I Broke This CPU on Purpose... Let me Explain

[AlexTheGreatish]

We got a Lenovo ThinkCenter that will lock down any CPU installed in it.. we think. The information is very poor so we need to try it for ourselves.

 

Watch ServeTheHome's video on PSB: https://youtu.be/KAVlHy05XzM

 

Buy ThinkCenter M75s: https://geni.us/qOhlQB

Buy AMD Ryzen 5 5600G: https://geni.us/T9WnVvR

Buy ASUS ROG Strix B550-E Gaming: https://geni.us/QMU2H

Purchases made through some store links may provide some compensation to Linus Media Group.

 

 

 

[DarkSplice]

It's really stupid like if you buy another motherboard it will not work and there goes your money

[Zodiark1593]

Regrettably, I’m no better than Linus when it comes to dropping stuff. So I can’t make fun of him for it. 

[Lightwreather]

AH, how far does the disease go? First droppping stuff by accident, now on purpose!? LMG staff should isolate themselves to prevent the spread of this curse.

/s, If it's not obvious

[BlueChinchillaEatingDorito]

21 minutes ago, DarkSplice said:

It's really stupid like if you buy another motherboard it will not work and there goes your money

Except no one is really buying office surplus machines for their CPUs. Most people who buy these things second hand buy the entire machine as a whole just throw a GPU in it and call it a day. So from an e-waste perspective, this is a non issue. The special form factor PSUs these machines use would be a bigger issue than a locked down CPU as those would be the first to fail or need upgrading. 

[creesch]

2 minutes ago, BlueChinchillaEatingDorito said:

Except no one is really buying office surplus machines for their CPUs. Most people who buy these things second hand buy the entire machine as a whole just throw a GPU in it and call it a day. So from an e-waste perspective, this is a non issue. The special form factor PSUs these machines use would be a bigger issue than a locked down CPU as those would be the first to fail or need upgrading. 

I think you are not taking recyclers into account who buy old semi broken hardware and bulk and strip out all the individual parts that still work as seperate products. Yes the PSU there would also be an issue in that regard, but here you are now also adding to CPU to the situation  in a much more insidious way. As the recycler might boot a PC, see that it works, strip out the "working" parts they can sell where you now have these CPUs being sold to unknowing consumers. 

[micahfocht]

I posted this in the floatplane comments, but I think it's interesting enough to post here too.

 

The idea of a second fuse that can permanently disable PSB seems like a good idea, but it probably won't work. If there's some fuse that can be set that would disable this feature, it would have to have some sort of scary message to inform users that PSB had been disabled. However, what would stop an attacker from modifying the bios, and simply removing this message? The whole point of PSB is to make sure that the bios is trusted, and if it can be disabled, then an attacker could simply disable it and then modify the bios to remove the message and report that the feature was still enabled. If PSB can ever be disabled, then it serves no purpose.

 

So what's a better way to do this that doesn't needlessly break CPUs? I'd propose that, instead of each vendor signing their own firmware and locking CPUs to that key, that each vendor should send their firmware to AMD for them to sign. This would allow for a secure chain of trust, since the firmware is still signed, and cannot be modified, but it would allow for reuse from one system to another. As long as the firmware was signed by AMD, the processor would run in the motherboard. Potentially, every processor could ship from AMD with these fuses pre-set, possibly improving security since an attacker with supply chain access would have to compromise both AMD and the vendor instead of currently where they could just compromise the vendor.

 

This might remove some of the freedom that users have on custom built systems; not allowing for the user to modify their bios, but I feel like this is a trade-off that makes sense.

 

As someone who has modified a bios in the past, I think signature enforcement from AMD is worth it. The types of machines where I would want to modify the bios on are prebuilt systems from the likes of Lenovo. In the past, I actually modified a bios on my Thinkpad t430 to remove the wireless card limitations. This would already be impossible with the given limitations of PSB. Lenovo can lock the bios down and I can't modify it. If other OEMs haven't done this yet, we can be sure they're watching what Lenovo is doing. If they can raise sales even a little by being able to ensure platform security, then they almost definitely will. That ship has already sailed as soon as the first vendor did it.

