having that presented to them. The original CPU that came in the PC was not working in other motherboards. 

 

 

 

[StDragon]

With Pluton being embedded in next gen AMD and Intel CPUs, this fusing practice should be rendered moot. And fuck IBM!

[dizmo]

2 hours ago, GDRRiley said:

you can swap it into another lenovo board.

That still doesn't make this completely unnecessary step warranted.

[leadeater]

1 hour ago, sexychimichanga said:

Well, I can agree with the original being a problem, if true.  The second one is the user's fault.  I'm more curious if AMD made them use it or Lenovo did it on their own. 

Lenovo choose to, AMD isn't telling anyone they have to or forcing them to do this and PSB does more than just this.

 

HPE does not vendor lock EPYC CPUs and never will since they have their own security features built in to iLO and their system platform firmware that offers equivalent security measures as well as more. HPE's implementation can detect if hardware has been changed, even different CPU model, that shouldn't have been and refuse to boot the system. Utilizing AMD's PSB feature to vendor lock CPUs cannot offer this. 

[leadeater]

Also FYI to everyone this can be unlocked

 

Quote

A CPU that has gone through the de-PSB process cannot be used again with the PSB feature but can be used in any system with PSB disabled

 

The CPUs are not locked forever and useless.

[LAwLz]

If this happened on Intel my bet is that this forum and Youtube would be full of "Intel screws over customers, again!"...

Good thing it happened on AMD so that people didn't instantly assume malice. Maybe we can have a level headed discussion about what is happening, why and what can be done about it.

 

  

6 hours ago, StDragon said:

With Pluton being embedded in next gen AMD and Intel CPUs, this fusing practice should be rendered moot. And fuck IBM!

1) I don't see how Pluton would change anything about this.

2) Before throwing around "fuck IBM" or any other company, it's a good idea to actually look up if your hatred is aimed at the right company. IBM has nothing to do with this, unless you count the 37.8% of stock IBM owns in Lenovo. Lenovo basically bought IBM's PC and x86 server business using their own stock. That's essentially the only connection IBM and Lenovo shares. The only two parties that are involved in this CPU/Mobo locking are Lenovo and AMD. Not IBM.

[leadeater]

43 minutes ago, LAwLz said:

Good thing it happened on AMD so that people didn't instantly assume malice. Maybe we can have a level headed discussion about what is happening, why and what can be done about it.

No need to worry, I'm betting Intel will offer a similar feature that also allows this functionality. The fire is setup and ready to burn and Intel is on the way with a match.

 

Silicon Root of Trust is a hot ticket area in IT security for the last few years, I just cannot see Intel not playing in this field.

[creesch]

25 minutes ago, sexychimichanga said:

 There's more to it thann that, but I'm half awake.

You should go to bed Tensor and cuda cores have next to nothing to do with AMD CPUs or desktop CPUs for that matter and are a completely different subject

[StDragon]

5 hours ago, LAwLz said:

1) I don't see how Pluton would change anything about this

This is stupid. Why else would Lenovo fuse-lock the CPU to the MB? Is it because the BGA variant wasn't available? Because if it was, they should have just rolled with that instead. I don't see any enhanced security with fuse-locking that couldn't also be accomplished with Pluton from an end-user security standpoint.

[LAwLz]

32 minutes ago, StDragon said:

This is stupid. Why else would Lenovo fuse-lock the CPU to the MB? Is it because the BGA variant wasn't available? Because if it was, they should have just rolled with that instead. I don't see any enhanced security with fuse-locking that couldn't also be accomplished with Pluton from an end-user security standpoint.

I don't really understand why you think Pluton would change anything.

I don't have that much info about Pluton, but I wouldn't be surprised if it also includes a similar feature where you can bind the CPU to the motherboard. If it does then this will just become MORE widespread as Pluton rolls out. If Pluton doesn't have that feature then I wouldn't be surprised if AMD just keeps shipping processors with the PSB in addition to Pluton.

 

This CPU and motherboard locking is something vendors like AMD and Lenovo wants. It is necessary to create an unbroken chain of trust between the BIOS and the root of trust, which is inside the CPU.

The reason this is needed is because otherwise you could modify the BIOS to inject potentially malicious software into AMD's security subsystem (their "Secure Processor"). 

 

From what I know, HPE accomplishes a fully unbroken chain of trust because they do not use AMD's security subsystem. Instead they have built their own using what they call a baseboard management controller.

 

[StDragon]

1 minute ago, LAwLz said:

I don't really understand why you think Pluton would change anything.

My point is that binding the CPU to the MB for enhanced security is a red herring. It does bupkis in this regard as it binds to the vendor, not that specific MB.

 

Let me spell it out clearly - This is designed to prevent used CPUs from hitting the secondary market under the auspices of "security" which is treated like some buzzword!

Pluton would actually address the security issues being touted here. Again, which renders this fusing practice entirely moot.

 

6 minutes ago, LAwLz said:

From what I know, HPE accomplishes a fully unbroken chain of trust because they do not use AMD's security subsystem. Instead they have built their own using what they call a baseboard management controller.

Dell and HPE use BMCs for event gathering and management via the IPMI bus. For extended administrative functionality beyond that, you're looking at iDRAC or iLO respectfully.

[LAwLz]

19 minutes ago, StDragon said:

My point is that binding the CPU to the MB for enhanced security is a red herring. It does bupkis in this regard as it binds to the vendor, not that specific MB.

It prevents someone from removing your CPU, booting it on a motherboard with a BIOS that injects malicious code to the security processor, and then putting it back into your system.

It makes sure that if the CPU boots, it does so on a motherboard with firmware it can trust. That's why you want it to be tied to the vendor rather than a specific motherboard, because otherwise you wouldn't be able to for example do a BIOS upgrade. The CPU gets coded to the vendor's signature, because the vendor knows that the code they sign is safe.

 

20 minutes ago, StDragon said:

Dell and HPE use BMCs for event gathering and management via the IPMI bus. For extended administrative functionality beyond that, you're looking at iDRAC or iLO respectfully.

Dell EMC also fuses their processors to motherboards. At least on some of their EPYC servers.

HPE does not because their root of trust is in their BMC rather than the processor. HPE doesn't use AMD's PSB. The BMC and motherboard and tied to each other in the same way Dell and Lenovo tie the CPU to the motherboard.

[Doobeedoo]

Yikes indeed.

[RejZoR]

Ah, Lenovo just being Lenovo. They do same asshole thing with freaking WIFI cards in laptops. Freaking WIFI cards. I had one Lenovo laptop and it had some shitty WLAN module. Wanted to replace it with better one and service center told me most won't even work. Same was confirmed by users on forum.