Since it is a holiday weekend in the US, we have a quick story today. As you may have read previously on STH, Lenovo is vendor locking AMD Ryzen CPUs in its systems. This is something we have seen previously on SP3 CPUs (even Threadripper Pro ones), but we ran into factory vendor-locked CPUs as part of our Project TinyMiniMicro series on Socket AM4.
Lenovo Vendor Locking Ryzen CPUs with AMD PSB the Video
Here is the video on Lenovo vendor-locking AMD Ryzen CPUs using the AMD PSB, or platform secure boot feature:
We always suggest watching this in its own window, tab, or YouTube app for the best viewing experience.
One thing added compared to theĀ Lenovo Vendor Locking Ryzen-based Systems with AMD PSB piece a few days ago is my suggestion for how PSB should work in the future:
- AMD ships chips with fuses not blown
- Vendor sets PSB to ensure no post-factory tampering from the factory to the customer
- Have the ability to de-PSB CPU (perhaps by blowing all field-programmable fuses)
- A CPU that has gone through the de-PSB process cannot be used again with the PSB feature but can be used in any system with PSB disabled
- All systems should allow PSB enabled or disabled with an indication on which is being used
The above steps would allow CPUs to be used on the secondary market for those who are simply trying to upgrade or for those in lower per capita income areas where purchasing full-price new CPUs is not always possible, especially a few years after purchase. Once a CPU has moved system to system, then having the PSB feature validating that the hardware has not been tampered with seems like it would be less useful since there was indeed purposeful tampering.
Doing the above would decrease the amount of e-waste Lenovo is generating by enabling the PSB feature on its chips, while at the same time enabling an up-cycling opportunity for those who cannot afford to purchase new systems.
Final Words
AMD PSB is a game-changing feature for the second-hand market. We are starting to see some vendors disclose when AMD chips have been vendor locked to Lenovo and Dell systems, but primarily on the EPYC side. This impacts Lenovo Threadripper Pro systems like theĀ Lenovo ThinkStation P620 as well. The challenge is that with AMD Ryzen and AM4, there are a lot more consumers and enthusiasts that can potentially be impacted as the volumes and market segment is different than it is for servers and high-end workstations. We hope AMD and its customers take these suggestions.
i think it would be better if AMD hadn’t implemented such a feature.
the cause of this “evil” is AMD, not the vendors like Lenovo, Dell, etc etc.
AMD is causing e-waste !!!
Since this is an anti-recycling and anti-self-maintaining feature, this particular security feature should come with additional e-waste fees at the time of purchase, unless as you say they make it opt-in and opt-out.
They were doing this before with the Epyc chips – and it’s played out exactly as I expected – they are now moving to all chips. Hopefully someone will crack the Platform Security Processor that’s behind all this nonsense and we’ll have completely unlocked CPUs that way.
Now I know my next CPU is going to be an Intel one. No AMD, this is completely unacceptable.
Patrick, you should probably link to the original PSB article at the beginning for context, since as some of the above comments indicate, there’s certainly some misconceptions about whats going on.
Till then for people just reading the comments – (or you can check out patrick’s full article on the context which he links in the word ‘Epyc’ in the conclusion of this article):
– the vendor lock is a firmware signing security feature to prevent systems from working with firmware that doesnt match the key burned in the fuses
– intel implements this feature as well.. in the IME which is located not on the CPU but rather the PCH, which is soldered on the board anyways and thus eliminates the whole ewaste/reuse problem
– AMD chose to put the PSP on the cpu die not the chipset, because the cpus are designed to be useable as SoCs without an additional chip (ex epyc boards, or ryzen 300 (chipsetless) boards)
– the security feature was requested by customers of dell/lenovo/etc, who then requested it of AMD
– AMD should be held accountable for half-baking a feature in such a short-sighted way, but its hardly at the level of ‘being evil’
– pester your representatives to support smarter designed, re-use friendly hardware. Right to repair has been gaining significant traction, and this should be able to ride along with it. I’ve previously sent out emails to the departments for my representatives about this and related topics.
Syr I added a few links for you. Good idea.
@Syr: Dell/Lenovo etc. say it was requested by customers. I have yet to see evidence for that. And why was this anti-feature enabled for everyone, not just the customers in question?
