Yikes! Lenovo is vendor-locking AMD Ryzen CPUs via PSB

[leadeater]

37 minutes ago, LAwLz said:

I know. That's what I said.

Except for a different purpose which is why the complete thing I said mattered.

 

37 minutes ago, LAwLz said:

Well I guess it depends what you define by "system". It is to protect the secure processor. The OS being protected is the result of the secure processor being protected.

From now on I will stop using the word "system" because it can refer to several things. I recommend you do the same.

Every security feature implemented in a CPU or the platform is to protect the running system and nothing else, that is the entire purpose of them. I only refer to system in a single way and that is "the computer" and it's "data".

 

For system security perspective I couldn't care if the CPU did get compromised so long as that doesn't compromise the system and I know that the CPU is now in that compromised state and to be removed.

[leadeater]

1 hour ago, LAwLz said:

It's to protect the secure processor. We don't want it loading untrusted code.

These are already protected from that without this, you cannot make any changes to PSP, IME etc etc that isn't correctly signed, this does not change that.

 

In theory because these management engines and secure processor have exploits.

 

1 hour ago, LAwLz said:

That would not compromise the secure processor because it would not load unless the BIOS on the board was signed with the same key.

CPU Vendor Lock

 

Put CPU in same vendor system/motherboard

 

I'll let you figure it out, you've literally already made the correct statement in this topic so I know you know what this means. There aren't multiple different keys for each vendor, at least far as I know, and if there are it'd be one for EPYC and one for Ryzen Pro but I doubt it.

 

Edit:

I will say this, if people are stealing your CPUs to put in systems they have administrator access to so they can use the PSP exploits that require administrative access to the running OS then you have bigger issues to worry about. One of the known exploits is to disable HVB.

 

Now unless I'm wrong if you disable HVB of a vendor locked CPU it will then boot in any motherboard.

 

The correct way to do this, which actually works, is the way HPE does it however you still have single point of trust but in the same way we all trust all the Root CAs. If only one side, the CPU, is actively part of the security equation then it's doomed to fail. the CPU and the motherboard should both be mutually doing it, again like HPE does so you aren't just hail merry on a single vendor key as to whether or not the CPU allows the boot process to continue.

[LAwLz]

51 minutes ago, leadeater said:

-snip-

I don't feel like doing a repeat of our TPM debate where we spend like 5 pages going back and forth until you realize I was right all along.

Let me ask you this. What do you think is the most likely.

1) You, after having skimmed an article found a massive flaw in this very complex technology that renders it useless.

2) You don't fully understand the technology and it actually does serve a purpose. The purpose being what I have described which aligns with the official statements from AMD and Dell among others.

3) This technology serves a different, hidden purpose and doesn't do what AMD pretends it does.

[leadeater]

7 hours ago, LAwLz said:

1) You, after having skimmed an article found a massive flaw in this very complex technology that renders it useless

I'm not saying it's a massive flaw, I'm saying it simply doesn't offer as much protection as you or Lenovo etc want to portray that it does. It doesn't do "nothing", fine I'll rescind that but it's a very low bar that has been added.

 

7 hours ago, LAwLz said:

2) You don't fully understand the technology and it actually does serve a purpose. The purpose being what I have described which aligns with the official statements from AMD and Dell among others.

I understand it fine, I understand it also does not prevent compromising the Security Processor anyway because I'm not ignoring the known PSP exploits that can be done from within a running OS. You do not need to compromise the BIOS like you said but you can after you've done initial compromise from within the OS.

 

Though to be fair all or the relevant exploits may have been effectively patched so might no longer be possible anymore. I'm just not assuming it can't be achieved again.

[Dash Lambda]

As far as I know, the first rule of cybersecurity is if the attacker has hardware access all bets are off. This seems like an... exceptionally silly security measure to me, the situations in which locking down compatibility between specific CPUs and mobos would help can't possibly be relevant on mass-market consumer machines, right?

[LAwLz]

9 hours ago, Dash Lambda said:

As far as I know, the first rule of cybersecurity is if the attacker has hardware access all bets are off.

