The problem is the AMD PSB functionality in itself. It should be considered malware like the Intel managament engine and thus refused by users. It's a second processor that runs a proprietary firmware signed by the vendor (that the user cannot modify or substitute entirely with a FLOSS alternative) that vendors can use do harm to the user.

The AMD PSB can also be used to lock down a processor to enforce secure boot and thus don't let you run an unsigned operating system, i.e. no longer allowing you to run Linux on your machine that comes out of the factory with Windows preinstalled. That would be a very very bad thing.

Unfortunately both for Intel and AMD you don't have choices these days. I'm hoping someone develops a processor based on the RISCV architecture (a free architecture that doesn't include that shit) to be used in a computer entirely under the control of the user (hardware and software) and not the corporation that makes it.

There are a couple of issues I see with this.

First, the security argument is nonsense in my opinion. This "feature" only prevents an attacker from flashing a modified, malicious BIOS on to the server.

But: If an attacker manages to flash a new BIOS to your server, you're already lost. That either requires physical access (which is bad), or access to the OOB / BMC / IPMI (which is equally bad, because those usually have a remote KVM feature, so you could e.g. boot the OS into recovery mode)

It does not prevent any other attacks, because you could still swap out the CPU. The servers usually just quietly burn the CPUs, so you wouldn't notice if the CPUs were replaced by an attacker.

Second, this produces a lot of unnecessary e-waste. About 99% of all hardware (except HDDS) from datacenters is sold on the second hand market. Locked CPUs are essentially worthlese, especially if buyers or sellers don't know and throw the CPU away because they think it's defective.

Third, this opens up a MASSIVE attack surface. Imagine if somebody finds a bug im the PSP (Platform Security Processor, a CPU inside the CPU that handles the locking thing amon g other things) and is able to burn arbitrary keys into the CPU. The attacker would randomly generate a key and burn them into the CPU. You could permanently kill an entire datacenter with that within seconds.

Or if somebody manages to write a malicious BIOS version and flash it to servers which usually don't have a locked BIOS. This BIOS version would also burn a random key into the CPU with the same result: You can easily permanently destroy an entire datacenter.

I think this is just AMD's greediness again in the cloak of "improving security"

This different article from STH explains what the AMD PSB is, without having to watch a video: https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-...

> An OEM who trusts only their own cryptographically signed BIOS code to run on their platforms will use a PSB enabled motherboard and set one-time-programmable fuses in the processor to bind the processor to the OEM’s firmware code signing key. AMD processors are shipped unlocked from the factory, and can initially be used with any OEM’s motherboard. But once they are used with a motherboard with PSB enabled, the security fuses will be set, and from that point on, that processor can only be used with motherboards that use the same code signing key.

Basically, the CPU once in that mode will only work with the same signing key, and cannot be put on a motherboard from another brand (or potentially another model from the same manufacturer).

How is it not illegal to do this without at least first ASKING the user for confirmation? I'd be annoyed but find it 'merely anti-consumer' rather than 'intentional destruction of property' if the BIOS refused to finish POST without the user confirming that yes, they want to sacrifice this CPU and make it (p)owned by $CORP.

If you buy a Lenovo, then the CPU dies and you replace it with an unlocked retail one, will the motherboard blow the fuses in the new one and lock it too as soon as you power it up?

Could it be AMDs doing behind the scenes? I don't see the motivation for Lenovo here but I do see AMD asking vendors to do this to prevent OEM CPUs completing with retail CPUs.

All in the name of "security" of course.

lenovo again.. when it's not shipping with rootkits (they did it twice!) and bloatware, it's about limiting HW

a company to boycott

Remember lenovo white listed wifi cards. I wouldn't be surprised if they locked the keyboards to their computers or the power supplies.

I hate it when an article goes on without ever mentioning what an acronym stands for. PSB = Platform Secure Boot

Isn't Lenovo the problem? CPU vendors have to implement a secure enclave somehow to fulfill requirements from the content industry for quite some time now. But there never was a nefarious actor like Lenovo in this case to my knowledge.

I understand from this case that my reasonable course of action is to inform my (non-IT-focused) peers and friends that they should avoid Lenovo by explaining the reason behind it (your device is worth less, since you won't be able to install linux or a Mac Clone!) to them.

Can't we just bridge the connection with a lead pencil like on the old CPUs haha

undefined

I wonder if it is possible to return such a system to the vendor based on a claim that the lock is irreversible decreased it's consumer value?

I'm not up on CPU terminology. I read the article and I don't know what this means.

What is "locking" in this context?

What is the "AMD PSB" ?

So to "protect" us from APTs, they've gone the same way that Intel did with their "Management Engine". In other words, you are pretty much fucked when a nation state uses the secret built-in exploits to pwn your system.

undefined

undefined

undefined

undefined

Someone still buys Lenovo?