Do EPYC Milan CPUs even exist for sale?

gsrcrxsi

Active Member
Dec 12, 2018
199
61
28
So I have a 7443P finally. After my last post, I cancelled that order with BLT and ordered the HPE upgrade kit instead. I got that last week. I had some issues getting it to boot, but it turned out to be a faulty ram module. Swapped it out with another I had (same part number), and it booted fine. Waiting on a satadom as the one I got was 7-pin power, and I guess supermicro only supports 8-pin.
Where did you order from?
 

AugustaLemke

New Member
Sep 6, 2021
15
1
3
So I have a 7443P finally. After my last post, I cancelled that order with BLT and ordered the HPE upgrade kit instead. I got that last week. I had some issues getting it to boot, but it turned out to be a faulty ram module. Swapped it out with another I had (same part number), and it booted fine. Waiting on a satadom as the one I got was 7-pin power, and I guess supermicro only supports 8-pin.
There is no way that worked in a Supermicro board.

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/

That processor is vendor locked to HPE (which is why it is being sold as an HPE upgrade kit). I have to call BS on this one.
 

DRW

New Member
May 1, 2021
19
6
3
There is no way that worked in a Supermicro board.

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/

That processor is vendor locked to HPE (which is why it is being sold as an HPE upgrade kit). I have to call BS on this one.
It's spelled out in the same article you linked:

Edit: 2020-09-09 – HPE clarified that they are doing this in a different manner than Dell after initially confirming that they were using the AMD PSB feature. After this went live, HPE sent us the following:

HPE does not use the same security technique that Dell is using for a BIOS hardware root of trust. HPE does not burn, fuse, or permanently store our public key into AMD processors which ship with our products. HPE uses a unique approach to authenticate our BIOS and BMC firmware: HPE fuses our hardware – or silicon – root of trust into our own BMC silicon to ensure only authenticated firmware is executed. Thus, while we implement a hardware root of trust for our BIOS and BMC firmware, the processors that ship with our servers are not locked to our platforms. (Source: HPE)
The HPE supplied processors are not vendor locked.
 

ectoplasmosis

Active Member
Jul 28, 2021
119
51
28
There is no way that worked in a Supermicro board.

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/

That processor is vendor locked to HPE (which is why it is being sold as an HPE upgrade kit). I have to call BS on this one.
This is not how the ‘vendor lock’ works; no need to ‘call BS’ on anyone.

I am running several HPE upgrade kit EPYCs on self-built Asrock board based servers with no issues.

As has been already mentioned, even with Dell OEM EPYCs, the fuses that lock the CPU to a particular board don’t get blown until that CPU is booted in a Dell motherboard. If they’re box-fresh, they can be used in any board without a problem.
 
  • Like
Reactions: dfi

AugustaLemke

New Member
Sep 6, 2021
15
1
3
I just got off the phone with my HPE rep and they said that there are no efuses being blown in the 7001/7002 EPYCs which corresponds with when that article was written. Starting in the 7003 EPYCs they started blowing efuses and that they are now vendor locked.
I am running several HPE upgrade kit EPYCs on self-built Asrock board based servers with no issues.
Zen 1, 2, or 3?
 

ectoplasmosis

Active Member
Jul 28, 2021
119
51
28
I just got off the phone with my HPE rep and they said that there are no efuses being blown in the 7001/7002 EPYCs which corresponds with when that article was written. Starting in the 7003 EPYCs they started blowing efuses and that they are now vendor locked.

Zen 1, 2, or 3?
The fuses don’t get blown unless the CPU is booted by a motherboard that commands it to blow its fuses.

This has always been the case.
 
  • Like
Reactions: DRW

AugustaLemke

New Member
Sep 6, 2021
15
1
3
The fuses don’t get blown unless the CPU is booted by a motherboard that commands it to blow its fuses.

This has always been the case.
I would assume they do factory testing of the processor in a board to ensure it works?

Besides QA, you also break the chain of custody if you don't cryptographically sign it before it ships to the customer.
 
Last edited:

ectoplasmosis

Active Member
Jul 28, 2021
119
51
28
I would assume they do factory testing of the processor in the boards, no? By not doing it, you also break the chain of trust.
No.

The CPUs are factory fresh direct from the manufacturer (AMD). When the fuses are blown, they are then tied to a particular individual mainboard. If this occurred before them being shipped, they wouldn’t work at all except in the board they were tested with.

There are many of us using HPE upgrade kit EPYCs in non-HP systems. I have 6x 7302 and 2x 7443P HPE kit CPUs running happily in DIY Asrock ROMED8-2T based machines.

The CPUs themselves appear to be identical to the non-HPE-sourced OEM tray units I also have.
 

AugustaLemke

New Member
Sep 6, 2021
15
1
3
No.

