At STH, we have covered the AMD PSB or Platform Secure Boot feature several times. In the last week or so, we have gotten a few reports that Lenovo is now bringing this technology to the desktop market in its AMD Ryzen (Pro) systems. This makes sense, but let us quickly take a look at what is going on.
Lenovo Vendor Locking Ryzen-based Systems with AMD PSB
The first time we covered AMD PSB and the impact it can have is in our AMD PSB vendor Locks EPYC CPUs for Enhanced Security at a Cost back in 2020. That was focused on the server market, and Dell was an early adopter of this vendor locking technology as you can see in the accompanying video:
The basic premise of the technology is that it blows field-programmable fuses that lock an AMD CPU to the vendor’s system. The concept is to create a permanent platform so the CPU must align with the motherboard for security purposes. Many of our readers are rightfully nervous about this. One cannot tell a CPU has been PSB fused and so purchasing CPUs on the secondary market can be perilous. If, for example, one purchases a fused Lenovo or Dell AMD EPYC CPU and tries to put it in a non-Lenovo or Dell system it should not work.
In April 2021, we covered that Lenovo is Using AMD PSB to Vendor Lock AMD Ryzen Threadripper Pro CPUs. This means that Lenovo is expanding its AMD PSB use beyond the server market. One could rightfully argue that the Threadripper Pro is basically a Rome-based EPYC in a workstation guise. Still, it was the first we saw of expanding that beyond the server line.
Now we have confirmation that it goes beyond the EPYC-based CPUs, and it seems like Lenovo is enabling this feature on its Ryzen (Pro) lines as well. We did our Lenovo ThinkCentre M75q Gen2 Tiny Review and a question we have gotten is whether one can upgrade the CPUs. We generally advise against this practice as part of Project TinyMiniMicro, but we understand the reasoning.
The PSB locking behavior is now present on the M75q Tiny Gen2 as reported to STH on Twitter. Here is the screenshot warning when putting a new CPU into the Lenovo system from Dee on Twitter:
— Dee (@FedsAgainstGunS) December 22, 2021
There is also apparently an option to turn this behavior off with Lenovo:
Forgot to add, that on the consumer platform it gives you the option to turn this off for future CPUs, but the OEM CPU is definately vendor locked, swapped the 4750GE out for a 4650G to get this message, but 4750GE would not post in 4650G motrherboard pic.twitter.com/8JhnyXoJ5j
— Dee (@FedsAgainstGunS) December 22, 2021
There are a few things to be clear of here:
- Vendor locking CPUs using AMD PSB is an optional feature. Many vendors do not lock CPUs
- Lenovo seems to have committed to using the vendor locking feature across its line, including not just servers and high-end Threadripper Pro workstations like the Lenovo ThinkStation P620, but also the ThinkCentre M75q Tiny Gen2.
- A vendor-locked CPU can be installed in another system from the same vendor, but not swapped to a motherboard from a different vendor.
- We advise our readers to both disclose when they are selling a vendor-locked CPU so as not to have issues with the next user trying to use the vendor-locked CPU in another type of system
- We also advise our readers to be careful when attempting to upgrade a Lenovo AMD platform because of the AMD PSB use and potential to generate e-waste from the exercise
- Some online have said that the lock is between a specific motherboard and CPU. That clearly has challenges when a motherboard needs to be replaced, especially in the server market when a motherboard may cost $600 and the two CPUs may cost $10,000. As a result, AMD PSB locks to a vendor’s firmware signature key, not to a specific motherboard.
That is a lot to cover, but it is important that our readers get through all of those points.
Final Words
A quick thanks to Dee for posting this information on Twitter and being active in our TinyMiniMicro series. It is important that our readers know that Lenovo has chosen to implement this vendor-locking feature across its AMD range. We urge our readers, especially those looking at these machines as part of the Project TinyMiniMicro series, to share this with others so we can spread the word that Lenovo’s AMD systems are vendor-locking CPUs to platforms.
We have a Ryzen 5000 series M75q Tiny Gen2 inbound and will cover this when that arrives.
