Something that I have been working on for the past few days is confirming that Lenovo is indeed using AMD PSB or Platform Secure Boot in its AMD EPYC platforms. One of the key reasons was that we had a user report in the STH Forums that they purchased a number of the Lenovo ThinkStation P620’s only to find that the AMD Threadripper Pro CPUs were being vendor locked to Lenovo platforms. We did not have additional CPUs to test the feature when we did our Lenovo ThinkStation P620 review, however we call the Threadripper Pro the “WEPYC” since it is effectively a workstation EPYC. As such, it has the ability for AMD PSB to be used.
What is AMD PSB? Why Should We Care?
AMD PSB has been a polarizing feature on STH, and for good reason. The feature helps establish a hardware root of trust from the CPU to the rest of the system. When one reads about stories with supply chain tampering, this is the type of feature that is designed to help prevent that. The first company we found using this was Dell EMC. HPE initially confirmed, then said it was not using the CPU vendor locking feature while we were in discussions around our HPE Trusted Supply Chain Servers Built in the USA piece. Now we have confirmation from Lenovo.
The benefit of a hardware root of trust will make sense to many of our readers, but there is another side: using AMD PSB vendor locks CPUs to a vendor ecosystem. If one purchases a system with the intent to upgrade later, then the CPUs that come out of a Lenovo system will be locked to that ecosystem. Likewise, one can use a new tray CPU in a Lenovo system with PSB, but cannot use a CPU that had previously been in a Dell EMC server and vendor locked to Dell in a Lenovo server.
So while a server vendor, like Lenovo, can create more secure solutions, it comes at the expense of enabling a circular economy where chips can be repurposed in the future.
Final Words
Lenovo typically focuses its server marketing on getting reviews from less independent sources than STH which is likely why this has not been found previously. The company had asked about getting AMD servers reviewed just before we published the AMD PSB piece. We completely understand why this is a sensitive topic for Lenovo since it offers a great security feature while also bringing up the question of increasing eWaste and limiting a circular economy.
Eventually, we expect more vendors to enable this feature, and it will come to more areas of the server market and potentially expand in the workstation market as well. We simply wanted to post this since it was not something we were able to test in our Lenovo ThinkStation P620 review. We can understand the latest user report in our forums on that system given Lenovo confirmed today that it is enabling the vendor locking feature in its server line that uses a similar processor.
Again, since there are implications to the circular economy, we wanted to ensure our readers are aware of this feature from Lenovo.
More reason to not do business with the Lenovos or Dells of the world. It is vendor lock in, plain and simple.
The whole PSB fusing is just a clumsy and absolutely ridiculous attempt to kill the entire second hand / refurbished hardware market.
AMD used to be the likable alternative to Intel due to their attractive pricing and, at least in the consumer market, upgradability, but they are risking losing that advantage and once again sink into insignificance.
EPYC and Threadripper (Pro) are becoming more and more unattractive:
– Vendor lock / fusing of CPUs without ANY WAY to check! Is the CPU dead? Is it fused? Dust in the socket?
– No proper upgrade paths!
– TR4: AMD straight up lied about the future-proofness of socket TR4 and made a lot of enthusiasts VERY angry by forcing TRX40 for Threadripper 3000. Additionally there is no info at all whether there will be Threadripper 5000 for TRX40, making TRX40 essentially worthless
– sWRX8: No info whether there will be a Zen3 Threadripper Pro
– SP3: The motherboard drama – With very few exceptions, you either get 7001+7002 support or 7002+7003 support on dual socket boards.
I’m very disappointed by AMD.
Actually, we all know that AMD PSB is not going for security. That’s only excuse. It is all about how to continue to charge end user a premium for the same CPU he can get much cheaper elsewhere. It’s also about how to disable a client to buy 2nd server CPU in open market, as was before with server vendor bundling CPU and VRM, CPU and cooler, etc. etc.
Dell, HPE, Lenovo do not do a good job at selling the feature.