 

The bios on a motherboard from an ASUS or an MSI really doesn't need to be modded in the same way. Motherboard vendors aren't locking out certain components like full system vendors are. Maybe hardcore overclockers might be slightly constrained by not being able to modify their bios, but nearly everyone doesn't need to modify their bios, and those that do are likely working with vendors already and could have the vendor send the bios to AMD to be signed. If NVIDIA can do it, surely AMD can manage to come up with a similar solution.

 

This would give AMD more power over what features a vendor can add to their bios. If AMD doesn't want a vendor to allow overclocking on a low end platform, then they could refuse to sign a bios unless the vendor removes overclocking. We've seen Intel make these moves in the past, and while AMD hasn't yet, there's nothing stopping them from doing this. It isn't a perfect solution, but I think that it's better than locking every CPU to a certain vendor and essentially manufacturing e-waste.

[CerealExperimentsLain]

27 minutes ago, BlueChinchillaEatingDorito said:

Except no one is really buying office surplus machines for their CPUs. Most people who buy these things second hand buy the entire machine as a whole just throw a GPU in it and call it a day. So from an e-waste perspective, this is a non issue. The special form factor PSUs these machines use would be a bigger issue than a locked down CPU as those would be the first to fail or need upgrading. 

What are you talking about? The used market is literally tonnes of CPUs salvaged from otherwise 'junk' office hardware, including both desktops and servers.  The CPU is, typically, one of the longest lasting components, so they're the most likely to be salvaged and to go onto the used market.  Whole containers of these things go off to Asia where they are divided up into their resalable parts and that which has to be further processed for recycling.

[Nystemy]

To be fair the whole "Security" system from AMD is a bit laughable to be fair.

 

One of the main things this is supposed to protect again is firmware manipulation.

But since it couldn't rewrite the fuses, but still "magically" supports firmware updates _{(does it have a slew of additional fuses so it can amend for updates? This though is a countdown to "your CPU is bricked in X firmware updates.")}, then it also supports firmware downgrades. And we only really update firmware when security issues is known in the older version. Ie, downgrading is a problem. _{(I have read through any information from AMD on the topic that they have been providing, and to be fair they don't give a good answer. Though, finding whitepapers from AMD is a challenge in itself... Intel at least does this exceptionally well.)}

 

Secondly.

It would have been much better if the CPU just signed its own environment when the security feature is called for. Preventing ALL authorized firmware and hardware changes from taking place without admin intervention with knowledge of some pre shared key. Now, signing one's own environment doesn't prove security, it just protects what we have already validated to be secure through other means. _{(Other means usually being checksums and signatures. Reading BIOS chips in an EEPROM reader is trivial, and they are socketed partly for this reason.)}

 

But in the end, I am with Patric from serve the home, this security feature should be end user removable.

_{(preferably such that it makes it trivial for any application requiring security to be able to validate that the feature is on or off.)}

[SolarNova]

7 minutes ago, BlueChinchillaEatingDorito said:

Except no one is really buying office surplus machines for their CPUs. Most people who buy these things second hand buy the entire machine as a whole just throw a GPU in it and call it a day. So from an e-waste perspective, this is a non issue. The special form factor PSUs these machines use would be a bigger issue than a locked down CPU as those would be the first to fail or need upgrading. 

Just for the CPU ...ur probably right,

But for otherp arts aswell maybe not.

Some of these office machines used to be had really cheap, still can in some cases, and the combination of the CPU + RAM + Storage could be worth more than the price paid.

 

For example, a machine with say a i5 6600, 16gb RAM, and a 1TB HDD or 500gb SSD, could be had for under £200, Thats probably worth it to rip out the CPU RAM and HDD/SSD and maybe reuse the cooler, and put it in a non OEM 'proper' system. 