That is certainly not the first rule of cybersecurity. It's not even true. A well designed and secured system will be secure even if someone gets their hands on it.

 

9 hours ago, Dash Lambda said:

the situations in which locking down compatibility between specific CPUs and mobos would help can't possibly be relevant on mass-market consumer machines, right?

It could. I am not sure how wide-spread it is, but this is designed to protect the hardware from getting infected with malware. We don't want to end up in a situation where downloading the latest Spider-Man movie will result in you getting a bitcoin miner installed inside your CPU, that can't be removed even if you format Windows for example.

Since AMD are putting it inside their consumer products I would think that they believe it is a real threat. Whether or not it is worth screwing over the second hand market is debatable though.

[leadeater]

39 minutes ago, LAwLz said:

Since AMD are putting it inside their consumer products I would think that they believe it is a real threat

Isn't it only a Ryzen Pro and Threadripper Pro feature? (other than EPYC). The feature is on the Pro technology marketing page and also on the Ryzen/TR Pro product pages (with links to the technology page) but the regular Ryzen makes no mention of it.

 

It'll be there because they are all the "same" anyway but it sounds like it's only able to be used on the Pro products, at least for now.

[LAwLz]

42 minutes ago, leadeater said:

Isn't it only a Ryzen Pro and Threadripper Pro feature? (other than EPYC). The feature is on the Pro technology marketing page and also on the Ryzen/TR Pro product pages (with links to the technology page) but the regular Ryzen makes no mention of it.

 

It'll be there because they are all the "same" anyway but it sounds like it's only able to be used on the Pro products, at least for now.

Oops, yeah you're right. It has only happened on their pro-line as of the time writing this.

I wouldn't be surprised if this comes to the regular consumer stuff as well though. Microsoft and others are very much pushing hardware based threat mitigation with stuff like TPM and Pluton. This seems like a pretty logical extension of that.

And like I said, how big is the second hand market really compared to all the users it would help protect? Is it worth lowering the security for everyone just to make the 1% who swap/sell CPUs happy? My guess is no, if you ask Lenovo/AMD/Microsoft/others.

[leadeater]

3 minutes ago, LAwLz said:

Oops, yeah you're right. It has only happened on their pro-line as of the time writing this.

I wouldn't be surprised if this comes to the regular consumer stuff as well though

The thing about it is that only Ryzen Pro CPUs were tried far as I've seen, I don't actually know if it's "only" a Pro feature. I'd have to read the STH article again but I don't think they mentioned they tried a non-Pro CPU in the Lenovo computer.

[mr moose]

I Still don't see the reason for this on consumer/domestic products.  What would locking a CPU to a motherboard do for security that TPM, encryption or other techs haven't already?

[leadeater]

7 minutes ago, mr moose said:

I Still don't see the reason for this on consumer/domestic products.  What would locking a CPU to a motherboard do for security that TPM, encryption or other techs haven't already?

The PSP in the AMD CPUs is a crypto engine and also a key store so it's probably a good idea that malicious code, persistent or not, isn't able to be run on the PSP to read out the keys and influence the crypto engines functions.

[mr moose]

7 minutes ago, leadeater said:

The PSP in the AMD CPUs is a crypto engine and also a key store so it's probably a good idea that malicious code, persistent or not, isn't able to be run on the PSP to read out the keys and influence the crypto engines functions.

If someone has hold of your CPU then you have either thrown out your PC without due diligence for cleaning it or your data is likely already toast as there was someone in your house stealing shit.

[leadeater]

5 minutes ago, mr moose said:

If someone has hold of your CPU then you have either thrown out your PC without due diligence for cleaning it or your data is likely already toast as there was someone in your house stealing shit.

The PSP is always there running and is accessible from within the OS. It's supposed to be protected and only secure and allowed interactions with it but that's been broken in to before. That means if you do get your system compromised and that flows through to the PSP then anything that uses the fTPM or Crypto engine may be leaking all your data and is perfectly readable by them. Browsers can use the PSP, Bitlocker, Memory Encryption, VM Encryption etc (bunch of other stuff I can't be bothered to try and remember). Anyway the concern is the here and now not when you stop using the computer and any residual data on it.