They should conclude with “Think about the Children!” :-)
@Dario IME it’s the other way around. 7003 series EPYC CPUs tend to be cheaper from Lenovo (especially dual socket) than buying them without a system. Probably why locking them to Lenovo makes sense for Lenovo.
Lenovo makes their money on NVMe/SSD drive mark ups and support contracts.
Isn’t it the wrong way around for security? If you can still put a CPU not signed by Lenovo in the system, and there is no way to tell from the OS that your CPU is signed by Lenovo, what’s the point? Where’s the root of trust?
It would make sense from a security standpoint if the system would also only accept these vendor locked CPUs, and if you can read a pubkey from the OS to verify everything, I always assumed this is how it worked.
If a potential supply chain attacker can just drop in a fresh CPU, what is the point?
The security idea is that no adversary can tamper with the BIOS and use the encryption keys inside the CPU to decrypt data, because the CPU would refuse to work with a modified non-vendor-signed BIOS.
Having the CPU just reset the encryption keys in such a case would be the way if it was *only* about security. Having the CPU refuse to work entirely is clearly a move to wilfully destroy the second-hand/homelab market for Epyc.
1. I don’t really buy into the argument that Lenovo/DELL are just greedy because the market for second hand server CPUs is almost non-existant. The ratio of 2nd hand sales to new sales is much smaller than for desktop CPUs and even that is tiny.
2. The manufacturers should have been more open about this.
I really don’t see how this confers any advantage to the owners. At the very least this should be optional.
Holy crap… “NablaSquaredG” above is spewing some grade A NONSENSE.
“TR4: AMD straight up lied about the future-proofness of socket TR4”
Unlike with AM4, AMD NEVER guaranteed forwards compatibility on TR4 for a set length of time. It’s not AMD, but YOU that are lying here. I get that you obviously bought a TR4 board and felt betrayed because AMD didn’t match AM4’s absurd longevity (despite AMD NEVER saying it would).
And we know EXACTLY why TRX40 exists! Doubling the width of the PCIe connection between the CPU & chipset along with supporting 64-core monsters required a SIGNIFICANT rejiggering of the electrical pin-out. AMD choose to break compatibility so that they could significantly improve the flexibility/expandability of the Threadripper platform. It’s not like it was a Coffee Lake type “we just want you to buy another board” like you are claiming…
And there’s PLENTY of info that Threadripper 5000 is coming to TRX40! Literally EVERY SINGLE leaked AMD roadmap with “Chagall” (Threadripper 5000) on it, has that as the listed platform… You’re an idiot if you think AMD would do ALL that work with TRX40 to abandon it after a SINGLE generation (even TR4 got 2). And if TRX40 gets Zen 3, WRX80 inevitably will as well.
I get that you are seriously butthurt over TR4, but that’s no excuse to spew a bunch of lies & half-truths… -_-
NablaSquaredG is ALSO ridiculously wrong about the reasons for doing this kind of lock-in…. The 2nd hand server & professional workstation market is already practically NON-EXISTANT. It was dead WAY before this ever happened. Enterprise customers DON’T BUY USED COMPUTER HARDWARE!!! The reasons this is done are entirely security focused, but again, because he feels like AMD burnt him with TR4 he obviously feels like everything they are doing recently must be evil/anti-consumer too.
Coee:
Got out of the wrong side of bed today?
AMD confirmed this to me when met them at Embedded World 2018 (Nuremberg). So yes, I am obviously not amused.
Also, there’s no valid technical reason. On AM4 and X370, Ryzen 3000 is supported.
On 1st Gen SP3 motherboards, EPYC 7002 is supported (yes, some got a rev 2, but that’s also due to the 2666->3200 memory frequency support).
On TR4, Threadripper 3000 is not supported.
Given the compatibility on the other two sockets and their statement at Embedded World, the assumption that TR4 will support Threadripper 3000 was perfectly valid and justified.
There would’ve been ways to achieve compatibility if they had wanted it. But they decided against, which is a perfectly valid decision from a sales point of view.