Get a B150/250 motherboard ..a 'new' tier C+ PSU, a cheapo case, and trade a kidney for a GPU and ur sorted for maybe £400... + 'a kidney'

 

Getting all the separately would like cost more., or maybe a similar price and be more a hassle buying from multiple sellers.

~£50 for a i5 6600

~£50 for 16gb DDR4

~£40 for a 480gb SSD

Ok so yea thats not quite £200, but ur also getting , while crap, a motherboard, CPU cooler, PSU , and case, and likely an OS that may or may not be transferable.

 

And ofc u always will have those systems that no longer work and are sold for parts, more often than not the motherboard or PSU is borked, but the CPU could be fine.

 

So at the very least i'd say it not ..not worth it.

 

[xtremeqg]

I signed up just to post this.

 

Vendor locking CPUs and vendor locking in general has nothing to do with security but instead has everything to do with money. In this case, AMD is providing Lenovo a (substantial) discount for this particular CPU. This is fairly normal practice but can come with negative side-effects, like one we are seeing here. The reason CPUs are locked to specific motherboards is to prevent resale at MSRP of the (heavily) discounted CPU, nothing more, nothing less. By vendor locking the CPU it is now worth a whole lot less as it is now inseparable from Lenovo's proprietary motherboard.

 

Apple's been doing the exact same thing in order to "persuade" customers into buying a brand new phone just because the home button stops working. The claim is that the fingerprint reader otherwise may otherwise be compromised. In reality all it takes is $0.02 worth of cello-tape...

 

The security part is just tacked on as marketing fluff to make buyers feel better.

[Nystemy]

2 minutes ago, xtremeqg said:

I signed up just to post this.

 

Vendor locking CPUs and vendor locking in general has nothing to do with security but instead has everything to do with money. In this case, AMD is providing Lenovo a (substantial) discount for this particular CPU. This is fairly normal practice but can come with negative side-effects, like one we are seeing here. The reason CPUs are locked to specific motherboards is to prevent resale at MSRP of the (heavily) discounted CPU, nothing more, nothing less. By vendor locking the CPU it is now worth a whole lot less as it is now inseparable from Lenovo's proprietary motherboard.

 

Apple's been doing the exact same thing in order to "persuade" customers into buying a brand new phone just because the home button stops working. The claim is that the fingerprint reader otherwise may otherwise be compromised. In reality all it takes is $0.02 worth of cello-tape...

 

The security part is just tacked on as marketing fluff to make buyers feel better.

Except the PSB feature comes from the server market.

And it is intended to be a Hardware root of trust on top of TPM.

 

Vender locking of chips in the way you described is however still a thing, especially common on network cards in servers...

But currently we are in a bit of a chip shortage and AMD's FAB allocations don't grow on trees, they won't be looking for ways to sell their chips at a discount to anyone at the moment, especially when perceived as "the high end" option on the market. And this is the main thing against that stance.

[Zodiark1593]

21 minutes ago, micahf said:

I posted this in the floatplane comments, but I think it's interesting enough to post here too.

 

The idea of a second fuse that can permanently disable PSB seems like a good idea, but it probably won't work. If there's some fuse that can be set that would disable this feature, it would have to have some sort of scary message to inform users that PSB had been disabled. However, what would stop an attacker from modifying the bios, and simply removing this message? The whole point of PSB is to make sure that the bios is trusted, and if it can be disabled, then an attacker could simply disable it and then modify the bios to remove the message and report that the feature was still enabled. If PSB can ever be disabled, then it serves no purpose.