My opinion is this kind of vendor self regulation is likely to lead to government oversight to reduce e-waste–not only must every mobile phone use the same USB charger but all CPUs must use the same socket type and be interchangeable between all computer systems.
The moral of the story is that if vendors err by making things unnecessarily incompatible, government might step in with a regulation to make things unnecessary compatible.
I will not be buying any more Lenovo stuff.
Cannot see how this enhances security in any real sense.
That is absolutely terrible behavior on Lenovo side that should not and wont be tolerated by tech enthusiasts community.
Whatever fears over secure boot and TPM were – they were substantiated as these technologies are used to limit the user’s freedom and choices over his own hardware.
Lenovo = e-waste
> We have a Ryzen 5000 series M75q Tiny Gen2 inbound and will cover this when that arrives.
I warned about this already in an April 2021 comment on the Ryzen 4000 M75q Gen2 article. A Japanese review had found that the vendor-locking practice was extended to desktops. I asked STH back then if they could confirm, but Patrick would rather not try.
https://www.servethehome.com/lenovo-thinkcentre-m75q-gen2-tiny-review-amd-changes-the-game/#comment-473639
The Japanese review (with subtitles):
https://youtu.be/JYHXzBAdSLY?t=385
Lenovo’s CEO is a retard who used to laugh at Elon Musk, how he’s just a moron with unjustified salary.
Maybe we should flood Lenovo facebook so they explain this e waste approach?
Just one more reason to avoid Lenovo. Already prefer Dell and HP (and heck, Supermicro and ASRock) for much better support.
“Rather not try” chithanh? We just did not have the parts/ a second unit so I did not want to tell folks that we had tried if we did not.
Also, on most of the TMM nodes, I recommend not upgrading CPUs anyway since it usually costs more to do so once they hit the secondhand market.
Why are you calling it a “feature”?
It’s just awful news that this is becoming the norm, and I’m pretty appalled at AMD for creating such a wasteful feature – CPUs may be very cheap for them but sadly they aren’t for most of us.
My previous desktop started with a Pentium anniversary edition, before going up to an i5, then an i7 scavenged from dead dell desktops at work – what a shame that such chips might now be going to waste.
This is the same hardware”tattooing” that HP got sued for and lost back in the days of windows XP. The only difference is that back then customers didn’t have a choice and we had to get creative with programming to get around it, and it seems Lenovo is giving the choice to hardware lock your system or not. The only scenario I can see this as a feature is in a corporate/retail environment such as work stations that the company doesn’t want their property sold second hand or stolen and used. Other than that for the regular consumer market this is not something that would be used and it would be highly frowned upon. The other question is if the hardware lock can be undone later on, mainly so that when a company does decide to upgrade they would be able to sell the parts and systems in order to recoup some of the costs of the new systems.
What could the actual benefits be? That so.eone wont come into your warehouse, open server cases and just steal the CPUs? Even for deployments that strictly use Lenovo hardware, this would prevent future upgrades to an alternate vendors products. If Lenovo thinks this will help with customer retention, i believe they may have made a grave error.
Great write up, cant wait for the 5000 series, tried to get a sneak peak of the performance by using a 5700G and 5600G in my Gen2 but it wouldnt post, guess the BIOS just lacks the microcode because the 3400G worked fine.
I would love to chat with an expert on PSB because i see a few possible problems.
If PSB can be disabled, or in my case, PSB doesnt seem to do anything or notify you if you install a nonPSB processor, then why have vendor locking? In theory all an attacker would need to do is buy a cheap in-vendor motherboard, throw in a non-PSB processor, compromize the motherboard, and use that to compromize and seed PSB enrolled processors.
Also, there is a simple bypass to the issue of used markets, and disclaimers to machine recyclers that will also make PSB more secure in the process, protected against the above proposed attack. Any time a PSB processor goes into a new motherboard, even if it hasnt been enrolled in PSB, then fuse off part of the FPGA to say that this processor has lost its chain of trust. It can still boot, but it wont work with PSB, and ideally wouldnt boot in machines where it is enabled.
Anyone who believes the primary basis is not simple avarice is fooling themselves.
