Yikes! Lenovo is vendor-locking AMD Ryzen CPUs via PSB 

ServeTheHome

Published: 21 Aug 2024

Comments: 758
@denvera1g1 2 years ago
Been waiting on this piece since I found that my M75Q Gen2's 4750GE wouldn't work in my ASUS board, but my unlocked Ryzen 6 Pro 4650G would. I was able to verify that the (edit: Pro) 3400GE from the M75Q Gen1 was able to work without issue on the M75Q Gen2, but it did not work in reverse, which isn't surprising because the Gen1 BIOS probably doesn't include microcode (edit: for the 4650GE). Also of note, on both the M75Q Gen1 and M75Q Gen2, no notification was given if a non PSB processor was installed. My 3400G non Pro just booted right up, it took a few more seconds, but I was not presented with a notification.
@ServeTheHomeVideo 2 years ago
Thanks for the nudge on doing this video. You were the big driver for it.
@nighthawkvc25a 2 years ago
Thanks for the heads up about the 4750GE on an Asus board. Right now, I have a Ryzen 5 Pro 3400GE that I took out of an M75Q Gen1 and it works perfectly in an ASRock X570m Pro 4 board (with ECC memory). I was thinking maybe in the future of the possibility of getting a Pro 4000 or 5000 series GE to upgrade, but now it sounds like it's going to be a challenge if I happen to come across the M75Q Gen2 system 🙁
@denvera1g1 2 years ago
@ServeTheHomeVideo And thank you for doing it, I got to see some perspectives that I didn't even consider, not just from ServeTheHome, but also the community.
@denvera1g1 2 years ago
@nighthawkvc25a Interesting, I'll have to try to get permission to swap our Lenovo Pro 3400GE into our Alienware computers (would have to temporarily take it out of the esports room). It was my understanding that all of the Pro series came with this enabled by default (starting with the 2000 series), but maybe Lenovo made this change with the 4th generation.
@virtualtools_3021 2 years ago
@Denis go back to TikTok if you can't handle it
@nekomakhea9440 2 years ago
Sounds like a really good way to ensure hardware ends up in a landfill when it could have still been re-used.
@Ironapple09 2 years ago
I’m surprised Lenovo did this before Apple
@QualityDoggo 2 years ago
@Ironapple09 pretty sure Apple products' CPUs have been paired to other components for years... also they're soldered not socketed
@cts006 2 years ago
@QualityDoggo The Xeon e5 v3s in the system I'm building right now allegedly came out of a mac.
@skyilah 2 years ago
If I buy something I pay for it and it's mine and I can do whatever I want with it, even set it on fire if I so wish, so I don't see why I have to be forced to use what I buy only as they see fit... If I want to reuse the CPU I paid for on another mobo, why shouldn't I be able to?
@sullivan912 2 years ago
@cts006 A Mac that is a 2013 design at the very latest.
@seylaw 2 years ago
Vendor locks should be banned by law. This is anti-competitive behavior par excellence. And I don't buy the "security" aspect at all, the attack surface is tiny and market impact is huge - this basically destroys the secondary market.
@timramich 2 years ago
Sir, the manufacturers are just following governmental directives. The government isn't going to help you, because it's in their interest if no one owns any type of computer but a phone. You can't be [easily] tracked if you have a desktop running open-source software, sit behind a VPN, and have no camera or microphone attached. It's also not anti-competitive. You will own nothing and you will like it.
@virtualtools_3021 2 years ago
@timramich gotta love corporatocratic rule!
@KiraSlith 2 years ago
@timramich Nice brown pill. Maybe post something actually useful to the discussion someday rather than paranoid ranting?
@timramich 2 years ago
@KiraSlith Cool story. You'll see.
@KiraSlith 2 years ago
@timramich The industry will collapse before that happens, and I don't think that's exactly in AMD's or Intel's best interest. But please, tell me all about your deep and well researched understanding of buyer-side economics. :-)
@owlmostdead9492 2 years ago
This is literally almost equivalent of bricking CPUs and making them e-waste, imo.
@ehsnils 2 years ago
And I see that this is a new vector for DoS attacks - brick the computer by changing the conditions for the PSB so that it won't start again and you'd need to replace CPU and BIOS. Basically easier to get a new computer.
@DigitalJedi 2 years ago
@ehsnils That or a manufacturer pushing a BIOS update that either intentionally or accidentally bricks a whole line of older systems. We thought Apple was bad when they started throttling older phones in updates, but you could in theory push an update that auto-installs on the next reboot and then bricks the system.
@meyatetana2973 2 years ago
Can still hack and bypass it they are fun but also waste of your time lol
@EwanMarshall 2 years ago
It is, it also cuts off reuse when big corporations are getting rid of their old stuff. The thing is, the security ideas can be okay, but a) Lenovo should not control the keys, that should be the enterprise admin adding their key to BIOS and turning the feature on first use, b) have some way to disable it again with that same keypair for decommissioning systems (note I can use the key on a different motherboard if it is in this form). I can key up every unit with its own key and have a key store database under a master key as an admin easy enough. The whole concepts this is based on are being broken, and MS started it with getting them to embed MS keys for the bootloader stage; the idea of that feature again was the admin would set it up with their own keys (some DIY motherboards do actually allow this, OEM, well good luck). It is illegal tying and needs to stop. With this implementation in 5 years' time, motherboard gets power surge and dies, and now the processor has to go with it because Lenovo is doing this and no longer sells those particular boards any more... I would also point out Lenovo has been doing similar with serial number checking of wifi modules in their laptops.
@JeffGeerling 2 years ago
One of the few differentiating factors between something like this computer and a Mac mini is the fact you can change out/replace/repair components when they're old or broken. Way to nerf that feature on this product...
@ServeTheHomeVideo 2 years ago
This one actually has 64GB of memory in it for its video :-)
@gorjy9610 2 years ago
Well, you can still upgrade it. But with brand new CPUs (which would become Lenovo only after first boot)
@JeffGeerling 2 years ago
@gorjy9610 True... I also imply (but not specifically) pulling the CPU out and putting it into something else (I often partially fund my upgrades by selling off the parts I'm replacing ;)
@gorjy9610 2 years ago
@JeffGeerling Lenovo is a brand to avoid for any somewhat advanced user, proprietary this, proprietary that. And now locked CPUs. We can only hope that this ends with Lenovo and no other OEMs would do a similar thing.
@denvera1g1 2 years ago
@gorjy9610 It's probably not just Lenovo, it's just that of our new machines, our Lenovo ones are the only ones with AMD Pro series processors. The rest are either Intel, or non Pro AMD. We have some Dell/Alienware and HP desktops with Ryzen, they're just not Pro series, so don't support PSB. We do have some HP laptops with Pro series, but, it would be difficult for me to swap these into Lenovo boards, especially without having to fight a possible warranty battle in the future. Of note, I'm not part of the Serve The Home team, I have just been doing my own independent testing.
@DmnkRocks 2 years ago
This is the most anti-consumer thing I've seen in computers in more than 15 years. Now canceled my freshly ordered (personal) X13 - and next week will argue against the Lenovo servers I was suggesting for a customer's location. And probably will go forward to have Lenovo removed from our systems asap - and now have to go with the next f'd up OEM. Or maybe go the custom route...
@ServeTheHomeVideo 2 years ago
I think folks will be a bit shocked when they see the SR655/ SR635 video(s). We started working on them, but now are waiting on more parts.
@tomkent4656 2 years ago
The most anti-consumer thing since Apple started selling computers!
@DmnkRocks 2 years ago
@tomkent4656 not quite there - but on the way
@rockytom5889 2 years ago
@tomkent4656 Last time I wanted an Apple computer was when they used Motorola processors. All that came after was a damn headache to service.
@SireSquish 2 years ago
Good. More large buyers pulling out when they pull shit like this is better. Even more so if you tell them that is precisely why you're cancelling their order.
@MrJmannik 2 years ago
I am very much against this kind of vendor locking, it's anti-consumer and should be treated as an antitrust matter, I see no reason why these types of "security" features could not be enabled without the vendor locking. I fully support Patrick's suggestion of a way to do this without forcing the vendor lock in, and I'm sure there are other ways to do this as well. Vendor locking is something that boils my blood and makes me tempted to write horrible things on public forums about what I think should happen to people who put this vendor locking in place...
@My1xT 2 years ago
how exactly is it more secure to not have a CPU run in different boards?
@magnetmannenbannanen 2 years ago
I like it, if this was a car, say an expensive Mercedes, and I wanted to take the brakes off, and put them on a different Mercedes, then this lock would make it so I can not.
@EwanMarshall 2 years ago
Illegal tying under the Sherman anti-trust act.
@stuartlunsford7556 2 years ago
They should be mandated to use different part numbers when they do this kind of crap. It's basically false advertising since you can typically use this processor in any system unless PSB is enabled.
@MrPlaneCrashers 2 years ago
They do use different part numbers... sort of... that is, I don't think regular Ryzen can have that feature enabled, I think it can only be enabled on Ryzen Pro, hence why they would be OEM only. Then Ryzen Pro can have that feature enabled or not. Note that it's not up to AMD to decide whether or not it's enabled.
@stuartlunsford7556 2 years ago
@MrPlaneCrashers Only the Pro models offer this feature, but me and I think most other users would socket a used 4750G just as readily as any other CPU. That's the problem, at that point it's a gamble.
@MrPlaneCrashers 2 years ago
@stuartlunsford7556 Yeah, completely agree with you on that.
@westcocoagorilla380 2 years ago
Just something else that erodes consumer confidence. "Ding", it rings the bell for me to avoid not only these systems but the manufacturer. I would wager that Lenovo does not vendor lock overseas products; like in Europe; especially since it is not marked on the system. Also, having this "un-set" feature available post manufacturing may allow malicious operators to hardware lock contrary to the system's manufacturer, rendering it inoperable. For me, thumbs down all around.
@SuprousOxide 2 years ago
Kills the market for used Ryzens, even if pulled out of HPs or Dells. Buyer can't know if it came from a Lenovo or not.
@danmerillat 2 years ago
@SuprousOxide market sorted it out pretty quickly. Epyc processors on eBay are listed as 'unlocked' or 'Dell locked' and guess which ones are worth less?
@droknron 2 years ago
The thing I don't understand is why they say the vendor locking is for security. How is this making the system more secure? - It's not like the CPU is an SSD containing business data. It's just rocks we've convinced to think. They're just trying to harm the secondary market aren't they?
@ServeTheHomeVideo 2 years ago
The idea is that it prevents unauthorized firmware from being introduced between Lenovo's factory and where it is deployed. All of the major server vendors are already working on at least some form of this, driven by cloud providers, and now we are seeing it more in endpoints.
@marcogenovesi8570 2 years ago
the CPU contains the security coprocessor, and is also ensuring that the board firmware isn't compromised. If it's swapped with another CPU where the security processor and/or CPU are compromised, you break the security features of this system and the end user has very little way of detecting this. Harming secondary market is a very secondary thing, nobody is buying these PCs for harvesting the CPU, in most cases the secondary market users will buy the whole system and use it for what it is.
@zoopercoolguy 2 years ago
@ServeTheHomeVideo This would also prevent a malicious actor from loading their own UEFI microcode on the CPU either through physical access or a virus once the system is in production. It would be very difficult or impossible to detect the malicious code on the CPU and it could be impossible to remove it as well. Hardware based advanced persistent threats have been a topic of concern for years, but haven't necessarily been all that prevalent. I wonder if Lenovo is just being proactive here or have these sorts of threats become more common.
@droknron 2 years ago
@ServeTheHomeVideo But why wouldn't they just include this in the chipset on the motherboard instead? Surely someone able to intercept systems in shipping could still defeat this system by replacing components on the motherboard, change signing keys, sign their own firmware, put on their own chips to bypass verification etc. Like once you have physical access I feel all bets are off unless the customer has to install some secure element to the server themselves separately once they get the hardware. I feel like this is just a way to lock people into a platform and making more e-trash. I've seen on eBay already how these locked CPUs go for peanuts while the unlocked ones go for 3-4x the price because people can't use the locked ones outside of the same vendor's motherboards.
@ServeTheHomeVideo 2 years ago
@zoopercoolguy You are right. Is there an "and" instead of an "or" option?
@michaelkreitzer1369 2 years ago
These types of features should _always_ be exclusive to the end user. Lenovo or Dell doing this is anti consumer. My company has its own PKI. If I want my CPU locked to a signing key, it should be my key, not Lenovo's. Also, please tell me these keys don't have an expiration date. :( I'm also highly disappointed in AMD designing a solution to a problem that exacerbates the ewaste problem and harms the aftermarket. I expect this kind of crap from Intel. I'm beginning to regret transitioning my home and workplace to Ryzen and Epyc.
@blackIce504 2 years ago
Not only that, what about when the system becomes EOL and someone at uni wants to use the CPU in a different board or just a server at home, repurpose? This is really bad for the chip shortage as well as the environment. Such companies should be boycotted so they stop. I will not buy anything Lenovo again.
@drinkingmilk8877 2 years ago
Yeah agreed this is complete BS. They want to control after sales and this will just screw up the secondary market plus the whole e-waste issue. It's deliberate and I'm debating kicking Lenovo and Dell from our list of recommended vendors as it will just introduce more complexity in managing assets across the company.
@sarhtaq 2 years ago
This is a turndown for me, I love Lenovo and their products but PSB will make me think again if our next server upgrades should be a move away from Lenovo :/ Or perhaps we should make it a requirement in any future orders, that all systems delivered to us are not PSB.
@kenzieduckmoo 2 years ago
I think if they're going to push this into a consumer platform, it needs to come with a significant upcharge. Companies would think twice of creating more e-waste if it cost them $500-$1000 more per system just to purchase.
@chubbysumo2230 2 years ago
lol, nope, this will come with a tax break, full depreciation and thrown away. It's literal e-waste production, and they know it. They know it cannot be reused, resold, or have parts salvaged. It's 100% intentional, and this will likely come with a discount.
@hgbugalou 2 years ago
It would also discourage security best practices.
@hvfd5956 2 years ago
I don't think this is intended for the consumer market. It is for the larger companies that buy 10k units at a time. This was probably pushed by some audit firm. I still think it is a bad idea.
@chubbysumo2230 2 years ago
@hvfd5956 yes, it's intended for large corporate customers, who then get a massive tax credit for full depreciation of their equipment every 3 to 5 years with computer stuff.
@funkymuk 2 years ago
@chubbysumo2230 That happens with or without vendor part lock in, that is where a lot of the 2nd user market supply comes from, and where most homelabber kit is sourced. I agree though that this will push a lot more hardware to e-waste earlier than it would have :-(
@iguanac6466 2 years ago
Instead of saying "Hey are you going to vendor lock your CPU", the warning when you put in a new CPU should be more like "Would you like to permanently damage your CPU, decrease its value, and increase the chances it's going to get tossed in the garbage because someone down the line thinks it's broken?" Way to erode trust in your hardware, AMD. It's wild to think that Lenovo is so concerned that someone is going to put a compromised CPU in their motherboard that they have to permanently damage it. This doesn't even really stop a bad actor this determined because, if they are going to that length, wouldn't they just make a pre-fuse blown compromised CPU to put in this system?
@l-cornelius-dol 2 years ago
You have it backwards. It prevents a malicious firmware from being installed on the motherboard, because the CPU will refuse to boot if the firmware is not signed by Lenovo.
@rockytom5889 2 years ago
@l-cornelius-dol You do know that if someone has the capacity for firmware attacks, that obtaining manufacturer's keys isn't out of their scope? This doesn't solve jack except the problem of how to make more bank.
@l-cornelius-dol 2 years ago
@rockytom5889 Not true. One has nothing to do with the other.
@iguanac6466 2 years ago
@l-cornelius-dol So, at 6:32 in the video the message sure sounds like it's asking for permission to blow the fuses in the new replacement CPU to vendor lock it to the machine. Otherwise what kind of "vendor lock" is it asking to do? Why would a brand new CPU that's never been in the system refuse to boot if the firmware was replaced?
@l-cornelius-dol 2 years ago
@iguanac6466: OK, you are going to have to at least attempt to look at why this feature exists in the first place. Once the CPU has been locked to the firmware key (at the factory) the firmware cannot be altered or replaced unless the updated firmware has been signed by the vendor’s key. Ergo the firmware cannot be altered by malware which is run on the PC. I’m not saying it’s a great way to solve the problem, but it does solve a security problem. It’s not meant to prevent you from replacing the CPU, it’s meant to prevent unauthorized changes to firmware.
@AndrewMerts 2 years ago
This is one of the few times when I think AMD's typical strategy of not locking out value-add features behind some bespoke SKU like Intel does is a mistake. AMD should sell vendors a unique vendor SKU if they want to have PSB enabled or at least provide a way to disable PSB with physical control over the processor like a solder bridge on the top of the circuit board. PSB provides no real security against APT shipment interdiction attacks anyways, all an attacker needs to do is replace the CPU at the same time as the firmware. If they're already intercepting packages and writing backdoored firmware the price of an additional CPU is peanuts. To my knowledge it's not like the shipment itself is linked to the serial number of the processor and even if it was, no one is going to check that if it never changes through the life of the processor. Quit letting vendors program their keys on their own. Either do it at the factory and give them their own -D, -L, -H SKU to indicate the vendor it's locked to or put it somewhere else on the package out of the die SPD style so it can be programmed with physical control over the CPU if it's not going to be a bunch of different SKUs. "Hook up this $10 USB I2C interface to these pins" is not too onerous for someone who wants to resell these chips on ebay and it's not too difficult to have some POST code that clearly identifies the vendor lock and why the CPU isn't working.
@theglowcloud2215 2 years ago
I agree, AMD should sell a unique SKU to vendors/system integrators if they insist on using PSB. But I'd also add: AMD should charge them 3x what they charge everyone else if they want PSB. Fight fire with fire.
@kal9001 2 years ago
Sell any SKU they want and allow it to be locked, but somehow indicate on it externally, that it is a lockable CPU, so when you're buying it second hand you can see it is lockable, and if you're buying 2nd hand in 10 years, most likely has been.
@Verpal 2 years ago
@kal9001 Here is the thing, ALL CPUs sold by AMD allow the vendor to sign their own key, so essentially ALL CPUs have a chance of being locked down the line, if you put a "lockable" warning on all vendor CPUs it will render the warning meaningless.
@eDoc2020 2 years ago
I agree the ability to swap in a new CPU makes the security fuses practically useless. I think a low-level firmware lock would be just as effective by using a hardware write-protected bootblock on the external BIOS flash chip, as is done in Chromebooks. Where I need to disagree with you is in having POST codes which identify the lock. While it would be great, it actually is too difficult. POST codes are generated by the system firmware and the system firmware isn't run when this problem occurs. The alert system would need to be programmed inside the CPU itself and this is impractical because different motherboards have different interfaces.
@JayDoscher 2 years ago
Any whiff of hardware lock in steers me away from any platform for 2-3 product cycles at a minimum.
@raven4k998 2 years ago
That should steer you away from Dell, not a product platform, as it's Dell's fault not AMD's, 'cause if Intel offers that feature what do you do then? If Intel and AMD both offer it then you're fucked, can't buy a computer if you buy Dells only.
@nagi603 2 years ago
My thought is exactly what you said. It creates a deceptive market that might not even be the fault of the seller. I've helped schools upgrade their systems on the cheap (due to not having any budget, not the management being cheap,) and things like this would certainly hamper such a project. Not green, not friendly, definitely only looking out for the bottom line. Deplorable. And frankly, the protection it offers is a joke if you really think about it. If it's physically compromised, all bets are off and that's it.
@rockytom5889 2 years ago
Dude, if it's physically compromised it's probably already sitting in the thief's home being taken apart.
@1mrhamel 2 years ago
What if it's compromised remotely via a vulnerability, and they got root on the system?
@eDoc2020 2 years ago
@1mrhamel The same security could be achieved by putting an early-stage bootblock of the firmware inside an external hardware write-protected memory. It may sound like this would add to system cost, but many BIOS flash chips include facilities for hardware locking the first few kilobytes of memory. This is the system used for boot security on Chromebooks.
@todayonthebench 2 years ago
I have said it before that the PSB feature is just a way for AMD to stifle the second hand market of their CPUs. Since the CPU will work with ANY motherboard that is from the same vendor, then it isn't really implying security, just vendor locking. If AMD wants to wave a flag of security, then PSB is a fairly poor implementation, since it doesn't tie the CPU to a specific motherboard, one can still swap out things under its nose. I wouldn't be the slightest bit surprised if the TPM feature gets combined with the PSB feature in the future, effectively making all Windows 11 systems and others who depend on the TPM feature ending up vendor locked as well. And that would impact the second hand market rather quickly. And the idea at 11:53 is a good one, being able to disable the feature and have a functioning CPU is a good solution. And I agree, if one wants "security", then one obviously shouldn't buy the CPU second hand...
@DMStern 2 years ago
The point isn't to tie the CPU to a particular motherboard, the point is that the system will only boot firmware signed by a specific vendor.
@todayonthebench 2 years ago
@DMStern If one blindly trusts a specific vendor's firmware, just because it has their signature, then what stops an attacker from using firmware with known security issues that has the same signature? The vendor could update their signature for the new firmware, but then you need a new CPU. And when do we tend to get firmware updates? Well, when security flaws are found. Therefore it would have been better if the security system provides its own signature for the BIOS chip to store on the motherboard. Tying the CPU to the specific motherboard, and not to the vendor's slew of software that has the same signature, where a fair portion of that software is known to have security issues. This would however require the CPU to not be a brick if it detects a mismatch in signatures, but rather provide the lack of security up our boot chain. And a decent way to implement the security would be if the CPU scanned the BIOS ROM, hashed it, and provided a signed hash to the BIOS ROM. The signature here would be some unique encryption key that only our CPU knows. It can be symmetric encryption as well, since it at no point has to leave the CPU's internals.
@DMStern 2 years ago
@todayonthebench The scheme you describe *is how the PSB works today*. The only difference is that the system vendor programs the key into the CPU. The alternative would be that AMD would have to vet and sign every firmware release for every vendor. AMD has features protecting against firmware downgrade attacks, but I don't know the specifics of how it's implemented.
@todayonthebench 2 years ago
@DMStern I personally think AMD has a poor implementation. It should be the motherboard that stores the proof generated by the CPU. But most importantly, a CPU shouldn't effectively brick itself just because it finds an untrusted firmware. Considering that they rely on OTP memory to store the credentials, there isn't much they can do to stop downgrading. Unless they have a lot of extra OTP for such "alterations" over time, but then they still have the issue that the CPU will become worthless junk after sufficiently many firmware updates. (And OTP fuse arrays take a fair bit of room, so they won't be wasting tons of silicon on this, I am surprised if it is more than 1-2 k bits in total.) "The alternative would be that AMD would have to vet and sign every firmware release for every vendor." Isn't the only other alternative. There are plenty of ways to ensure security in a larger system. The system I described won't on the other hand tolerate firmware updates nor downgrades, or any change to be fair. But this is why it needs some secure state where firmware updates can be performed and signed (likely in BIOS). To start this feature, we likely use a user defined key stored in OTP to open that option. Preferably we should have an 8 or more character, case sensitive alphanumerical key that can only be accessed after x minutes after system start. (The timer after start is so the CPU's security system only accepts 1 attempt per power cycle, and the timer is just looking at the 100 MHz system clock, and from there it is a simple 35 bit hardware counter.) This is to prevent anyone having KVM/hardware access from just flashing in some new firmware and have it instantly trusted. Though, considering how we also want to be able to make a CPU "unsecure" again, even if we don't know the user password. Then we need some way to validate that the CPU is secured or not. Here simple hashing and checksums is our friend.
Just store an AES-256 key in the CPU's OTP array, have it decode something for us, if it does it correctly, it is trusted. If it doesn't, then we can't trust it. (If the security system is turned off, this OTP key should obviously be erased.) Reason for the symmetric encryption is that any application in need of hardware backed security can just send its data through the validating function to have the "this needs validation" version of it. And symmetric encryption is simpler to handle. And this is safe since the key never leaves the CPU's internals.
@DMStern 2 years ago
@todayonthebench A system that can sign its own firmware doesn't protect against the attacks these schemes are designed to protect against.
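
Added example, not part of any commenter's post and not a model of AMD's actual PSB implementation: a toy Python simulation of the self-sealing scheme proposed in the exchange above (a CPU-held secret, a tag stored on the board, one sealing attempt per power cycle, and a trust status reported instead of a refusal to boot). The class and function names are hypothetical, the firmware bytes and passwords are constructed, and HMAC-SHA-256 stands in for the AES-256 key the comment mentions.

```python
import hashlib
import hmac
import os


class SimulatedCpu:
    """Toy model of the proposal: all secrets live in the CPU and never leave it."""

    def __init__(self, owner_password: str):
        self._otp_key = os.urandom(32)   # stands in for a per-CPU key in OTP fuses
        self._pw_salt = os.urandom(16)
        self._pw_hash = self._hash_pw(owner_password)
        self._attempt_used = False       # one sealing attempt per power cycle

    def _hash_pw(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, 100_000)

    def _tag(self, firmware: bytes) -> bytes:
        # Hash the image, then MAC the digest with the key only this CPU holds.
        digest = hashlib.sha256(firmware).digest()
        return hmac.new(self._otp_key, digest, hashlib.sha256).digest()

    def power_cycle(self) -> None:
        self._attempt_used = False

    def seal(self, firmware: bytes, password: str):
        """Return a tag for the board to store, or None if sealing is refused."""
        if self._attempt_used:
            return None                  # already tried once since power-on
        self._attempt_used = True
        if not hmac.compare_digest(self._hash_pw(password), self._pw_hash):
            return None
        return self._tag(firmware)

    def boot_check(self, firmware: bytes, stored_tag) -> str:
        """Report the trust state up the boot chain; never refuse to boot."""
        if stored_tag is None:
            return "unsealed"
        ok = hmac.compare_digest(self._tag(firmware), stored_tag)
        return "trusted" if ok else "untrusted"


def run_scenarios() -> dict:
    results = {}
    password = "owner-pass-example"                       # constructed
    vendor_fw = b"vendor firmware v1 (constructed sample bytes)"
    cpu = SimulatedCpu(password)

    # Owner seals known-good firmware; the board stores the tag beside the ROM.
    tag = cpu.seal(vendor_fw, password)
    results["sealed_boot"] = cpu.boot_check(vendor_fw, tag)

    # Image changed after sealing: the mismatch is reported.
    results["modified_after_seal"] = cpu.boot_check(vendor_fw + b"\x90", tag)

    # A wrong password burns the single attempt for this power cycle.
    cpu.power_cycle()
    results["wrong_password_refused"] = cpu.seal(b"other image", "guess") is None
    results["retry_same_cycle_refused"] = cpu.seal(b"other image", password) is None
    cpu.power_cycle()
    results["retry_after_power_cycle"] = cpu.seal(b"other image", password) is not None

    # CPU moved to a board that carries no tag: it still runs, just unsealed.
    results["moved_to_other_board"] = cpu.boot_check(b"another board's firmware", None)

    # A tag produced by a different CPU does not verify on this one.
    other = SimulatedCpu("other-pass-example")
    foreign_tag = other.seal(vendor_fw, "other-pass-example")
    results["foreign_tag"] = cpu.boot_check(vendor_fw, foreign_tag)

    # Image swapped before the first seal: the CPU vouches for whatever it was shown.
    swapped_fw = b"image swapped before first seal (constructed)"
    cpu2 = SimulatedCpu(password)
    tag2 = cpu2.seal(swapped_fw, password)
    results["swapped_before_seal"] = cpu2.boot_check(swapped_fw, tag2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The last scenario is the case the final reply points at: a self-generated tag proves the image has not changed since sealing, not that it came from the vendor.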
@xephael3485 2 years ago
Stop buying hardware from vendors who close source and lock 🔐 you out of their firmware... FPF needs an indicator or software to display status. I'd say a law should be passed that only end users can blow the FPF on their systems... Just like furniture tags. Seller can't remove them.
@sebastiannielsen 2 years ago
Seller can remove furniture tags, but not those tags required by law that declares certain content. It's pretty clear, if seller could just remove any labels/tags informing of dangerous content or other tags required by law, the labelling law would have no effect. So basically, it's a law protecting another law. Seller CAN remove other tags on furniture, for example tags that prevent the return of the furniture, or manufacturer warranty tags or similar, to "screw" the customer. It's basically, a seller is not allowed to paint over the food declaration on a can of food either, because then sellers would just paint over anything that has to do with fat and sugar and just sell it as sugarfree superhealthy fat-free food. Since the FPF isn't mandatory by law, you cannot pass a law prohibiting sellers from blowing it, because then you could easily construct the lock so it auto-blows the fuse upon inserting it into a system "Marries by the first vendor it sees" meaning same effect would be made - customers power on system for first time and CPU instantly locks to it, meaning it wasn't seller that blew it, it was the customer that did it by powering on the system for first time. To pass a law prohibiting sellers from blowing it, you would need to pass a law how the feature should be implemented first.
@xephael3485 2 years ago
@sebastiannielsen Let's be real, no legislation like this will ever come to be. That said, auto-FPF or FPF performed by the manufacturer or seller could be banned. Just need to say that generalized components can not have irreversible changes made to them by the manufacturer or seller of systems without end user approval.
@bitcoinsig 2 years ago
This just seems like a vulnerability waiting to happen. So if you have a non-blown cpu, a malicious actor can blow the fuse with arbitrary vendor code and brick your machine?
@steffeneilers8530 2 years ago
maybe you need special AMD-sanctioned code. not something that can't get into the hands of bad actors, but difficult and I don't know how to monetize that
@kharkin0 2 years ago
Hopefully someone actually does that, so we can see the end of this half-assed bullcrap. If a few of these vendors would have to suddenly warranty couple tens of thousands of these CPUs and have their trust shaken, things would quickly change...
@vlycop7404 2 years ago
the theory is that if you want to deploy this (and it's not enforced) you want your hardware to fail as soon as possible if you get compromised. But this needs to be at the discretion of the company, and it needs a way to be unlocked.
@steffeneilers8530 2 years ago
@@kharkin0 I highly doubt that, you probably get a vendor ID from AMD that you can hash for each mobo, so the leak would have to occur pretty high up in the chain. I doubt even state-sponsored operations can get at that, and anyway I don't see the motivation for them to do so, if it's bricked it's bricked, and blowing the fuse would probably require a reboot, so it's hard to exploit
@Ratzzo 2 years ago
They could just implement enabling/disabling the feature with a hardware jumper or a special resetting system that requires taking the CPU out of the machine. This one time programmable bullshit almost feels like intentionally purposed for vendor lock in. Maybe it was the easiest solution to implement in a rush.
@jmonsted 2 years ago
They can leave their stupid fuse however they want, but just let me disable PSB entirely. At that point, it doesn't matter what the CPU is locked to. Either way, this is a ridiculous solution to an imagined problem and all it'll do is create lots of e-waste when these systems leave the datacenters and enterprises in a few years. Also, if Dell and Lenovo are reading this: I'm not buying your crap until there's a satisfying solution to this problem.
@eleventy-seven 2 years ago
This will not affect me now but like my dislike for anti-consumer Apple, you have to stand up for consumer rights or eventually it will be your problem too. Just canceled the Lenovo Thinkpad AMD I wanted and switched to a like HP. The similar 15" HP was $200 less anyway and although I love Lenovo and have had 1 Intel idea pad and a Thinkpad over the years the HP is also fine and I sent another HP as a gift to my Mother in law a few months ago and that's working out fine. Also HP's accidental drop and mess up warranty is great when you have a lot of kids around. I worked for a fairly large school district troubleshooting PCs in computer labs and Dells are such junk. It's a shame Lenovo is doing this as I really like their Laptops. I make all my desktops and will continue to use AMDs as I switched from a decade of Intel's after the 3000 series really has it together. I built a 5700G for my wife and she runs 2 Monitors off it with the built in graphics as she uses it for business not gaming. Used an Asus 570 and it a DP and HDMI connectors on the MB and it configured her vertical monitor and the other perfectly. only 1080 but if she wants new higher res we can always add a card. We run Win 10 and Xubuntu and Manjaro in our various devices.
@rogerthomas368 2 years ago
it is going to cause enough problems in the new product market, let alone the second hand market - Retailer sells a CPU, purchaser installs the CPU into a system that v-locks it, purchaser then decides to return the CPU using whatever consumer laws are in place in their region. Let's hope this does not become a common feature of general motherboards. A system that converts $600 consumer focused CPUs into nothing more than potential e-waste on first use is not a great idea.
@kal9001 2 years ago
I'm not sure he said if the system itself blows the fuses and vendor locks any CPU put in it. If it does, then this is SOOOO much worse, and it's already pretty bad.
@funkymuk 2 years ago
@@kal9001 It was mentioned that if you put a new CPU it asks if you want to vendor lock at around 6:30 in the video, so yeah it really is that bad.
@YeOldeTraveller 2 years ago
Sounds like yet another reason to have nothing to do with Lenovo.
@marcogenovesi8570 2 years ago
I really think there should be some clear automated indication that this CPU is vendor-locked. Like when you blow the fuses to write the key there is a spot on the board that changes color so end users can see if the CPU has been vendor locked or not, even if they don't know to what vendor
@raven4k998 2 years ago
yeah well there should be but people are stupid so that wouldn't do much in the long run cause a stupid person could pull it from a dell or lenovo sell it and the buyer puts into a non dell or lenovo motherboard and it's fucked
@christopherjackson2157 2 years ago
If a chip is locked to a vendor there should be some indication of it on the ihs.
@jtd8719 2 years ago
Patrick, thanks to you and all at STH for bringing the good and potentially not-so-good points of server-related tech to the masses, even if most of what you talk about I will never directly touch (or sometimes even fully comprehend - I'm just a humble home enthusiast). The enthusiasm and professionalism you bring to this channel are appreciated.
@chubbysumo2230 2 years ago
vendor locking like this isn't about security. it's about depreciation more than anything. a company can buy these knowing that there is no salvage value in the parts after, so there is less incentive and worry about them ending up in the second hand market. this means that in 3 to 5 years after these are purchased from lenovo, the company that bought them can say they have fully depreciated in value and claim their full purchase prices as a tax incentive to buy new ones. part of that "full depreciation" accounts for second hand market resale value, and being that these are vendor locked parts and not going to work in any other systems, and no other processors are likely to work in the motherboard, it costs them less to "dispose" of them, and still get their certification of destruction. this is much like you see less and less second hand server stuff like the R700 series dell servers, because to get full depreciation, they have to ensure there is no second hand market value(thus, they get destroyed). there was a tax law change about 4 years ago that added this requirement, thus, ewaste "recyclers" have to verify destruction of the device else they can be on the hook from the IRS for the second hand market value. this is why apple stopped that company that was recycling their broken parts into working phones, because it left apple on the hook for that value to the IRS.
@timramich 2 years ago
It's about keeping hobbyists from obtaining these second-hand. They don't want people having desktops, they sure as hell don't want people having their own servers. Do you really think the shortages are because of some alleged pandemic? It's all planned. Windows 11 is crap, no one can make chips. The unintended side effect is that it's affecting auto makers, too. But maybe that is intended, so they can squeeze everyone into cities and take their cars. You will own nothing and you will like it.
@theglowcloud2215 2 years ago
Sounds like a very stupid, possibly evil, 'loophole' in the system then. I frankly couldn't care less about a company's depreciation concerns when a). they already dodge taxes and b). this strategy creates more ewaste and makes the world a generally worse place. Fuck 'em.
@timramich 2 years ago
@@theglowcloud2215 How don't they pay taxes? You think the enterprise just landfills their old gear?
@chubbysumo2230 2 years ago
@@timramich amazon paid zero dollars in us federal or state taxes in 2020. And yes, they just landfill their old stuff because they told the IRS it lost its full value to be able to claim its value as a tax incentive to continue paying no taxes. If those parts end up in the second hand market, and the IRS finds out, not only do they lose that tax incentive, but they then get penalties and fees, and then get put under a microscope for other stuff.
@timramich 2 years ago
@@chubbysumo2230 Okay
@insignio1 2 years ago
Hmm, this definitely de-values a ryzen cpu from a lenovo machine and consequently, since there is no way to detect if a cpu has been psb-ed, it potentially devalues all 2nd hand AMD Ryzen CPU's. I'll be very wary of buying a 2nd hand AMD Ryzen from now on and I'm also slightly annoyed by this, since I just got myself a 5700G which I now feel is worth less due to this. Of course Lenovo is free to do whatever they want to these CPU's but they better mark them very well. BTW, the proposal as described by Patrick is a very good proposal. It's the best of both worlds.. Hope someone can make that happen.. .
@beezanteeum 2 years ago
That's not only on lenovo, but at every single OEMs implementing PSB
@tassadarforaiur 2 years ago
As an end consumer / home labber, I absolutely hate these features. they destroy the second hand market, which promotes e-waste, and raises the barrier to entry. I would be more tolerant of it, if they did the 'blow all fuses' option. I want to see that in epyc cpu's too.
@chubbysumo2230 2 years ago
this is intentional. this way the company who buys it can get full depreciation value on their taxes after 3 to 5 years and not have to worry about them ending up being salvaged in the second hand market by paying a company to shred or wreck them. they can just toss them ewaste and no one can reuse them. companies do this kind of shit because it makes them more money. this kind of vendor locking would never happen if there wasn't a monetary incentive to do so.
@tassadarforaiur 2 years ago
@@chubbysumo2230 there are valid security reasons for doing this, and valid cynical reasons for it too. I don't think lenovo gives a rat's ass about the resale value of amd cpu's, unless they're getting a kickback for enabling the mandatory ewaste feature. I feel lenovo enabling this, is to sell the security, and AMD not providing a way to kill PSB on a used CPU, is an ewaste for profit choice.
@rabiatorthegreat6163 2 years ago
@@chubbysumo2230 Sure about the depreciation? In Germany where I live, the depreciation rules for taxation are fairly simple for such things. Perhaps to limit bureaucracy. After a certain time (5 years?), the device is legally fully depreciated. Even if you don't scrap it. I think you still need to pay taxes if you earn money from reselling the old stuff, but that is money you would not have otherwise at all.
@klyplays 2 years ago
@@tassadarforaiur yeah sure Lenovo paid shill.
@smurfendrek4791 2 years ago
What kind of tampering does PSB locking protect against though? With physical access, you could just swap the CPU after swapping/tampering with the bios chip. You could sign your tampered bios, and blow the corresponding fuses in your new CPU. Or is this meant to protect against some kind of remote attack where the bios could otherwise somehow be compromised anyways?
@virtualtools_3021 2 years ago
It's just 'muh security' as an excuse for planned obsolescence
@michaelkreitzer1369 2 years ago
The latter. Several proof of concept persistence attacks via UEFI exist, and it's only a matter of time before they make their way into malware as a service chains. Adding so much preboot complexity was always a dumb idea, but sadly UEFI won out over concepts like coreboot. The problem is real. This solution is terrible.
@prescan7000 2 years ago
@@michaelkreitzer1369 Imagine what would happen if attackers indeed infiltrate the service chain. Or what happens when the signing key gets compromised? Then Lenovo would have to replace their signing key and would brick all systems that do a service firmware upgrade. It would effectively kill the firmware update service chain for existing systems. Yikes.
@michaelkreitzer1369 2 years ago
@@prescan7000 Indeed, this is just all around a terrible idea.
@sebastiannielsen 2 years ago
it's because the processor has fTPM built-in - a processor-based TPM solution. The processor checks the firmware to prevent a malicious firmware to be jacked in which would capture bitlocker drive encryption keys.
@bluefoxtv1566 2 years ago
AMD should be making two SKUs one with this and one without and mark the CPUs. OEMs like Lenovo could just make the bios only accept one with PSB.
@NickMaude 2 years ago
Spot on, blown fuse idea makes the most sense. As a home testing and learning lab, it's a big pain in the bum to be able to find the cost around a CPU and then to have to match it to the vendor motherboard. Keeping in use is somewhere in the three R's reduce, , recycle.
@EvanOfTheDarkness 2 years ago
AMD should have *never* put this into Ryzen, or any other desktop CPU. Data centers may like stupid lock downs, marketed as "security" features, but this should not be in a pc that normal people can buy. Just to be safe *don't* *buy* *Lenovo.*
@franktippin9150 2 years ago
Your solution appears quite logical. An issue with it would be if the processor could then be put back into the original system to unlock its files assuming that PSB serves some function other than branding the CPU to the system manufacturer.
@virtualtools_3021 2 years ago
If you have physical access you could just read the drives with... Another motherboard!!! Imagine that! If your PC is physically compromised your security is a joke
@LiEnby 2 years ago
@@virtualtools_3021 but they're encrypted.
@1tothe2the3 2 years ago
The cynic in me says this is just to screw with the 2nd hand market under the guise of security. It's intentional e-waste and needs banning.
@kancheongspidergaming 2 years ago
This is going to cause a wave of potential headaches for even experienced PC technicians who have NO IDEA about what AMD PSB is and its implications, because nobody really gave it the attention it deserves.
@EverettVinzant 2 years ago
So… Cellphones are locked to a service provider, CPU’s are locked to a vendor…. Who OWNS these things. The people paying for them, or the manufacturer?
@omaravila8891 2 years ago
This just tells me not to buy Lenovo products in the future. Vendor locking a CPU does nothing for security, what it does is create e waste.
@mohamedkadhemmansour7058 2 years ago
2:19 : 2 handed 2U rack server, + 100 Strength +100 Confidence +100 charisma
@ServeTheHomeVideo 2 years ago
Ha!
@RayneYoruka 2 years ago
Nice to see this finally here, Saw it in the beginning on reddit
@AchwaqKhalid 2 years ago
-Dell- and now -Lenovo- off of my list 📃❌
@youtubegaveawaymychannelname 2 years ago
Boycotting these companies for this reason is certainly valid, however, the real problem is that you can't knowingly boycott them on the secondary market if they still exist.
@jazzy2577 2 years ago
This isn't about security, devaluing the processor wasn't the primary goal, forcing you to pay them several thousand dollars for a security patch and firmware updates is the goal. Hence the "nearly given away" server referenced in this video. This has existed in the server space for a while, but charging for security patches at the Workstation level is a one way ticket to failure.
@jabbany2715 2 years ago
This doesn't really fix supply chain attacks though right? Someone doing a supply chain attack by, say, flashing a backdoored firmware, could just also get a fresh CPU and PSB mark it with different signatures corresponding to what was used to re-sign the modified firmware. Everything would still seem to work on the compromised system. A customer would need to open up a potentially compromised OEM system + swap in a non-compromised CPU from the vendor to test for a supply chain attack...
@hammersbald7612 2 years ago
Great, Lenovo was the last of the bigger companies that I had on my "not complete garbage" list.
@nosirrahx 2 years ago
Lenovo has a history of locking out hardware. They did this to Lenovo laptops that came with 16GB Optane modules. If you found a crazy cheap 32GB module on Ebay and wanted to upgrade, the Lenovo BIOS would lock it out as a disk acceleration device. We asked support on this and they confirmed that only the 16GB module would work.
@RexorProxer 2 years ago
Not Only there. Also Wifi and WWAN often have this kind of vendor lock. Even on Lenovo.
@bitelaserkhalif 2 years ago
@@RexorProxer it's all started from whitelist of ThinkPads...
@LiEnby 2 years ago
There used to be an underground bios modding community .. that removed this bullshit. But signing checks made it harder
@nosirrahx 2 years ago
@@LiEnby I love motherboard makers that have flashback functionality to flash modified BIOS. That should be industry standard. Only people that know what they are doing would ever even know the functionality existed.
@chromerims 3 months ago
In hindsight, AMD Platform Secure Boot maybe mitigates against 2023 logoFail vulnerability in uefi-bios . . . or worse locks in the exploit if somehow PSB precludes future firmware updating. Yikes! Great video 👍 Kindest regards, neighbours and friends.
@calvindibartolo2686 2 years ago
Ugh as if ebay wasn't sketchy enough... IMO if they wanna vendor lock, just solder the CPU to the board...
@foamyflightmaster9385 2 years ago
Obligation should be with vendor to disclose this clearly to the buyer..
@LaserFur 2 years ago
I like how the Atmel/Microchip arm processors have an "erase" pin. You pull the pin high and it erases everything. Since eFuses are generally flash based these days they could provide an "erase" pin. Of course the pin might need 12 volts though so that would require taking it out of the system to erase it. So they might be able to make a way to clear it.
@RmFrZQ 2 years ago
I'm pretty sure it is not that simple. These things act like real fuses, essentially a burnt trace. Same tech is used to internally customize basic ICs (not just CPUs or Microcontrollers) during factory production cycle.
@LaserFur 2 years ago
@@RmFrZQ they may act like real fuses, but a real old school Fuse would be huge and take a lot of die space. that's why I am guessing an EEProm type cell is used. But it might lack the charge pump to get the voltage to clear it.
@RmFrZQ 2 years ago
@@LaserFur they are not huge. It is basically a short trace between two points. You can find videos on YT where people dissolve casings of ICs and use acid etching to see how a die looks internally, layer by layer, under a microscope. They usually comment on what is shown on the screen.
@LaserFur 2 years ago
@@RmFrZQ I did some reading and you are right. the "electro migration" and shoring types would be small. I was thinking of the old prom descriptions.
@pawnslinger1 2 years ago
I wouldn't buy a system that I knew contained vendor locked parts. Sounds like a monopolistic practice to me. This kind of crap ought to be illegal for consumer grade systems.
@brianm.595 2 years ago
This is for enterprise/pro customers. If I were an enterprise manager who had a problem with people stealing cpus, this would make sense. I can't otherwise fathom why you would want this as a consumer.
@nighthawkvc25a 2 years ago
2:14 - So that's how Patrick works out his upper body strength. The background gives it the wrestling entrance theme too!
@jwstolk 2 years ago
My thought: Send it back to Lenovo and have them "fix" or refund your old CPU.
@rockytom5889 2 years ago
And write on it in black marker "This ain't the shit I paid for".
@kojack57 2 years ago
Everyone: eBay is dodgy. Lenovo: Hold my CPU.
@dleewee 2 years ago
It's blowing my mind that this video currently has 1.5k views and more than 0.5k comments. Clearly this is getting a rather strong reaction from the community. I hope AMD will take notice and look at some options that are less anti-consumer.
@mightylink65 2 years ago
I work at a Lenovo dealership and this is the first I'm hearing about it... I repair Tiny's on a weekly basis alongside Lenovo laptops for residential customers, but I've never needed to salvage a Ryzen cpu from a Tiny, it's just never come up yet.
@Luna-yz1gr 2 years ago
I picked up An m75q gen 2 with a 4350ge at the end of 2020 and it was vendor locked already, so they've been doing this for a while. The only reason I bought the system was because they were marking those chips as OEM only, and I went with Lenovo because of brand reputation (won't make that mistake again). What makes me suspicious (tinfoil hat moment) is that Lenovo was the one vendor that had these chips readily available. Even now when you look up these 5000 pro chips which AMD now claims are being made available at retail, you still find none available at retail but you DO get results for the Lenovo boxes using these chips. If I was a betting person, I'd say AMD is sending the bulk of these chips to the vendors willing to take on the bad press of tanking the secondary market while keeping their hands "clean."
@ahah1785 2 years ago
Corps that do this don't deserve my money. I'd rather be without the product, this will not be tolerated!
@aliasfakename7253 2 years ago
Wouldn't that make the value of ALL used AMD CPU drop as sellers might be unaware or lie about it ? Maybe even steer some people towards until instead ?
@minigpracing3068 2 years ago
I don't think we should be buying these locked devices, as others say, not able to be recycled for other machines.
@ServeTheHomeVideo 2 years ago
We are going to have a bit of a guide on this system, but then get into some HP alternatives that are going to be eye opening for many folks.
@minigpracing3068 2 years ago
@@ServeTheHomeVideo Maybe the solution is engrave the key on the processor so that users can enter it into bios? Not really possible with the length of a good key, but an idea that still requires physical access to the processor.
@stevenv2190 2 years ago
This is very informative. Thanks. I have a bunch of the first gen m75q systems at work and now I know that these processors may not be swappable to another like model.
@ServeTheHomeVideo 2 years ago
If you keep them within the M75q's they should be fine.
@RANDOMNATION907 2 years ago
I like your idea, and this is something I was unaware of.
@tgmct 2 years ago
This situation REALLY upsets me... Who owns the hardware; the manufacturer or the consumer? The companies in between seem to think they do. These big companies are the first ones to complain about government regulation but then create reasons for people to want them to be regulated. I can't see ANY benefit to the actual hardware or software. This is nothing more than the Dells, HPs and Lenovos of the world trying to control the world of consumers. What they really want is to shorten the life of machines instead of there being a secondary market. Microsoft is just as much 'in bed' with this philosophy too. I find AMD's fusible technology this just as shady as Intel's Management Engine.
@jonansan 2 years ago
Wow..just got one of these and was going to swap CPU with my desktop. Thanks for saving me the aggravation ! It's the kind of thing that makes one avoid a brand. The security reasons are not very compelling for most.
@reto 2 years ago
I liked my Lenovo notebooks, I recommended them to others that wanted good price/performance and solid build quality. Looks like I had bought my last Lenovo product ever without knowing it.
@cybervoid8442 2 years ago
There should be govt regulations preventing manufacturers from unnecessarily increasing e-waste. There is no other way
@Trenjeska 2 years ago
Anything that actively reduces recycling by re-use should be strictly forbidden.
@onkz 2 years ago
Great video, just subbed! Love this kind of content bud, keep it up!
@ServeTheHomeVideo 2 years ago
Thank you!
@larrygalium4638 2 years ago
They should limit this malarkey to BGA chips.
@ericapelz260 2 years ago
Ugh.... Just what we don't need during the global chip shortage.
@rothn2 2 years ago
Seems like there were some key ethical considerations here that folks at Lenovo did not realize (or did not care about). Very sad.
@markh8901 7 months ago
Thank you for doing this video here's my suggestion, after 3 years through bios update from vendor, the bios will disable the PSB. This applies to all vendor, I think 3 years is enough for such unit to go into reuse recycle phase.
@kal9001 2 years ago
Absolutely agree with everything said. There should be a way to unlock it, but in the process you invalidate the security and it wipes, or renders inaccessible any stored keys/certificates so it can never be used in a secure system again but doesn't drop the ass out of the used market. How you do that, maybe something in the BIOS that you set and it sends a special instruction to the CPU to wipe itself and unlock the security. Maybe such a thing does exist already but AMD aren't documenting it.
@brianmccullough4578 2 years ago
I hate this stuff, the reason we love PCs is the fact we can do what we want with these systems, build em up, upgrade em, play with em. Ryzen was an awesome kick to Intel's butt, gives the little guy 4-16 cores to play with 4 generations of CPUs on one socket, ryzen was a blessing, got me back into building pcs, but this sucks, I hope they don't keep this up, even in the server space, homelab guys are gonna hate this too. It feels like such an apple thing to do, idk. I hate it tho
@tinem67 2 years ago
I am ok with vendor locking in some circumstances. And provides value to the customer (customer is not end user). The end user doesn't need to buy a Lenovo. However! It shouldn't be hidden from the end user. Some circumstances the end user does want the secure supply chain (that's the idea of secure boot). But we shouldn't be guessing trying to find a non vendor locked processor. It should be clearly defined or at least buried in the laser etched sku "5950-psb" the same way they do with the mobile processors. I get the idea that vendor blowable fuses simply is a feature that doesn't need to be used. But including it on every die makes it easier to streamline manufacturing. Amd has some decisions to make. They will probably not care what end users want like always...
@vlycop7404 2 years ago
I really like your solution, and i personally will never buy product that are designed to be e-waste from the factory. That's against my value as a person and i will go out of my way to order from another brand if this shows up "mandatory" in the following gen of lenovo server. it's not about the tech, it's about the waste
@catsspat 2 years ago
Wow, I'm glad I canceled my order of M75s Gen 2 back in late 2020. No more Lenovo for me, forever. HP is already on my black list, so, well, always build my own. I also own an M715q (Ryzen 3 PRO 2200GE). I bought it back in 2018, just to obtain a *PRO* APU. I'm using the PRO APU on an AsRock motherboard with ECC memory (had one ECC error in almost 3 years of 24/7 operation). I also revived the M715q using a retail Athlon 200GE, and it's still working fine. So Lenovo was good back then, but not any more.
@youtubegaveawaymychannelname 2 years ago
OK. PSB is stupid (especially for ryzen consumer level systems). But if they really want to keep it this way, then sell sku's with a model number indication that says that they can be locked and sku's with a model number indication that say they can't be locked. That way if you come across a CPU on the secondary market, you just need to know if it can be locked (regardless of whether it is locked or not) so that you can avoid purchasing it.
@Luna-yz1gr 2 years ago
Maybe they're trying to create the perception that all Pro versions of these chips will probably be locked, forcing you to go with an OEM to avoid wasting time and money getting one 2nd hand that's locked.
@swatty2009 2 years ago
Regarding the claim: "Vendor sets PSB to ensure no post-factory tampering" I'd say this is not a valid claim where physical access to the device is possible. Consider this: An attacker tampers with the firmware (e.g. during shipping) of a device. As the process of burning in the fuses for new CPUs is part of the firmware, the burn-in-process can also be removed from the firmware while modifying it. If this is done the device will no longer boot anymore with its original CPU - all as intended. But after the replacement of the CPU with a brand new one (that is not vendor-locked) the device will work again. As PSB is effectively disabled now the new CPU will not get vendor-locked. And no one will know it has been tampered with. Therefore the PSB feature just raises the cost for attacks: you need to provide a non-vendor-locked CPU (but in return you get a locked one back). As said earlier, this only works with physical access.
@zacker150 2 years ago
A company can easily detect this by testing with a known blown CPU.
@swatty2009 2 years ago
@@zacker150 I would not say easy to this. But yes, they could do so, but who will test a brand new system if there is zero indication for a compromised system? Also: the test only works if they have a CPU that they can be absolutely sure about that the CPU they're testing with has the correct PSB key burnt in. In the end this comes down to the problem Patrick already mentioned in the video: There is no way to tell if there is any PSB key burnt into the CPU other than testing it in different systems, that we "hope" to use the correct PSB key.
@GuruEvi 2 years ago
You would know if the CPU has been replaced, that’s the entire point. Yes, you can tamper with the CPU by replacing it, but your system won’t boot if imaged from the factory because the trusted chain won’t match anymore.
@swatty2009 2 years ago
@@GuruEvi Nope, you got PSB completely wrong. Replacing the CPU in a standard PSB protected system is not a problem at all - as long as the new CPU is vendor locked by the same vendor or not yet vendor locked.
@GuruEvi 2 years ago
@@swatty2009 I don’t know about the AMD, but Intel has a similar feature and Dell and HP uses it, I can guarantee you, that thing will let you know and won’t boot an encrypted secure boot environment if the CPU or BIOS settings have been tampered with, you do need a signed CPU from the vendor. Basically if the CPU has to be replaced with an unsigned CPU and you haven’t been able to unlock the secure boot before (you basically give Dell/HP a signed disk image from your end, so the idea is that during shipping it can’t be tampered with) the thing won’t boot. Yes you can use unsigned (unlocked) CPU but the boot chain won’t validate anymore. Only if you get an original Dell CPU that hasn’t been tampered with can you continue. It’s useful in some cases to know your hardware isn’t compromised. You can even give Dell your own keys to “fuse” the CPU with so your CPU’s are company-locked.
@capability-snob
@capability-snob 2 years ago
It's not the vendor locking that worries me as much as preventing me from patching the boot firmware. If it can be modified, then it should be modifiable by the owner. I'd be fine with your solution, for the most part, as long as application software can't tell if the CPU is unvendorlocked. Malware that refuses to work if it detects a developer or security researcher's machine is a problem when you can't hide that from userspace / virtual machines. Edit: The processor will happily accept a known-buggy vendor signed firmware, but not a user-provided one. This is not well thought out, if it's supposed to be a security feature.
@alexv3780
@alexv3780 2 years ago
Or they could add verification in the UEFI, if the CPU PSB is not set or set to another vendor then warn you that the computer is "not secure" or "tampered". I don't think they're doing it to protect the customers but to prevent the reuse of old parts -> sell more new computers.
@abaddon3k
@abaddon3k 2 years ago
Yikes, this makes the used Ryzen market a nightmare if it becomes more widespread.
@industrialmonk
@industrialmonk 2 years ago
I am old school I have just replaced the keyboard membrane & upgraded the RAM to 16k on my ZX81 (I have no idea how I am going to use 16k) but I have been repairing upgrading computers of all types (although not vacuum tube) & this is the WORST IDEA EVER & SHOULD BE BANNED. I have unlocked CPUs using (pencil or conductive paint/glue) & have built computers using parts from all types (home/servers/clusters) this will kill any recycling or reuse & kill my fun.
@haruhitakato
@haruhitakato 2 years ago
PSB is a nightmare
@rlmtech
@rlmtech 2 years ago
Absolutely ridiculous, if I purchase any hardware I’d like to be able to use it as I please. If I purchase multiple systems from different vendors am I not allowed to swap parts around even if just for troubleshooting.. I fail to see how that can be an issue for security!!
@patrickfinie4102
@patrickfinie4102 2 years ago
This is reminding me of the Thinkpad 1802 boot error.
@fredericomba
@fredericomba 2 years ago
I reluctantly use a notebook, because I still don't feel like I own the hardware. With desktop computers, I can replace parts at will, fix it at will, install any operating system at will. *I really like hardware that respects my freedom*. I'm glad that you have let everyone know of this practice of Lenovo. All that these corporations understand is money, so we must simply abstain from giving money to them and give money to those that do respect our freedom. I'm glad we have more initiatives nowadays of hardware that even has open source BIOSes and allows users to have true ownership of it.
@denvera1g1
@denvera1g1 2 years ago
11:53 I suggested something similar, but I'd argue that either non-PSB processors should not work in the motherboard, or there should be a motherboard lock for PSB with a pre-POST splash screen provided by the ARM processor that basically says if you continue to boot, PSB chain of trust will be permanently broken. Because if I can compromise a PSB-enabled motherboard with a non-PSB processor, and then turn around and compromise vendor-locked PSB processors, is it really that secure?
@LiEnby
@LiEnby 2 years ago
If PSB is enabled on BIOS but PSB permanently disabled.. don't boot? I guess idk
@denvera1g1
@denvera1g1 2 years ago
@@LiEnby Right, or there is a splash screen that allows you to disable PSB on whichever part has it enabled; this should require the BIOS password to be entered.
@wewillrockyou1986
@wewillrockyou1986 2 years ago
Was thinking about this de-PSBing of CPUs too, I'm surprised there wasn't something like that implemented from the start.
@JoshDoingLinux
@JoshDoingLinux 2 years ago
Vendor locking in any way is bad for consumers, customers and the environment.
@rockytom5889
@rockytom5889 2 years ago
Environment aside, it costs me fucking more money to buy a whole new machine instead of just swapping parts.
@markarca6360
@markarca6360 2 years ago
They started with their WLAN cards, and now, this one!
@relaxxxrrr
@relaxxxrrr 2 years ago
Looks like AMD built this feature to provide motherboard level OS security. Not so corporations could hold hardware hostage for anti-trust level parts branding and monopolizing. So AMD should have no problems providing users with a CPU back door boot option that opts out of this security feature. Otherwise this is massively unethical.
@LiEnby
@LiEnby 2 years ago
What's to stop a hacker using that backdoor tho .. hmm
@timramich
@timramich 2 years ago
Back when Epyc Rome first came out I scored a second-hand CPU for $600. Now they're all $1,500+ and most are vendor-locked. Wish I would have just bought a second one back then.
@dolphhandcreme
@dolphhandcreme 2 years ago
Bought a M75Q Gen2 for a customer in Germany. Same here, vendor locked. What garbage.
@Vinterloft
@Vinterloft 2 years ago
No problem, they've been on my boycott list for the better part of a decade
@RmFrZQ
@RmFrZQ 2 years ago
I want to support this motion too, but then what vendor do you suggest? HP? Dell? With Lenovo out, there is only HP left who doesn't hide specifications and maintenance/disassembly manuals from customers and keep them publicly available.
@ky5666
@ky5666 2 years ago
@@RmFrZQ System76 doesn't just sell laptops but rackmount servers as well.
@simplemechanics246
@simplemechanics246 2 years ago
It is actually very good. No more recycled questionable computer systems.
@mrfluffyhedgehog
@mrfluffyhedgehog 2 years ago
Knowing this there is literally no way I would ever buy hardware like this, not even at a hefty discount. If anything PSB has to be fully reversible on the device via a BIOS setting. Everything else is a flat no buy from me.
@seamon9732
@seamon9732 2 years ago
It's just clearly anti-consumer when it cripples the secondhand market like that. Worse, it generates tons more e-waste because of greed. Let's face it, that "security" song and dance excuse is not the first time we hear it and it's just as deceptive as in all the other cases in the electronics market. It's just programmed forced obsolescence.
@deusexaethera
@deusexaethera 2 years ago
Good to know, but why does it matter? I'm not going to buy a brand-new Lenovo ThinkCentre just so I can pull out the CPU and put it into a different computer. That would be a waste of money.
@ServeTheHomeVideo
@ServeTheHomeVideo 2 years ago
Aftermarket CPUs can be less expensive than the upgrades from a vendor (very common in servers as an example) so people configure lower-end CPUs, then replace them assuming they can sell the original CPU for some value. This is not common in the primary market (large corporations) but does happen on these both when they are new and on the secondary market.
@McPlot28
@McPlot28 2 years ago
Vendor locking should be illegal.