 

So what's a better way to do this that doesn't needlessly break CPUs? I'd propose that, instead of each vendor signing their own firmware and locking CPUs to that key, that each vendor should send their firmware to AMD for them to sign. This would allow for a secure chain of trust, since the firmware is still signed, and cannot be modified, but it would allow for reuse from one system to another. As long as the firmware was signed by AMD, the processor would run in the motherboard. Potentially, every processor could ship from AMD with these fuses pre-set, possibly improving security since an attacker with supply chain access would have to compromise both AMD and the vendor instead of currently where they could just compromise the vendor.

 

This might remove some of the freedom that users have on custom built systems; not allowing for the user to modify their bios, but I feel like this is a trade-off that makes sense.

 

As someone who has modified a bios in the past, I think signature enforcement from AMD is worth it. The types of machines where I would want to modify the bios on are prebuilt systems from the likes of Lenovo. In the past, I actually modified a bios on my Thinkpad t430 to remove the wireless card limitations. This would already be impossible with the given limitations of PSB. Lenovo can lock the bios down and I can't modify it. If other OEMs haven't done this yet, we can be sure they're watching what Lenovo is doing. If they can raise sales even a little by being able to ensure platform security, then they almost definitely will. That ship has already sailed as soon as the first vendor did it.

 

The bios on a motherboard from an ASUS or an MSI really doesn't need to be modded in the same way. Motherboard vendors aren't locking out certain components like full system vendors are. Maybe hardcore overclockers might be slightly constrained by not being able to modify their bios, but nearly everyone doesn't need to modify their bios, and those that do are likely working with vendors already and could have the vendor send the bios to AMD to be signed. If NVIDIA can do it, surely AMD can manage to come up with a similar solution.

 

This would give AMD more power over what features a vendor can add to their bios. If AMD doesn't want a vendor to allow overclocking on a low end platform, then they could refuse to sign a bios unless the vendor removes overclocking. We've seen Intel make these moves in the past, and while AMD hasn't yet, there's nothing stopping them from doing this. It isn't a perfect solution, but I think that it's better than locking every CPU to a certain vendor and essentially manufacturing e-waste.

I feel that this feature enabled by default would be better served coupled with a BGA cpu, rather than socketed. Along with reduced package size and cost, you reduce risks of second hand customers being burned, and you present a strong physical obstacle to tampering. 

 

25 minutes ago, SolarNova said:

Just for the CPU ...ur probably right,

But for otherp arts aswell maybe not.

Some of these office machines used to be had really cheap, still can in some cases, and the combination of the CPU + RAM + Storage could be worth more than the price paid.

 

For example, a machine with say a i5 6600, 16gb RAM, and a 1TB HDD or 500gb SSD, could be had for under £200, Thats probably worth it to rip out the CPU RAM and HDD/SSD and maybe reuse the cooler, and put it in a non OEM 'proper' system. 

Get a B150/250 motherboard ..a 'new' tier C+ PSU, a cheapo case, and trade a kidney for a GPU and ur sorted for maybe £400... + 'a kidney'

 

Getting all the separately would like cost more., or maybe a similar price and be more a hassle buying from multiple sellers.

~£50 for a i5 6600

~£50 for 16gb DDR4

~£40 for a 480gb SSD

Ok so yea thats not quite £200, but ur also getting , while crap, a motherboard, CPU cooler, PSU , and case, and likely an OS that may or may not be transferable.

 

And ofc u always will have those systems that no longer work and are sold for parts, more often than not the motherboard or PSU is borked, but the CPU could be fine.

 

So at the very least i'd say it not ..not worth it.

 

Outside the top end for a given platform, Intel CPUs don’t hold value especially well. likely owing to EoL motherboards being the primary constraining factor. 

[micahfocht]

22 minutes ago, Zodiark1593 said:

I feel that this feature enabled by default would be better served coupled with a BGA cpu, rather than socketed. Along with reduced package size and cost, you reduce risks of second hand customers being burned, and you present a strong physical obstacle to tampering. 

I agree, but we're kinda past that point.  The cat is out of the bag with Lenovo, and I have no doubt that other vendors will be following the example that Lenovo set.  