There are improvements, yes, but like I said: You can also use Ryzen 3000 CPUs on chipsets from three(!) different generations. I repeat: There would’ve been ways to achieve compatibility if they had wanted it.
You’re saying that there are leaks about Threadripper 5000, which is true. But leaks are not official information and given the current situation and their previous decisions, they might as well decide to abandon TRX40 and sWRX8 in favour of Zen4, given that leaks also say that AMD is / was planning to release Zen4 (with DDR5, which will need new motherboards anyway – but it’s a valid excude this time) in 2021.
Unless there is an official announcement regarding Threadripper (Pro) 5000, there is absolutely no certainty that there will be Threadripper (Pro) 5000.
Cooe that’s not the way to do PR :p
@Lasertoe
Of course greed is also a factor here. Server/workstation OEMs want to discourage customers from buy a low-spec model and upgrade to a better CPU right away (as the cost delta is sometimes larger than the street price). Customers then sell the low-spec CPU to recover some of the cost, but that is now effectively blocked. So now OEMs can get away with even more egregious upgrade prices.
Wait the Chinese vendor is doing something that’s bad for the environment? Do tell.
I’d love (or not) to see someone implementing a working trojan that burns fuses on all AMDs chips. With tons and tons of RMAs, loss of sales, public riots and wide AMD management buttsmokes.
PS: stop using reCaptcha, write your own!!
The observation that it might be possible for malware to disable a CPU by burning the OPT fuses so it fails to recognize the BIOS anymore seems significant.
For example, a state-sponsored WannaCry-style attack could disable significant parts of another country’s computing infrastructure in a way that would take a long time to recover from. This kind of hacking has already been correlated to real military operations as demonstrated, for example, by the shutdown of the local train services in Mumbia a few months ago.
Mumbai
The observation that it might be possible for malware to disable a CPU by burning the OPT fuses so it fails to recognize the BIOS anymore seems significant.
For example, a state-sponsored WannaCry-style attack could disable significant parts of another country’s computing infrastructure in a way that would take a long time to recover from. This kind of hacking has already been correlated to real military operations as demonstrated, for example, by the shutdown of the local train services in Mumbai a few months ago.
I’m am waiting for Right to Repair to pass in my country so all this crap is made illegal! IT CANNOT COME FAST ENOUGH, IT SEEMS!! >:-(
Re: circular economy where chips can be repurposed in the future
Patrick has struck a nerve quite close to my chest, that still pains me whenever I think about it.
I may be the one and only one IT Enthusiast who is running an extended experiment
to see just how long 2 x Windows XP workstations can function without errors.
I truly hate the prospect that either would end up in some solid-state landfill,
merely because the powers that be now regard them as “obsolete” [sic].
Many hours went into tuning a compatible set of system and application software,
and that effort paid off in many ways with huge amounts of reliable productivity.
Most recently, we’ve been exploring 2.5GbE PCIe adapters: please note well that
the raw clock rate of an x1 PCIe 1.0 slot is 2.5GHz — identical bandwidth!
Guess what?
The Realtek RTL8125 has drivers for currently “supported” operating systems,
but nobody has been willing to give me a straight answer about the availability,
or lack of availability, of a Windows XP device driver for that controller.
I did get an email message from ASUSTOR’s Tech Support last week with vague advice to “find a friend who speaks Chinese”, but there was no further advice for my friends who do
happen to speak Chinese!
I must presume that the “CONFIGURE” tab in device “Properties” is written in Chinese; but, without knowing where to find that driver, I can’t know for sure.
NOW HEAR THIS: Realtek’s website has a DOWNLOAD section which lists a .zip file with device drivers for “WinXP” — both x32 and x64 versions. BUT THEY DON’T WORK!!
@Cooe: second hand server CPU market non-existent? Every single working CPU gets resold on every level, from the smallest to the largest cloud providers, exactly none will get rid of old servers/CPU if they can still make a profit from them. These move by the hundreds or more all the time. These lots generally don’t go via Ebay if that’s what is confusing you.