[mr moose]

10 minutes ago, leadeater said:

The PSP is always there running and is accessible from within the OS. It's supposed to be protected and only secure and allowed interactions with it but that's been broken in to before. That means if you do get your system compromised and that flows through to the PSP then anything that uses the fTPM or Crypto engine may be leaking all your data and is perfectly readable by them. Browsers can use the PSP, Bitlocker, Memory Encryption, VM Encryption etc (bunch of other stuff I can't be bothered to try and remember). Anyway the concern is the here and now not when you stop using the computer and any residual data on it.

How is locking a CPU to a motherboard going to prevent that?

[leadeater]

Just now, mr moose said:

How is locking a CPU to a motherboard going to prevent that?

One of the ways to attack the PSP is through malicious BIOS and "Vendor Lock"/PSB/HVB is supposed to cut that attack vector off. Since you can modify the BIOS and even flash a completely new one and it gets staged for next boot the computer would fail to boot because the vendor key would no longer match.

[mr moose]

1 minute ago, leadeater said:

One of the ways to attack the PSP is through malicious BIOS and "Vendor Lock"/PSB/HVB is supposed to cut that attack vector off. Since you can modify the BIOS and even flash a completely new one and it gets staged for next boot the computer would fail to boot because the vendor key would no longer match.

Which means someone has broken into your house and has access to your computer.    Not that I can think of a need for the average domestic user to need it, but if you do need that much security aren't there better options already available like TPM, apple whatever it is, or an enterprise/government grade solution?

[leadeater]

2 minutes ago, mr moose said:

Which means someone has broken into your house and has access to your computer.

No you can modify the BIOS from the OS.

[LAwLz]

16 minutes ago, mr moose said:

How is locking a CPU to a motherboard going to prevent that?

The goal of this feature isn't to lock a CPU to a motherboard. That's the unfortunate consequence of how the technology works.

The PSB has a feature that makes it so that it only runs trusted code, and it only trusts code that is signed with the same key that it was first "keyed" to.

 

 

If you put a Ryzen/Threadripper Pro CPU into a motherboard that has PSB enabled, the CPU will look at the key used to sign that BIOS and go "okay, from now on I will only trust code signed with this key".

If your BIOS was updated with code written by anyone other than the motherboard manufacturer/BIOS-developer, the key will no longer match and the CPU will deem this "untrusted" and thus not boot.

 

The purpose isn't to lock CPUs to motherboards. The purpose is to make it so that the PC doesn't boot with a malicious BIOS, but the way they achieve that is by locking the CPU to the key it first encounters.

 

 

10 minutes ago, mr moose said:

Which means someone has broken into your house and has access to your computer.

8 minutes ago, leadeater said:

No you can modify the BIOS from the OS.

Even if it wasn't possible to do from the OS (which as you said, it is), it would still be be a good idea for things like laptops. Laptops are constantly in near proximity of other users that may or may not have malicious intentions. We don't want to have to assume that a computer is infected with untraceable and unremovable malware with higher than system/admin/root privilege just because we happened to forget it in some conference room for half an hour.

[leadeater]

2 minutes ago, mr moose said:

Not that I can think of a need for the average domestic user to need it, but if you do need that much security aren't there better options already available like TPM, apple whatever it is, or an enterprise/government grade solution?

Put it this way. You are now running Windows 11, you will most likely have fTPM and Secure Boot enabled (because you have to make the effort to not have to), your OS now has a Secure Key Store, applications such as browsers can automatically utilize an initialized and working Secure Key Store to store your saved passwords, you go to your Bank website and login and click save password, you do something dumb and get malware on your computer, this malware cannot access your browsers saved passwords. Excellent Microsoft's security and grand plan has worked, but wait the PSP got exploited and now your Bank internet password can be read, well that sucks.

[mr moose]

2 minutes ago, leadeater said:

No you can modify the BIOS from the OS.

So someone can find a way to remote into your PC, modify the BIOS so on the next start you can access their secured data? 