[hishnash]

Personally it think vendors like Lenovo for these pro hardware platforms should have opted to use an auxiliary security solution.

namely have a seperate die on the motherboard that acts as the security chip, have this power on before the cpu, have it provide only signed validated bios images to the cpu and have it act as the TMP etc security chip and more.  This would cost them more for sure but would in fact let them build a most secure solution as it would let them init AMD-v and AMD-vi before the PCIe buss is powered on thus protecting the bios from PCIe based DMA attacks against the bios code. (typically Vi and VT-d are enabled after PCIe is powered own resulting in a wall crafted and timed PCIe device being able to DMA and modify the running bios code before it inits VT-d) if you have an auxiliary chip handle the power-on it can provide a read only memory tables for the BIOS to run from so when PCIe devices are powered on they are unable to modify the running bios (this is what the T2 chip does). 

But such a solution would cost more! 

the alternative would be for AMD to make it possible to re-set the bios signature lockout but when doing this also clear all keys stored in the TMP, so if you do load a malformed bios the result would be the hard drives would not be decryptable.  But doing this correctly and ensuring when you clear one key the other one is cleared on a socketed cpu is not easy since people do all sorts of voltage and timing attacks against hardware to trick this type of system (key kill power just at the right time so it clears 1 key but not the other). 

[RejZoR]

This makes absolutely no sense. What do you protect by locking CPU? It's not like you can modify software on CPU itself and put back in modified one. The issue is motherboards can have their BIOS modified. Yet Lenovo doesn't prevent that. They prevent it doing it the other way around.

 

To me this reeks of same shit Lenovo has been doing for years. Whitelisting components to their systems so you can't even swap a god damn WLAN module in a Lenovo laptop because the factory one sucks donkey ass (and it often does). No no no, you have to either hand it over to Lenovo service center or try to somehow find out which WLAN module is whitelisted and compatible and do it yourself.

 

Bottom line is, just don't buy Lenovo. For the love of god, just don't. Ever. They are an asshole company with greatly overhyped "quality" status. Only thing this does is create more e-waste all while protecting NOTHING.

[hishnash]

6 minutes ago, RejZoR said:

This makes absolutely no sense. What do you protect by locking CPU? It's not like you can modify software on CPU itself and put back in modified one. The issue is motherboards can have their BIOS modified. Yet Lenovo doesn't prevent that. They prevent it doing it the other way around.

There is not easy way to provide the BIOS from being modified without spending a LOT of money (see T2) since the bios chip can be easily removed and replaced.  The main issue with a modified bios is if when the bios is modified the TPM is not reset. AMD could have come of up with a solution the re-sets the TPM if you boot with a different bios signature. 

[RejZoR]

Yeah, but Lenovo doesn't have T2 chip like Apple does. And in case of Apple, it actually does make sense. They have everything soldered down and T2 ensures even if you go the length of desoldering and replace components using hacked bits that would grant you access somehow, you're not getting any data from any of it. Which is a compelling argument when you want a secure system that will keep your data secure and it actually makes sense, even if repairing such device makes it incredibly difficult because replaced components won't work here or anywhere else. That particularly involves storage mediums, not CPU which stores nothing at all.

 

Here, I honestly have no idea what you're protecting by making CPU and CPU only useless in any other system than this. And I'd ask LTT to go further and check if this particular CPU locked on this particular system would even work in ANOTHER system made by Lenovo. Why do I have a suspicion this locked CPU wouldn't work in any other Lenovo system either and it's not a "Lenovo only systems" thing but literal locking of CPU to this exact system. I'll ask @AlexTheGreatish and see if they have any other Lenovo system around and see if they can try booting up that other Lenovo system with this locked CPU. I mean, what do you benefit from all this exactly? You're not protecting any of the data stored on said system, but you prevent CPU from being used anywhere else. Stinks of intentionally and unnecessarily locking people into Lenovo systems and nothing else.

