Yikes! Lenovo is vendor-locking AMD Ryzen CPUs via PSB

creesch
29 minutes ago, RejZoR said:

Ah, Lenovo just being Lenovo. They do same asshole thing with freaking WIFI cards in laptops. Freaking WIFI cards. I had one Lenovo laptop and it had some shitty WLAN module. Wanted to replace it with better one and service center told me most won't even work. Same was confirmed by users on forum.

I had a similar issue with HDDs on certain Thinkpad or Lenovo laptops too. Had to be from a list of specific FRU part numbers; it's asinine. When you installed anything else, it would complain at POST and you would have to press a key to continue each and every time the system rebooted. There was no way to suppress this at that time. Though after looking online just now, apparently some future BIOS update allowed some form of suppression; but not without a delay in POST and beep code.

 

It's tantamount to chipping an inkjet cartridge for vendor lock-in.

Funny how much ppl are ready to sacrifice for marginal security improvement.....

 

2 hours ago, RejZoR said:

They do same asshole thing with freaking WIFI cards in laptops

And they lock the sata controller in raid/special magic mode.....


19 hours ago, 8tg said:

This is what you get for buying new computer anything.

Burn your RTX 3090, shun windows 11, return to the chad utopia that is basically anything older than kaby lake because everything after kaby lake sucked 

Xeon e5, GTX 980, Windows 10. And it will be that way for years. 

Probably the person to ask about servers, workstations, old Latitudes, or hard drives

Top LTT Forum reaction giver/receipient 2022


Is that why most second hand enterprise computers are intel?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB
CPU: Ryzen 9 5900X  Case: Antec P8  PSU: Corsair RM850x  Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM
Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168  GPU: EVGA RTX 2080 ti Black edition


I'm curious as to whether AMD purposely provided Lenovo with those vendor-lock-capable CPUs, or whether they're just regular CPUs with a built-in lock feature, whereas any OEM can just buy off-the-shelf Ryzen and lock them to their specific system. Also, is the CPU tied to the motherboard it was installed with, or will the vendor-locked CPU still work with another motherboard of the exact same model?

For example, you've got 2 of the exact same Lenovo ThinkCentre running the same vendor-locked Ryzen CPU model. When they're swapped with each other, will they still work or not? Because some CPUs don't, since the system detects the CPU having a different CPU ID from the one it was originally paired with.

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

 

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

 


26 minutes ago, williamcll said:

Is that why most second hand enterprise computers are intel?

No that simply has to do with market share. Intel still dominates in offices and such and many second hand machines you'll find that aren't gaming machines will therefore be Intel.

There aren't many subjects that benefit from binary takes on them in a discussion.

 

 


Just now, sexychimichanga said:

To clarify, they're not perm locked and you can disable this in the bios. The article is misleading.

I noticed there was a screenshot earlier today in OP's post showing that the message or feature can be disabled, but it was then edited to mention that the message only pops up when a different Ryzen is installed in the board. The Ryzen that originally came with the Lenovo is already vendor locked and cannot be used on another motherboard.



53 minutes ago, NumLock21 said:

I'm curious as to whether AMD purposely provided Lenovo with those vendor-lock-capable CPUs, or whether they're just regular CPUs with a built-in lock feature, whereas any OEM can just buy off-the-shelf Ryzen and lock them to their specific system.

It's most likely the latter: that AMD has now started providing this feature on their desktop chips. They have had this feature for quite a while on their server processors, and with all the recent push from Microsoft regarding firmware security it makes sense that it would come to PCs as well.

 

 

 

54 minutes ago, NumLock21 said:

Also, is the CPU tied to the motherboard it was installed with, or will the vendor-locked CPU still work with another motherboard of the exact same model?

It will work with any motherboard whose BIOS is signed with the same signature it was locked to.

If for example Asus started signing all their BIOSes with the same key, and your chip were to get locked to an Asus board, then that chip would work on any Asus board. It would reject a Gigabyte board however, or an Asus board that wasn't signed (like a motherboard with a modded BIOS).

 

56 minutes ago, NumLock21 said:

For example, you've got 2 of the exact same Lenovo ThinkCentre running the same vendor-locked Ryzen CPU model. When they're swapped with each other, will they still work or not? Because some CPUs don't, since the system detects the CPU having a different CPU ID from the one it was originally paired with.

It would work. It doesn't even have to be the same model of motherboard. As long as the BIOS was signed with the same key, it will work. The CPU gets tied to a particular key the OEM uses to sign their BIOS.

During the first boot, the CPU checks this signature and then gets paired to it. 


This would be a very bad idea. It is essentially like selling a used car, except you're not the original owner so it won't start for you.


21 hours ago, leadeater said:

Also FYI to everyone this can be unlocked

 

 

The CPUs are not locked forever and useless.

The article made it easy to miss, but that was a hypothetical implementation that he was suggesting (not how it is in practice). The concept of de-PSB and those bullet points was him making a suggestion of how PSB should work. In reality that system doesn't exist, so systems that have PSB efuses blown will only work for that vendor.

 

1 hour ago, sexychimichanga said:

Again, they are not perm locked and you can turn PSB off.  From what I remember if you turn PSB off in the bios, and don't use PSB on the next system, it should work.

You can disable PSB so that a new CPU that you put in there won't get its fuse blown and locked to Lenovo, but the OEM CPU and any CPU that you enabled PSB on will still effectively be destroyed in the second-hand market.

 

22 hours ago, sexychimichanga said:

Then blame AMD?  The thing is AMD is handing it to vendors calling it a security feature.  Lenovo is at least telling you the truth about it.  You don't have to listen to them and press y.  It's worse that you're blaming them when AMD is the one at fault, and it's the user's fault if they click y.  Lenovo isn't forcing you to agree, so blaming Lenovo for it is silly.  Can I blame the Surgeon General for women smoking while they're pregnant?

Blaming AMD won't really do much; yes, they should be changing how PSB works, but there should be major blame for Lenovo even thinking of using this feature. This is a foolish policy by a company that has a sketchy history [Superfish]. Systems using PSB should first be clearly labelled so that buyers know their system components are locked down.

 

Clicking y, I will concede, is the user's fault ONLY if there are additional warnings and additional user input required during that process. If it's click y and it merely goes on blowing the fuses, then it's a terrible user interface. The reason I say this is that their warning message that it will lock the CPU is not up front and present enough. As the message stands I could see people clicking through the screen without really realizing what is about to happen, because people in general, I find, have a tendency to click through those settings (thinking about tweaking later) in order to check that it's booting correctly. Kind of like how my system, if I were to change the CPU, says hardware has changed and I need to essentially tell it to go.

 

It's true that Lenovo isn't forcing you to agree (except for the OEM CPU that shipped with it), but utilizing that on consumer-grade equipment just seems wasteful and like they are not doing it in good faith. If you click n, you have to keep clicking N until you disable PSB in the BIOS, but really the question should be why it is even enabled by default. People who want to use PSB should be turning it on. It's like saying phone carriers aren't forcing you to allow tracking (it's just that they make it so that you pretty much are).

 

As for your analogy it's more similar to blaming the driver for drunk driving (and you arguing that it should be the alcohol manufacturers who should be blamed).  AMD has it as a feature, it's Lenovo who chose to utilize it.

3735928559 - Beware of the dead beef


7 minutes ago, wanderingfool2 said:

The article made it easy to miss, but that was a hypothetical implementation that he was suggesting (not how it is in practice). The concept of de-PSB and those bullet points was him making a suggestion of how PSB should work. In reality that system doesn't exist, so systems that have PSB efuses blown will only work for that vendor.

Ah right, well that sucks then. Either way, even if it could, you'd have no real way to know that process has been done, and even if you wanted to disable PSB in the BIOS you need a CPU to boot the system to disable it. You can easily get stuck regardless.


9 hours ago, LAwLz said:

It prevents someone from removing your CPU, booting it on a motherboard with a BIOS that injects malicious code to the security processor, and then putting it back into your system.

If someone has enough unfettered access to a system that they can do all of this work?

 

They can fuck my PC in plenty of other ways that are probably easier.


14 minutes ago, Arika S said:

It will never cease to amaze me how much leniency people give to AMD for the shit they do 

 

Intel was transparently lazy and exploitative during their long period of dominance, so AMD was seen as the savior, although their pro-consumer, value-oriented posturing was transparently only what they thought they had to do to get back in the fight as long as they still couldn't beat Intel outright on performance. When they went back on their promises about AM4 CPU compatibility (or at least tried to), that should have made it obvious to everyone they would be just as anti-consumer as Intel as soon as they were in a dominant enough position that they thought they could get away with it. 

Your "PC master race" thing is cringe. 

 


Thread cleaned. Stay on topic.

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450


5 minutes ago, Middcore said:

that should have made it obvious to everyone they would be just as anti-consumer as Intel as soon as they were in a dominant enough position that they thought they could get away with it. 

Should have, yes.

 

But for some reason, people are still clinging onto that "savior" mentality which makes them blind.

I can easily imagine what this thread's comments would look like if it was Intel or Nvidia instead of AMD

🌲🌲🌲


50 minutes ago, Arika S said:

Should have, yes.

 

But for some reason, people are still clinging onto that "savior" mentality which makes them blind.

I can easily imagine what this thread's comments would look like if it was Intel or Nvidia instead of AMD

I would like to think better of the people that post on this forum; that is to say calling out BS practices by any company. And believe me when I say that AMD, Intel, Nvidia, Dell, Lenovo, etc all deserve to be called out for their bullshit whenever and however it occurs.

 

Personally, I detest fanboy-ism in all its forms.


The PSB feature shouldn't be used at all, and it only creates more e-waste, as you can't remove the CPU and use it with another motherboard. I wouldn't recommend Lenovo because of their locking CPUs down to the motherboard.


11 hours ago, wanderingfool2 said:

As for your analogy it's more similar to blaming the driver for drunk driving (and you arguing that it should be the alcohol manufacturers who should be blamed).  AMD has it as a feature, it's Lenovo who chose to utilize it.

I don't think that's a good analogy, because alcohol and cars were not developed by the same company and everyone strongly discourages the use of both at the same time. This, however, was developed by AMD, who tout it as a feature.

 

I can't really come up with an analogy but I think putting this feature in the processors to begin with is the main issue, not that OEMs are using it. I mean sure, you can blame Lenovo for using the feature, but wouldn't it be better if the processors just didn't have the locking mechanism to begin with? 

 

Let's imagine that a mustard manufacturer starts promoting a new type of mustard as "the best tasting ever". Some restaurant starts using it because it tastes good, but then it is discovered that it contains an extremely addictive additive. Do you blame the restaurant because "they shouldn't have used that mustard in their food", or do you blame the mustard manufacturer for putting that ingredient in to begin with?

 

10 hours ago, tkitch said:

If someone has enough unfettered access to a system that they can do all of this work?

 

They can fuck my PC in plenty of other ways that are probably easier.

Well that was just one example. You potentially don't have to have physical access either. Malware in Windows could for example infect your BIOS, which in turn can infect your security processor.

Security is also about multiple layers. Just because a burglar can smash your window doesn't mean you shouldn't lock your door when leaving. Same thing here. Just because someone can do X doesn't mean you shouldn't protect yourself from attack Y.

 

 

 

I think the big question here is, is the extra security worth the drawback?

How many people actually swap CPU between motherboards, and how many people will potentially have their BIOS infected with malware?

I completely understand why AMD are doing this. They have essentially a whole other computer inside their CPU, and that computer has access to EVERYTHING. It has higher permissions than ring 0. If that gets infected then you are screwed. Not only would it be next to impossible to detect, it would also survive reinstalls of the OS. Hell, the only way to be sure you got rid of it would be to buy another processor. Being able to verify that the code it runs is trusted is potentially very important.

The question is, is it important enough to sacrifice the ability to move a CPU from one motherboard manufacturer to another? AMD and Lenovo seem to think it is.

I totally understand it on servers, but I think for home PCs it seems a bit overkill. But then again, it will only negatively impact the PC builder market, which is extremely small compared to all other users. Is screwing over the second hand market for the minority worth it if it means the vast majority gets higher security? Who knows...


3 hours ago, LAwLz said:

but wouldn't it be better if the processors just didn't have the locking mechanism to begin with? 

I'd say a better implementation rather than not having it: one that is centered around the system rather than the CPU, but which may or may not utilize a CPU feature. If removed from the system and placed into another, the CPU will still function; the original system, however, will not, without a secure data recovery or unlock process.

 

I just think the current method just doesn't really achieve any extra security really.


19 minutes ago, leadeater said:

I'd say a better implementation rather than not having it: one that is centered around the system rather than the CPU, but which may or may not utilize a CPU feature. If removed from the system and placed into another, the CPU will still function; the original system, however, will not, without a secure data recovery or unlock process.

 

I just think the current method just doesn't really achieve any extra security really.

I think the "problem" is that "the system" that is protected by this feature is inside the CPU. It's not protecting "the system" as in your computer that runs Windows. It protects the system inside the CPU (the secure processor).

This is not meant as protection for Windows or your other OS. This is meant to protect the security processor that is inside the AMD processor. It will not boot, and thus not risk getting infected with malware, if the BIOS has been "tampered" with (and "tampered" in this case means it is an unknown BIOS).

It absolutely does achieve extra security. The question is, are the drawbacks worth it for consumers?

 

Right now I can't think of a good way to achieve a fully unbroken chain of trust between the secure processor and the OS that also allows for resetting. Maybe if they could make the fuses reset-able, and had a type of passcode shipped with every processor? That way it would work the way it does right now, but if you sold something on the second hand market they could provide you with a reset code that restores the CPU to "factory settings". That potentially opens up the risk of someone attacking the "factory reset" function though at which point the chain is broken again.


Seems this is a feature available on all Ryzen 4000 Pro and 5000 PRO CPUs

 

https://www.amd.com/en/technologies/pro-security

 

Quote
  1. An OEM who has enabled the AMD Secure Boot feature grants permission for their cryptographically signed BIOS code to run only on their platforms using an AMD secure boot enabled motherboard. One-time-programmable fuses in the processor bind the processor to the OEM’s firmware code signing key. From that point on, that processor can only be used with motherboards that use the same code signing key.

 

 


34 minutes ago, LAwLz said:

I think the "problem" is that "the system" that is protected by this feature is inside the CPU. It's not protecting "the system" as in your computer that runs Windows. It protects the system inside the CPU (the secure processor).

The actual security protection they are looking for is to prevent firmware/microcode changes to the CPU and/or an embedded exploit in the security processor; however, this is to protect the system, not the CPU. Vendor locking the CPU in no way prevents the CPU from being attacked; it prevents the system booting after it has been, in theory.

 

You can compromise the CPU while it's running; you can compromise the CPU by taking it out and putting it into another same-vendor system board. Vendor locking does not stop the CPU being attacked.

 

34 minutes ago, LAwLz said:

Right now I can't think of a good way to achieve a fully unbroken chain of trust between the secure processor and the OS that also allows for resetting.

Well I would expect this to be used in conjunction with data encryption so if the system initiates an "unauthorized" boot the data cannot be unlocked to be read. At least in regards to the second hand market every boot would be "unauthorized" for a vendor locked CPU but at least it would work and could be used you just couldn't utilize anything more than PIN based Bitlocker without Secure Boot (this is supported).


13 minutes ago, leadeater said:

The actual security protection they are looking for is to prevent firmware/microcode changes to the CPU and/or an embedded exploit in the security processor

I know. That's what I said.

 

13 minutes ago, leadeater said:

however this is to protect the system not the CPU.

Well I guess it depends what you define by "system". It is to protect the secure processor. The OS being protected is the result of the secure processor being protected.

From now on I will stop using the word "system" because it can refer to several things. I recommend you do the same.

 

14 minutes ago, leadeater said:

Vendor locking the CPU in no way prevents the CPU from being attacked; it prevents the system booting after it has been, in theory.

The way I understand this, it does protect the secure processor.

Before the secure processor loads any code it checks the signature of the BIOS, and if it doesn't match, it doesn't load anymore. That way, only trusted BIOSes can interact with the secure processor. That will prevent an attack on the secure processor. It's not about protecting the OS. It's about protecting the secure system. It's to prevent it from loading unknown and untrusted code. That's why it gets attached to the CPU rather than the motherboard: because it's the CPU that needs to be protected and only work in safe systems. The motherboard doesn't give a crap about which CPU you put in. You can take whichever CPU you want, with whatever code on the secure processor you want, and put it in any motherboard.

 

What's more likely, that AMD, Dell, Lenovo, and so on have done a colossal fuckup and implemented a feature that doesn't do anything, or you have misunderstood the purpose of the feature?

It's to protect the secure processor. We don't want it loading untrusted code.

 

 

25 minutes ago, leadeater said:

You can compromise the CPU while it's running

When you say "CPU" do you mean the secure processor or the CPU? They are two very different things.

I'd like a source on the AMD secure processor being changeable while the BIOS or OS is loaded. My understanding is that it isn't. Even IF a BIOS was flashable without a reboot, while the system was running, then we still don't know what checks the secure processor does against the BIOS while it is running. It might do continuous checks whenever the secure processor is accessed.

 

27 minutes ago, leadeater said:

you can compromise the CPU by taking it out and putting it into another same-vendor system board.

That would not compromise the secure processor because it would not load unless the BIOS on the board was signed with the same key.

The secure processor simply does not boot unless the BIOS is signed to be trusted. If you were to modify the BIOS on a Lenovo motherboard, then the processor would not boot. It will only boot if the code in the BIOS is 100% signed by Lenovo. As soon as you touch even a single bit in the BIOS code, the signature check will fail and the secure processor will not load any code.

It doesn't matter that the board is from the same vendor. A CPU locked to a Lenovo motherboard might not necessarily work on another Lenovo motherboard. It's the cryptographic key that matters. 

 

32 minutes ago, leadeater said:

Well I would expect this to be used in conjunction with data encryption so if the system initiates an "unauthorized" boot the data cannot be unlocked to be read. At least in regards to the second hand market every boot would be "unauthorized" for a vendor locked CPU but at least it would work and could be used you just couldn't utilize anything more than PIN based Bitlocker without Secure Boot (this is supported).

I don't understand what you mean.

What exactly would be encrypted?

What do you define as an "unauthorized boot" and how would that be checked according to you?

What data are we talking about? The data on storage drives? This feature doesn't exist to protect that data. 
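The binding model LAwLz describes above (first boot with PSB on burns the fuse to the OEM key, any later boot checks the BIOS signature against that key), the AMD Pro Security quote earlier in the thread, and the "disable PSB in the BIOS so a new CPU stays unfused" point can all be walked through with a small simulation. The following is an added illustration written for this thread, not AMD's, Lenovo's or any OEM's code, and it knows nothing about the real fuse layout or signature format. It assumes an HMAC stands in for the real asymmetric BIOS signature, that the fuse records a hash of the OEM key, and that an already-fused CPU rejects any BIOS signed under a different key regardless of the board's PSB toggle (the thread disagrees on that last point; this model follows the AMD text).

```python
"""Toy model of the PSB CPU-to-OEM key binding discussed in the thread.
Added illustration only; not AMD's, Lenovo's or any OEM's real code."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: an HMAC over the firmware stands in for the real asymmetric BIOS
# signature, and the "verify key" carried with the image stands in for the
# OEM public key. The fuse stores only a hash of that key.


def key_id(verify_key: bytes) -> str:
    """What the one-time fuse records: a hash of the OEM key, not the key."""
    return hashlib.sha256(verify_key).hexdigest()


@dataclass
class BiosImage:
    code: bytes
    verify_key: bytes   # toy stand-in for the OEM public key inside the image
    signature: bytes

    @staticmethod
    def signed(code: bytes, oem_key: bytes) -> "BiosImage":
        sig = hmac.new(oem_key, code, hashlib.sha256).digest()
        return BiosImage(code, oem_key, sig)

    def signature_ok(self) -> bool:
        expected = hmac.new(self.verify_key, self.code, hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.signature)


@dataclass
class Motherboard:
    bios: BiosImage
    psb_enabled: bool = True   # the BIOS toggle the thread argues about


@dataclass
class Cpu:
    """Secure-processor state: a one-time-programmable fuse holding a key hash."""
    fused_key_id: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def boot(self, board: Motherboard) -> str:
        image = board.bios
        if self.fused_key_id is not None:
            # Already bound: only the same signing key is accepted, on any
            # board and regardless of the PSB toggle (assumption, see above).
            if not image.signature_ok():
                result = "REJECTED_BAD_SIGNATURE"
            elif key_id(image.verify_key) != self.fused_key_id:
                result = "REJECTED_KEY_MISMATCH"
            else:
                result = "LOADED"
        elif not board.psb_enabled:
            # PSB off before first boot: nothing verified, nothing burned.
            result = "LOADED_UNBOUND"
        elif not image.signature_ok():
            result = "REJECTED_BAD_SIGNATURE"
        else:
            # First boot with PSB on: blow the fuse with the OEM key hash.
            self.fused_key_id = key_id(image.verify_key)
            result = "LOADED_AND_FUSED"
        self.history.append(result)
        return result


def scenario() -> List[str]:
    """Walk a fresh CPU through the situations raised in the thread."""
    lenovo_key = b"constructed-lenovo-signing-key"   # constructed sample keys
    asus_key = b"constructed-asus-signing-key"
    lenovo_a = Motherboard(BiosImage.signed(b"thinkcentre bios v1", lenovo_key))
    lenovo_b = Motherboard(BiosImage.signed(b"thinkcentre bios v2", lenovo_key))
    asus = Motherboard(BiosImage.signed(b"asus bios v7", asus_key))
    tampered = BiosImage.signed(b"thinkcentre bios v1", lenovo_key)
    tampered.code = tampered.code[:-1] + b"X"   # one byte changed after signing
    modded_lenovo = Motherboard(tampered)
    lenovo_psb_off = Motherboard(lenovo_a.bios, psb_enabled=False)

    cpu = Cpu()
    cpu.boot(lenovo_a)           # first boot with PSB on: fuse is blown
    cpu.boot(lenovo_b)           # different board, same key: fine
    cpu.boot(asus)               # other vendor's key: refused
    cpu.boot(modded_lenovo)      # same vendor, modified firmware: refused
    cpu.boot(lenovo_psb_off)     # turning PSB off afterwards does not unbind

    spare = Cpu()
    spare.boot(lenovo_psb_off)   # PSB disabled before first boot: stays unbound
    spare.boot(asus)             # ...and can still be bound elsewhere later
    return cpu.history + spare.history


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

Running it prints one line per boot attempt. The two things worth noticing are that the binding is to the key, not the board (the second Lenovo board with different firmware bytes still boots), and that flipping the PSB toggle after the fuse is blown changes nothing, which is exactly the "unlock" confusion the thread went through.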