 

 

 

 

 

Good thing I don't store any important passwords/data on my PC in anyway.   When I use internet banking and I have to type the whole fucking password out manually because I do not trust browsers or key folders with that.

 

 

[mr moose]

11 minutes ago, LAwLz said:

The goal of this feature isn't to lock a CPU to a motherboard. That's the unfortunate consequence of how the technology works.

The PSB has a feature that makes it so that it only runs trusted code, and it only trusts code that is signed with the same key that it was first "keyed" to.

 

 

If you put a Ryzen/Threadripper Pro CPU into a motherboard that has PSB enabled, the CPU will look at the key used to sign that BIOS and go "okay, from now on I will only trust code signed with this key".

If your BIOS was updated with code written by anyone other than the motherboard manufacturer/BIOS-developer, the key will no longer match and the CPU will deem this "untrusted" and thus not boot.

 

The purpose isn't to lock CPUs to motherboards. The purpose is to make it so that the PC doesn't boot with a malicious BIOS, but the way they achieve that is by locking the CPU to the key it first encounters.

 O.K.   I can see the exploit and I can see how this prevents it,  but I am still having trouble understanding why this is necessary, it seems like taking a 20pound sledge hammer to fix a picture hook.  Why not just have it require a previously generated passcode to re-enable the PSP or choose to delete all keys in the PSP?  That's what happens when you replace a TPM isn't it?

 

 

EDIT: I.E, someone hacks your system and modifies the BIOS,  upon boot you get a screen telling you the bios has changed would you like to delete all the keys or enter a code to continue or cancel and reflash the bios,  it could even include a warning about malicious code. 

[leadeater]

9 minutes ago, mr moose said:

 O.K.   I can see the exploit and I can see how this prevents it,  but I am still having trouble understanding why this is necessary, it seems like taking a 20pound sledge hammer to fix a picture hook.  Why not just have it require a previously generated passcode to re-enable the PSP or choose to delete all keys in the PSP?  That's what happens when you replace a TPM isn't it?

How do you know the PSP has been compromised and how do you do anything about it when the PSP itself is what controls the boot/POST process of the computer? This prevents it from getting compromised rather than a mechanism about it if it has been which it can't do anything about if this protection has/can be bypassed.

 

If there is malicious coding running on the PSP then it's essentially too late, it may well be safer to shoot the CPU with a shotgun than try and re-flash the PSP which you'll never truly know actually did anything.

 

This is the reason why I don't like the feature so much because it's a one sided verification, the motherboard doesn't do anything to check the CPU is what it claims to be and hasn't been compromised. It's not supposed to be able to and this PSB feature is there to prevent one of the ways from that happening but personally I'd rather a two-sided implementation than a one-sided however to do that is vastly more complex and costly and thus far requires yet another embedded BMC system which means another thing that could be compromised. 

 

iLO/iDRAC/IPMI are all really nice targets to attack because of what they are and how much control and access to the overall system they have, especially iLO and iDRAC, iLO has the most.

[mr moose]

9 minutes ago, leadeater said:

How do you know the PSP has been compromised and how do you do anything about it when the PSP itself is what controls the boot/POST process of the computer? This prevents it from getting compromised rather than a mechanism about it if it has been which it can't do anything about if this protection has/can be bypassed.

How do we know anything really,  For all intents and purposes I am just a pleb who want's to know why one infection pathway is more important than another if both are viable.  And does the CPU reallyt need ot be locked in order to do this,  can't we just put the CPU in another motherboard and let it bomb the contents of the PSP in order to run again?

[mr moose]

I mean, surely AMD or intel have a way to program their own CPU's from running until a "BOMB PSP/TPM" command is given at which point it only allow to reboot once the PSP/TPM is formatted?

 

By the way I am drinking my whiskey straight tonight and it seems to be effecting my communication,  excuse the errors.

[Elijah Kamski]

Here's to hoping that Windows Fast Boot will skip this!
 

If not, please make it a thing! XD

Somehow, idk XD

Maybe we can get a Windows Universal BIOS? XD