[Nystemy]

50 minutes ago, RejZoR said:

This makes absolutely no sense. What do you protect by locking CPU? It's not like you can modify software on CPU itself and put back in modified one. The issue is motherboards can have their BIOS modified. Yet Lenovo doesn't prevent that. They prevent it doing it the other way around.

 

To me this reeks of same shit Lenovo has been doing for years. Whitelisting components to their systems so you can't even swap a god damn WLAN module in a Lenovo laptop because the factory one sucks donkey ass (and it often does). No no no, you have to either hand it over to Lenovo service center or try to somehow find out which WLAN module is whitelisted and compatible and do it yourself.

 

Bottom line is, just don't buy Lenovo. For the love of god, just don't. Ever. They are an asshole company with greatly overhyped "quality" status. Only thing this does is create more e-waste all while protecting NOTHING.

It isn't Lenovo that came up with any of this.
PSB is an AMD specific feature that have existed in the server space for a long time.

 

Lenovo is just "the first" manufacturer that decided to enable the feature on their non server products, for the reason that it "provides security."
Though, the CPU does store a signature of what the BIOS is.

 

However, it only stores a signature of who has signed the firmware, so it will accept any other firmware by the same vendor. Be it brand new firmware with the latest security patches, or a really old one known to have security issues left and right. The CPU don't care and will run as long as it is signed by the same vendor.

 

A better solution would have been if the CPU hashed the BIOS contents, made a signature of this hash, and then stored that out in BIOS _{(in an area that isn't part of the hash, since if one modifies the signature it won't be valid regardless)}. Effectively putting a lid on top of what we have "secured" already. Then it is just up to us as "security conscious" users to validate that we in fact have the correct firmware. Usually by taking out the BIOS chip, putting it in an EEPROM reader and writing in the firmware we can actually trust. Though, only organizations that are really serious about security would actually do this.

 

But in the end, AMD has decided that security is achieved through vendor locking.
It isn't Lenovo at fault here.

[RejZoR]

So, bad guys just have to be sure to use another Lenovo system to do bad things. Still don't understand what's even the "security" aspect of this feature. It literally protects nothing. Other than Lenovo sales anyways...

[tkitch]

8 minutes ago, RejZoR said:

So, bad guys just have to be sure to use another Lenovo system to do bad things. Still don't understand what's even the "security" aspect of this feature. It literally protects nothing. Other than Lenovo sales anyways...

by locking the CPU to a cryptographic key, if someone modifies the bios illicitly, that key (should) be changed by the modifications.

 

Thereby making the system not boot anymore.  

[dogwitch]

linus dropping some beats... wait i mean cpus.... wait is it gpus?

[SkyHound0202]

AMD should distinguish their OEM product by adding a vendor code somewhere (maybe laser etch it onto the IHS), and permit booting a tempered Pro series processor on consumer board with PSB associated features disabled. Samsung does this to their client SSD all the time, i.e., Lenovo's Samsung PM981 SSD (OEM equivalent of 970 EVO Plus) has a 000L2 suffix. While you can boot the drive on any other systems, only Lenovo firmware can be used to upgrade the drive.

[GodAtum]

17 hours ago, BlueChinchillaEatingDorito said:

Except no one is really buying office surplus machines for their CPUs. Most people who buy these things second hand buy the entire machine as a whole just throw a GPU in it and call it a day. So from an e-waste perspective, this is a non issue. The special form factor PSUs these machines use would be a bigger issue than a locked down CPU as those would be the first to fail or need upgrading. 

You forget about sellers taking the CPU out and scamming people. I've bought these CPUs on Ebay thinking they'll work but the didn't. The seller refused to refund me.

[Ubersonic]

Playing devils advocate here, but the machine in the video is a business PC designed for customers who will either use it until the 5 year warranty expires then send it for disposal or carry on using it until it fails out of warranty then send it for disposal.  The only people this should really inconvenience are thieves who steal the PC or parts from it.