I still don’t understand this “hardware root of trust” business. If I’m really in the “super spooky” contingent, the last thing in the world i’m going to trust is firmware in concert with hardware I cannot validate in grear detail. The recent network security supply chain disaster is living proof. To (approximately) borrow from Mr Scott after he sabotaged the *Excelsior*,
“The more complex they make it, the easier it is to gum up the works!”
Just more seekreet sheeeeite that will eventually get outed after The Smartest Guys in the Room once again are discovered to have had an embarrassing accident with the punch bowl.
This is the kind of thing that will drive people to the Risc-5.
Okay, point taken. I will absolutely AVOID LIKE THE PLAGUE any used AMD Ryzen or similar processor listed as coming from any Lenovo machine on eBay and Amazon going forward. Thanks Patrick Kennedy for this alert. Once again, I’m being forced to question the reasoning for the continued use of PSB, especially when using processors that are socketed and clearly designed to be swapped/replaced/upgraded. If they’re gonna vendor-lock the CPU, why the hell bother using the Socket AM4 parts then? Just solder the chip to the mainboard using Socket FP6 and call it a day if you’re THAT worried about “security”. Laptop processors currently can’t be upgraded because they are soldered on the board, so I don’t reasonably expect PSB to disappear from AMD-based laptops any time soon (barring the government forcing some sort of legal action to demand that it be done away with, that is). But for socketed chips this should be illegal lock, stock and barrel. Once again, right to repair and the environment taking a massive back seat to fake “security” issues that don’t really exist, all to grift more money from the hapless buyer-user.
I wonder if an OS level virus could interfere with PSB and cause CPUs (unlocked or even already locked ones) to blow random fuses thus bricking the CPU for good.
This is a terrible feature in an age that we are trying to reduce e-waste, and I am going to boycott all AMD and Lenovo products until this “feature” is totally removed, not just “switched off”. Especially as there seems to be no good explanation for it, other than to increase sales and therefore e-waste.
I wasn’t planning to buy Lenovo anyway but at this point I’d be fine with them just going out of business. It should be a requirement for them to be etched on the lid if they’re crippled like this. No idea why it’s even used at all.
Patrick,
> “Rather not try” chithanh? We just did not have the parts/ a second unit so I did not want to tell folks that we had tried if we did not.
What for would you need a second unit? Do you have any other AM4 mobo that has the the Ryzen PRO 4750GE in its CPU compatibility list? An example would be the ASRock Rack X570D4U which STH reviewed in late 2020:
https://www.asrockrack.com/general/productdetail.asp?Model=X570D4U#CPU
So you could install it there to see whether it works, and report that to your readers.
We often do not have hardware for 7 months, plus STH moved in 2020 so by April the goal was to get everything back to vendors and not take on new products that we would have to move.
We also would have needed at least two more AM4 platforms that support the CPU for a control experiment, and at least one more CPU that was unlocked. We also would have wanted a second Lenovo system to test that.
I know things may sound simple, but we cannot test everything immediately.
I have ~250 M75t with AMD Ryzen™ 7 PRO 5750G incoming. So the CPU might be locked, I will test it in a few days. Is there any chance that this only affects Ryzen PRO and not the non-PRO?
Update:
I) Using a new CPU works if a) PSB is disabled or b) if you “lock” the new CPU if you want to use PSB
II) The shipped CPU (Ryzen 7 Pro 5750G) cannot be used in any other retail motherboard. I checked several vendors and chipsets. I haven’t checked if the locked CPU can be used in other Lenovo systems.
Conclusion: This is some sort of “killer feature” but in a bad sense…
This is BULLLLLLLL Lenovo, SHAME ON YOU!!! I can’t tell you how many low income families we have helped by making PC’s affordable to them using components off the second hand market. All this does is keep people from upgrading and pushes back “Right to repair” into the dark ages. STOP DOING THIS! Other vendors, just know the enthusiast community will always piece-meal something together before buying some locked down non-upgradable crap! They also speak very loudly to friends and family members when it comes to “What not to buy” Have a good day! ;)