AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost
Manufacturers push the term "gray market" to imply that resold goods are somehow bad and people who sell them are participating in something like an illegal black market. Reselling equipment is a normal part of doing business. There's nothing gray about it.
There is no separate market for new products that have been bought from manufacturers and resold. It's just one market. We don't need to refer to something that doesn't exist, so we don't need a special term for it.
The term "gray market" is linguistic manipulation to benefit manufacturers at the expense of customers, society, and the environment. Let's stop using the term.
For products that have been used, we have a "second-hand market".
So this basically seems like the AMD equivalent of Intel Boot Guard, except that the keyfusing seems to be done on the CPU, not the PCH.
What I'm hearing here is that Dell, HP, etc. are designing their firmware to keyfuse any unfused CPU it sees to their firmware automatically, silently, and without any prompting whatsoever. And that AMD apparently has no problem with this.
In no way, shape or form is this a reasonable design. A boot prompt before basically quasi-destroying (for many purposes) a CPU would be the only reasonable thing to do. "This operation is irreversible and will render the CPU unusable in other machines", etc.
I'm wondering if Dell etc. could be sued for this.
> Outside of x86, IBM POWER10 is making a push for enhanced security, so they will need to have a silicon root of trust to enable their security feature set.
If this were true, this would make POWER10 dead-on-arrival in terms of being something Raptor is willing to ship. Comments made by Raptor don't suggest this and suggest they will be able to ship POWER10 eventually, so it doesn't seem likely.
Keyfusing is an excessively brittle technology, can't support key rollover (you're stuck with one key forever, or at best can change it only a couple of times, depending on the size of OTP), and is basically unusable for owner controlled (not vendor controlled) secure boot.
The "this is for security" argument would make sense if they only locked CPUs that were sold by the vendor together with the motherboard, or if they had an action that an administrator could affirmatively take to lock the CPU.
But automatically, permanently "poisoning" any CPU that's inserted into the socket after a single boot? That sounds like it's being done for economic reasons.
They want to turn the used CPU market into a sketchball market for lemons so that everyone is so scared that they only buy board+CPU combos directly from the vendor rather than trying to save a few pennies here and there.
It's not really vendor locking by design. It locks to a signing key. That key COULD be shared between vendors, or even a single vendor could have multiple incompatible keys.
It provides a mechanism to prove the entire boot process hasn't been tampered with, but I wish AMD provided a way to run these fused processors in a generic way without the security chain, with it just reporting that there isn't a secure root of trust. However I assume they are afraid of that allowing malicious code to fool deeper parts of the system without the system administrator knowing.
So good for security, but bad for e-waste and second hand sales.
If I put a CPU in a server (Dell, HP, whatever), and that CPU then doesn't function in other equipment, then that CPU is broken. That's not an exaggeration in any way.
So, the server maker then owes me a new CPU (of the same model, obviously) that does work.
It'll be interesting to see the legal fallout from this, as purposely breaking customer owned gear is not going to end well.
I am beyond sick of this "security" justification being used for everything. At the end of the day, the only thing really being secured are the greedy vendor's profits.
These kinds of DRM-like 'security' features started being implemented first with phones and consoles and then spread throughout the entire industry like a cancer.
Many of the features of the AMD PSP could be implemented as hardwired logic, no need for a CPU for that. And thus no chance of malware being able to run undiscovered.
It's like Orwellian doublespeak, in fact the Platform Security Processor might well be making the entire system less secure. Because we cannot inspect the content of the eFuse ROM how do we know if a state level adversary has placed code in there to weaken the system security?
Note: On the nVidia Tegra platform the eFuse ROM can contain executable code to patch the boot-up process, as Nintendo has done with the Switch console. It's likely that AMD has such similar functionality.
So the PSP could be cracked, and then CPUs can be eFused with malware before shipping the server, and nobody would know that there's an easily exploitable vulnerability now present.
I guess one of the real purposes of the PSP is to protect AMD's security and prevent the user from unlocking disabled cores, boosting clock frequencies, retrieving HDCP keys, etc. on both CPUs and GPUs. So it's partly to prevent the owner from doing what they want with the hardware.
How many exploits/breaches in the wild due to open s3 bucket, default admin passwd to database, poorly written webshit code, plaintext password, etc. ? And how many prevented by secure boot, boot guard, memory encryption, ME, PSP etc. ? Other than obvious money reasons for Dell, people seem to be vastly overestimating their threat models. And even for the secure chain of trust, there are ways to do so where the owner has the key, not the vendor. See heads for example.
This is bullshit. Unless it clearly says at boot 'continuing will permanently prevent your CPU from being used in a non-Dell computer y/n?' they are asking for a lawsuit for damaging hardware.
It should be illegal to lock devices like that. Pure corporate greed. It is sad that as soon as AMD restored its glory they went for a cheap cash grab. It should be easy to tell that a device is running an unsigned boot loader without blocking it (e.g. a jumper on the motherboard). If an attacker is able to switch a jumper, then you have bigger problems than a boot loader. The community should nip this in the bud and call out AMD.
This may well be a case of: the vendor does this, they get a better price as it removes all aspects of reselling the CPUs on and the whole grey market risk - https://en.wikipedia.org/wiki/Grey_market
For a large vendor, such details may mean a few dollars saving on the CPUs, and that will add up. For many it won't be an issue, more a gotcha for the second hand market upon those thinking they can buy and part it out. So down the line, this is going to make some second hand CPUs a real gotcha unless these chips have identifiable visible marking.
That seems absurd, why not just clear the secure area (or make it inaccessible until cleared) if the processor detects a different firmware instead of not booting?
Looks like they might be doing this intentionally to get some sort of financial gain: perhaps the plan is that this would lead to fewer used AMD chips being resold and thus more AMD chips bought from AMD itself and more profit for AMD?
Even then, why would Dell play along? Is AMD contractually forcing them to create a firmware that locks the chips? What about the massive liability of customers demanding refunds or suing them because the Dell firmware irreparably damaged their CPUs?
If this was about actual security, not destroying the secondary market, the obvious solution for this would be providing a way to "factory reset" the CPU using a pin that is normally physically disconnected.
An attacker that breaks into your datacenter to physically reset the CPU could also swap it, so once you have physical access, the security argument doesn't hold. OEMs/recyclers could simply plug each CPU into a testing/resetting jig that has this connected, or mainboards could have a jumper for it.
Disgusting.
Edit: I wonder if this will enable a new category of ransomware. "Pay us (half the current value of your CPUs) to get your firmware signed with the key that we just locked all the CPUs in your fleet to".
Why does this require to blow fuses? Just store a secret into the CPU that can only be unset if the same secret is provided again. It could be totally reversible, as long as you know the secret, that way the lock could be removed when decommissioning the system.
With a tiny bit more fancy crypto one could also generate per-system unlock keys so that a vendor doesn't have to reveal his master lock or something like that.
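The two comments above sketch a reversible lock: store a commitment to a secret instead of blowing a fuse, and derive per-system unlock keys from a vendor master key so the master never has to be revealed. The following is an added model of that proposal, not code from the thread, from AMD or from any vendor; it assumes the CPU has rewritable non-volatile storage for the lock state that only the CPU's own lock/unlock logic can write, uses SHA-256 as the commitment and HMAC-SHA256 for key derivation, and all serials, key names and the master key are constructed.

```python
"""Model of a reversible CPU lock: commitment H(unlock_key) instead of a fuse.

Added example (not AMD's, Dell's or the thread's code). Assumptions:
 - the lock state lives in rewritable NVM that only this logic can write;
 - the commitment is SHA-256 of the unlock key;
 - per-system unlock keys are HMAC-SHA256(master_key, serial), so the vendor
   hands out only the key for the CPU being decommissioned.
All serials, key strings and the master key below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class CpuLockState:
    serial: bytes
    commitment: Optional[bytes] = None        # H(unlock key) while locked, else None
    bound_vendor_key: Optional[bytes] = None  # H(firmware signing pubkey) while locked


def derive_unlock_key(master_key: bytes, serial: bytes) -> bytes:
    """Per-system unlock key; a key for one serial does not unlock another CPU."""
    return hmac.new(master_key, b"cpu-unlock-v1|" + serial, hashlib.sha256).digest()


def lock(state: CpuLockState, vendor_pubkey: bytes, unlock_key: bytes) -> None:
    """Bind the CPU to a vendor signing key; store only the hash of the unlock key."""
    if state.commitment is not None:
        raise RuntimeError("CPU already locked")
    state.commitment = h(unlock_key)
    state.bound_vendor_key = h(vendor_pubkey)


def unlock(state: CpuLockState, candidate_key: bytes) -> bool:
    """Clear the lock only if the presented key matches the stored commitment."""
    if state.commitment is None:
        return False
    if not hmac.compare_digest(h(candidate_key), state.commitment):
        return False
    state.commitment = None
    state.bound_vendor_key = None
    return True


def firmware_accepted(state: CpuLockState, firmware_pubkey: bytes) -> bool:
    """Locked CPU boots only firmware signed by the bound key; an unlocked CPU
    boots anything (and would report that no hardware root of trust is set)."""
    if state.commitment is None:
        return True
    return hmac.compare_digest(h(firmware_pubkey), state.bound_vendor_key)


def demo() -> dict:
    master = b"constructed-vendor-master-key-not-a-real-secret"
    cpu = CpuLockState(serial=b"EPYC-SN-0001-CONSTRUCTED")
    other_cpu = CpuLockState(serial=b"EPYC-SN-0002-CONSTRUCTED")
    vendor_a = b"VENDOR-A-FIRMWARE-SIGNING-PUBKEY"  # constructed
    vendor_b = b"VENDOR-B-FIRMWARE-SIGNING-PUBKEY"  # constructed
    r = {}
    # First boot in a vendor-A system locks the CPU to vendor A's key.
    lock(cpu, vendor_a, derive_unlock_key(master, cpu.serial))
    r["locked_accepts_vendor_a"] = firmware_accepted(cpu, vendor_a)
    r["locked_rejects_vendor_b"] = firmware_accepted(cpu, vendor_b)
    # Another system's unlock key, or a guess, does not clear the lock.
    r["other_cpu_key_unlocks"] = unlock(cpu, derive_unlock_key(master, other_cpu.serial))
    r["guess_unlocks"] = unlock(cpu, b"wrong-key")
    r["still_locked"] = cpu.commitment is not None
    # Decommissioning: vendor releases the per-system key, CPU becomes generic again.
    r["correct_key_unlocks"] = unlock(cpu, derive_unlock_key(master, cpu.serial))
    r["unlocked_accepts_vendor_b"] = firmware_accepted(cpu, vendor_b)
    # A new owner can bind it to their own vendor key.
    lock(cpu, vendor_b, derive_unlock_key(master, cpu.serial))
    r["relocked_rejects_vendor_a"] = firmware_accepted(cpu, vendor_a)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The security of this model rests entirely on the CPU gating writes to the lock state: if untrusted firmware could overwrite the commitment, the lock would be as good as absent, which is presumably why one-time fuses were chosen in the first place. The per-system derivation also means the vendor's master key becomes a single point of failure for every fleet it has locked, so it needs the same handling as the firmware signing key.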
Unlocking bootloaders is a solved problem on android. Why introduce a worse solution that creates vendor lock-in?
I don't understand what this secures, with the exception of Dell's profit.
If it locks the CPU to a certain manufacturer, all an attacker has to do is get an identical new system and swap the CPUs.
Besides, what matters is the data on the storage. Is it encrypted with keys stored on the CPU? If it's not, how does this help?
I honestly don't see why the CPUs couldn't from the factory contain a public key from AMD, and from there AMD issues certificates to firmware vendors to sign their firmware with. This would allow the CPU to 'verify' the certificate chain of the firmware that is being used without locking it to a specific vendor. This decreases security a little because the leakage of a single signing certificate means you can run malicious firmware on any device, but it seems like it's much more consumer friendly.
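The comment above proposes a chain of trust: one AMD root public key in every CPU, a certificate from AMD for each firmware vendor's key, and firmware signed by the vendor key, so the CPU verifies the chain rather than binding itself to one vendor. The following is an added model of that design, not AMD's, Dell's or the thread's code. It uses textbook RSA over fixed Mersenne primes with the SHA-256 digest reduced modulo n purely so it runs on the Python standard library; a real design would use a proper signature scheme with padding. It also adds a revocation list for the caveat the comment raises about one leaked vendor key. Key names, vendor names and the firmware bytes are constructed.

```python
"""Root key -> vendor certificate -> firmware signature chain, as a model.

Added example (not AMD's or any vendor's code). The signature primitive is
textbook RSA (e=65537, fixed Mersenne primes, SHA-256 digest reduced mod n);
it stands in for a real signature scheme only so the example is stdlib-only.
Vendor names, keys and firmware images are constructed.
"""
import hashlib

E = 65537


def make_key(p: int, q: int) -> dict:
    """Toy RSA key from two fixed primes (constructed, not a real keygen)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "d": d}


def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: dict, data: bytes) -> int:
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub_n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, pub_n) == digest_int(data, pub_n)


def cert_tbs(vendor: bytes, vendor_n: int) -> bytes:
    """The bytes AMD signs for a vendor certificate: name plus vendor public key."""
    return b"vendor-cert-v1|" + vendor + b"|" + vendor_n.to_bytes(128, "big")


def issue_vendor_cert(root_priv: dict, vendor: bytes, vendor_n: int) -> dict:
    return {"vendor": vendor, "n": vendor_n, "sig": sign(root_priv, cert_tbs(vendor, vendor_n))}


def sign_firmware(vendor_priv: dict, image: bytes) -> int:
    return sign(vendor_priv, b"firmware-v1|" + image)


def cpu_verify_firmware(root_n: int, cert: dict, image: bytes, fw_sig: int,
                        revoked: frozenset = frozenset()) -> bool:
    """What the CPU would do at boot: check the vendor cert under the fused
    AMD root key, then check the firmware under the vendor key."""
    if cert["vendor"] in revoked:
        return False
    if not verify(root_n, cert_tbs(cert["vendor"], cert["n"]), cert["sig"]):
        return False
    return verify(cert["n"], b"firmware-v1|" + image, fw_sig)


def demo() -> dict:
    root = make_key(2**127 - 1, 2**521 - 1)    # AMD root (constructed)
    vendor_a = make_key(2**89 - 1, 2**107 - 1)  # a legitimate OEM (constructed)
    rogue = make_key(2**31 - 1, 2**61 - 1)      # key with no AMD-issued cert
    cert_a = issue_vendor_cert(root, b"VENDOR-A", vendor_a["n"])
    # Rogue "cert" is self-signed, i.e. not signed by the root key.
    rogue_cert = {"vendor": b"ROGUE", "n": rogue["n"],
                  "sig": sign(rogue, cert_tbs(b"ROGUE", rogue["n"]))}
    image = b"constructed firmware image bytes"
    sig_a = sign_firmware(vendor_a, image)
    return {
        "vendor_a_ok": cpu_verify_firmware(root["n"], cert_a, image, sig_a),
        "tampered_image": cpu_verify_firmware(root["n"], cert_a, image + b"\x00", sig_a),
        "rogue_chain": cpu_verify_firmware(root["n"], rogue_cert, image,
                                           sign_firmware(rogue, image)),
        "revoked_vendor": cpu_verify_firmware(root["n"], cert_a, image, sig_a,
                                              revoked=frozenset({b"VENDOR-A"})),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The trade-off the comment identifies is visible in the last case: once a vendor key leaks, the only remedy is revocation, and a revocation list is itself mutable state the CPU has to protect, which brings back part of the problem a fixed fused key avoids.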
Does this defend against any additional attack surface that wasn't already defended by the UEFI Secure Boot standard?
This sounds reasonable. I mean to bypass this lock our criminal would have to ... replace the CPU and continue attack like nothing happened. Totally infeasible, inconceivable even! proving this was introduced for safety and not Vendor_lock-in!!!1
I can think of two scenarios where this security feature is helpful.
First, somebody breaks into a server room, replaces the motherboard with a compromised one, and notices mid replacement that they forgot a processor. (Since the processor locks during first boot, it is of no use if the supply chain is compromised before the first boot. On the other hand, I would imagine somebody willing to break into a data center to replace a motherboard would also be willing to do all kinds of other shenanigans, like bringing another processor.)
The second scenario is, somebody thinks about buying a used instead of a new processor.
I'm not as sketched out about this as if it were single socket workstation Ryzen/Threadripper CPUs, in the market from $1000 to $6000 workstation desktops where enthusiasts and people with specific requirements (or just 10, 15, 20 years of experience building x86-64 PCs themselves) would want to build their own desktop from individual components ordered off Newegg.
I doubt more than a single digit percentage of 'serious' dual socket (64-128+ core) rackmount server customers are going to be buying their own barebones motherboards and CPUs and assembling it themselves. They're going to buy it from a Dell, HP or a Supermicro integrator or similar. If you're buying a $12,000+ server with 128 cores and 512GB to 4TB+ of RAM and some fast NVME storage it's highly unlikely you're putting it together yourself.
Any massive hosting/cloud scale operations that want to DIY their own EPYC systems from pieces will be doing it through a Taiwanese integrator, such as those that supply the ecosystem components for open compute platform server motherboards. And as such they'll also not encounter any technical issues or procurement issues with this. At the point where you have two $3000 CPUs on a motherboard that costs $1200, the full firmware/motherboard/CPU integration and qualification process is very different than putting a $399 ryzen into a $300 board.
This would be better if there were a physical-only method to factory reset the CPU, instead of blowing fuses.
What problem is this trying to solve? Is there that much of a black market for data center CPUs?
I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened.
Sorry to be blunt, but am I correct that this is a measure against tampering with servers by Chinese intelligence during the customs process? In that case, are the CPUs themselves signed or could they be replaced after modifying the motherboard?
Because otherwise it's really hard to see why the website would claim that every end user would be enthused about these lock-ins. Sort of a weird statement.
I thought this type of system would provide a way to revert to factory defaults with a side effect of erasing all keys. So the processor would no longer be secure, but would at least still boot. Maybe this clearing can be done through the BIOS/UEFI on the original Dell system.
One time programmable fuses are rather terrible. I'd rather have an old UV resettable fuse that would also clear the key space. Or perhaps a set of contacts to reset the fuse, like a jumper or lands that should be connected with a pencil.
The article was updated with new info from HPE:
"HPE does not use the same security technique that Dell is using for a BIOS hardware root of trust. HPE does not burn, fuse, or permanently store our public key into AMD processors which ship with our products. HPE uses a unique approach to authenticate our BIOS and BMC firmware: HPE fuses our hardware – or silicon – root of trust into our own BMC silicon to ensure only authenticated firmware is executed. Thus, while we implement a hardware root of trust for our BIOS and BMC firmware, the processors that ship with our servers are not locked to our platforms. (Source: HPE)"
Is there any way to “fix” the processor afterwards? Maybe send it to AMD to be reset? If I’m buying a multi thousand dollar processor, I’d feel better if I could reuse it in other systems if needed.
This is just waiting to be abused. No software or firmware (or even silicon!) is 100% secure; if at any point someone figures out a way to flip a fuse (maybe something like creating a short by overloading two adjacent fuses or abusing reads via power supply glitching) and then make the CPU unusable for everyone...
Hell, next step might be ransomware that fuses your CPU and unless you pay them they will reboot them so you can't use them any more until you buy their signing key.
TL;DR: Put an EPYC CPU in a Dell once, and it will never work again in any other vendor's motherboard? Is that right?
Some enterprising enthusiasts will find a way around this, I hope.
Amidst all the hype for firmware security, one point missing in these discussions is how many points of failure these guys have added. 1) Intel/AMD for ME/PSP 2) Dell for bios signing keys 3) MS for secureboot keys 4) American Megatrends, Phoenix, etc., companies that people don't even know exist, who actually write the bios code. If the threat model is nation state attacks, there is plenty of surface area here in the circus.
I'm looking forward to the malware/ransomware that permanently locks CPUs to an attacker-signed BIOS.
This will be an interesting mess on eBay.
"Vendor-Locks" perhaps?
I get why it's done, but all this locking down of modern systems is making me rapidly lose interest in computing.
So where are all the AMD fans who "will never buy either Intel or Nvidia" now?
I didn't read the article. I felt like the author had an assignment to make it a certain length and is filling it with useless sentences.
If you don't provide this, enterprise vendors won't be buying AMD CPUs, and AMD loses. (They desperately need those EPYC sales.)
If they do, lots of people, whether they will buy it or not, will complain and make a big fuss about it. If they are going with vendor lock they might as well go back to Intel.
Looks like AMD just can't win.
The title as submitted to HN is super clickbaity. Overall this doesn't seem 'bad', aside from some questionable defaults that other commenters said about it being enabled by default.
Honestly I see this as a net positive. It increases the security of the server, which is good for everyone. The secondary market will adjust accordingly, probably by selling the processor/motherboard/barebones server together. The only issue I can see is that there is no way to distinguish a locked processor from an unlocked one.