This will be fun to watch when someone figures out how to make a system believe it is vendor locked out while it shouldn’t. And a lame excuse for recycling a bad idea like some DRM implementations. E.g. the Canon ink cartridge chips https://www.golem.de/news/canon-der-endgueltige-beweis-dass-drm-weg-kann-2201-162308.html https://www.heise.de/news/Chipmangel-Canon-verkauft-Tonerkartuschen-ohne-Identifikationschips-6322816.html
https://www.bleepingcomputer.com/news/legal/canon-sued-for-disabling-scanner-when-printers-run-out-of-ink/
https://www.infotrends.com/news/editors-desk/2021/october/canon-usa-hit-with-class-action-lawsuit-for-disabling-mfp-scanfax-features/?alttemplate=editordeskitem
Whatever the original noble (?) intentions, only the end result counts IMHO.
AMD PSB as now used by Dell, Lenovo, etc smells like the printer manufacturers do by putting some firmware in their ink cartridges and abusing the original intention of the DMCA to make it a felony to make 3rd party cartridges bypassing or copying the firmware.
It’s also interesting that the expression “DRM implementation” has replaced “copy protection” as it was called up to the early 90’s. Just make it sound better and more noble I guess?
Looks also these days about the INTEL 12th Gen killing support for honest users playing copy protected 4K BlueRay by dropping SGX.
Or SONY who at some point made its CDs unplayable in an attempt to copy protect them.
Or 800-pound gorilla network switch manufacturers making their switch booting linked to some PSU firmware. So you can only replace the PSU with the “brand”. Obviously the “noble” reason is to include the PSU into the health testing of the switch. The other consequences are just colateral. Right?
When applying different “protection” on different technologies, the result is always the same: make things incompatible and obsolete, destined to the e-waste heap. End users at the end of the commercial chain are always the ones who suffer from it.
AMD PSB is now destined to be hacked some day so that you can still buy used EPYC and Threadrippers from eBay and have them work on another used mobo bought on eBay or elsewhere. Vendors on eBay or equivalent will quickly learn their lessons: recurrent buyers returning the goods and screaming for reimbursement because they don’t work. After sometime most vendors will stop reselling these things which will eventually be dropped into the landfill. Only a few smart vendors will be educated enough to guaranty the CPU + mobo couple. Buyers will be then forced to buy either a CPU or a mobo that was not their first choice.
Users (me included) buying used data center hardware is a drop in an ocean of corporate buyers, so who cares?
I believe copyrights, patents, laws like the DMCA are good for protecting people working hard on creating new products, new solutions and making $ out of it. They will be abusers. It is supposed to be a balancing act. Large corporations donate $$$ to congress members, you as an individual can’t match that. So the system has the tendency to lean toward the former, not the latter.
So yes, while waiting for laws preventing the abuse of “protection/security” schemes which will never be enacted, either you don’t buy the used products, either you hack them (usually with solutions created and donated freely by people smarter than you.)
Second-hand buyers are nobody’s concern. E-waste is a bigger concern, but as usual, that’s somebody else’s concern that today’s decision makers can kick down the road.
Right now, this is a supply-chain concern for buyers. When you buy next-business day warranties and your vendor cannot deliver replacement parts for a week, it’s important to have alternate sources for spares. This reduces that supply.
This is such a minuscule portion of potentially available CPUs in the grand scheme of things that the outrage is out of proportion.
AFAIK, this is a Ryzen Pro only feature so affects only machines bound for the enterprise. Same enterprise that recycles their units. Recyclers sell 100% of working units. So that leaves you with CPUs from dead parted out enterprise units.
Lets look at some 3-4 year old Ryzen Pros to get an idea what we will be missing out on when these CPUs hit the market.
Three… Ryzen Pro 7 2700 sold on eBay the last 90 days in North America. Over 100 non-Pro in the same period of time.
Those three Ryzen Pro 7 2700 sold on eBay are more expansive, harder to get, have lower TDP, have lower base and boost clocks, and can not be overclocked compared to the Non-Pro model. Who would actually want them exactly?
Come on people. The outrage machine needs to check itself.
The feature, is CPU level Root trust and helps keep the BIOS secure. By the time these CPUs come up in second hand markets, the feature will trickle down to the Non-Pro CPUs and just like TPM 2.0, probably be required in the next version of Windows.
Now that I know AMD is allowing this to happen with desktop CPUs, I am going to make sure that my next CPU will be an Intel one. It absolutely should not be possible for a CPU, installed in a motherboard, to blow any one-time-programmable fuses. This should be only possible in a manufacturing environment (with a suitable voltage applied to the VPP pin, for example). There is *NO WAY* it should be possible in a standard motherboard. AMD, by doing so, you are enabling malware authors to physically render CPUs inoperable.