The CPUs are factory fresh direct from the manufacturer (AMD). When the fuses are blown, they are then tied to a particular individual mainboard. If this occurred before them being shipped, they wouldn’t work at all except in the board they were tested with.

There are many of us using HPE upgrade kit EPYCs in non-HP systems. I have 6x 7302 and 2x 7443P HPE kit CPUs running happily in DIY Asrock ROMED8-2T based machines.

The CPUs themselves appear to be identical to the non-HPE-sourced OEM tray units I also have.
I don't think it's tied to a particular motherboard. The article says vendors store the public key associated with the private key that they use to sign their firmware.

Motherboards only have the public key and the private key is typically stored on an airgapped network and used (by HP or Dell) to securely sign BIOS updates. At the very least it's never shipped with the motherboard since that would allow anyone to sign BIOS updates if they got ahold of that private certificate. The motherboard is only validating the signature, it doesn't do any code signing.

Also, it would make no sense from a security standpoint to blow the efuse at the customer site. If the customer already has a compromised BIOS or BMC (before the processor gets installed), the malware can simply choose to not burn the efuse OR just burn their own custom certificate. I'm not saying they don't do that (especially if you said you had success). I just think that's dumb from a security standpoint.
 
Last edited:

ectoplasmosis

Active Member
Jul 28, 2021
119
51
28
I don't think it's tied to a particular motherboard.

Also, it would make no sense from a security standpoint to blow the efuse at the customer site.
From the article you linked:

AMD processors are shipped unlocked from the factory, and can initially be used with any OEM’s motherboard. But once they are used with a motherboard with PSB enabled, the security fuses will be set, and from that point on, that processor can only be used with motherboards that use the same code signing key.

I don’t think the mechanism in question works the way you think it does.

It was developed by cryptographers with a far greater understanding of the topic than us.

Regardless, as I keep trying to explain; both from experience and AMD’s own description, this mechanism is not a ‘vendor lock’ from the factory, and all EPYC CPUs are shipped unlocked. There are no special HPE/Dell etc SKUs.
 

AugustaLemke

New Member
Sep 6, 2021
15
1
3
How do warranties work with HPE/Dell processors?

Say you had these in your ASRock or Supermicro boards and the processor dies and you need the processor replaced. Or you purchase it and you're getting all sorts of issues that point to it being a processor problem and you need to get it exchanged.

If you bought it as an OEM tray, you can go to AMD. In this case you have to go to Dell or HPE and they will want to know your service tag (of the HPE or Dell server you don't own) or have you run diagnostics that you can't run.

How would that work? Are you essentially purchasing these processors with no warranty?
 
  • Like
Reactions: Keith Myers

ectoplasmosis

Active Member
Jul 28, 2021
119
51
28
How do warranties work with HPE/Dell processors?

Say you had these in your ASRock or Supermicro boards and the processor dies and you need the processor replaced. Or you purchase it and you're getting all sorts of issues that point to it being a processor problem and you need to get it exchanged.

If you bought it as an OEM tray, you can go to AMD. In this case you have to go to Dell or HPE and they will want to know your service tag (of the HPE or Dell server you don't own) or have you run diagnostics that you can't run.

How would that work? Are you essentially purchasing these processors with no warranty?
I’ve never had a CPU fail in 25 years of building systems.

If one of our HPE EPYCs do develop a fault, I’ll attempt to claim via the warranty, but our budget allows for just purchasing a replacement.

Any risks associated with us buying HPE upgrade kits were more than offset by the fact that we were able to procure the CPUs we needed to get our systems online via this method, amongst a chronic worldwide drought of EPYC CPUs, especially 3rd Gen.
 
  • Like
Reactions: DRW

AugustaLemke

New Member
Sep 6, 2021
15
1
3
Now that it has been almost a month, has anyone who ordered from Provantage gotten their processor yet? I took the plunge a few days ago and purchased one and there is no delivery date yet.

I'm just trying to get a feel of how long it took to get.
 

DRW

New Member
May 1, 2021
19
6
3
Now that it has been almost a month, has anyone who ordered from Provantage gotten their processor yet? I took the plunge a few days ago and purchased one and there is no delivery date yet.

I'm just trying to get a feel of how long it took to get.
I think it was about 2 weeks. I never got a shipping notice. In fact, they still showed it as unshipped for another couple weeks after I received it. There are other threads more focused on the HPE kits, e.g. https://forums.servethehome.com/ind...yc-rome-cpu-via-hpe-upgrade-very-cheap.26877/
 

AugustaLemke

New Member
Sep 6, 2021
15
1
3
I think it was about 2 weeks. I never got a shipping notice. In fact, they still showed it as unshipped for another couple weeks after I received it.
It looks like they do dropshipping with HP. Was a signature required or was it just left at your doorstep?