Lenovo is Using AMD PSB to Vendor Lock AMD CPUs

  • Thread starter Patrick Kennedy

alex_stief

Active Member
May 31, 2016
ELI5: what is the actual security benefit from locking CPUs to a certain vendor?
These articles really pound on that aspect, but I haven't seen an explanation that I can understand.
 

DavidRa

Infrastructure Architect
Aug 3, 2015
Central Coast of NSW
www.pdconsec.net
There's honestly no benefit that I see here in forcing a CPU to be used only with a specific vendor platform. The CPU doesn't have any storage so it's not like you would be able to exfiltrate data. Putting it in another motherboard only enables the other motherboard - it doesn't break security on the original server.

About the only thing it seems to do is enforce wasting a CPU if the underlying machine dies - you won't be able to transplant it into another board/server/workstation unless it's the same vendor. Absolutely pathetic behaviour IMO. Blocks ebay sales and the like.

Unless... OK I just thought of something while writing the above paragraphs.

What if the CPU effectively contains the TPM? That would mean you could pull a CPU and use it to unlock BitLocker or similar on a completely different board. It's still pants-on-head stupid, but it's the only scenario I can conceive at the moment (it enables stealing data by stealing the CPU and disk, and assumes you don't have a Lenovo to transplant into).
 

NablaSquaredG

Active Member
Aug 17, 2020
Isn't the general rule of thumb anyway:

If an attacker has physical access to your machine, you've lost no matter what?
 

Evan

Well-Known Member
Jan 6, 2016
If you lock the CPU to the system, then somebody can’t replace the CPU after delivery with one that has a back door built in. It seems, though, such a small risk that I can’t see the justification. I think it’s just vendors trying to control quality and ensure a market for their own branded parts.
 

NablaSquaredG

Active Member
Aug 17, 2020
No, that doesn't work...
The CPU is locked to a specific vendor, but you can always drop new CPUs into the board which are then again fused to the specific vendor.

There might be additional security features that lock a board to a specific CPU, but the vendor locking feature from the article just locks a CPU to the vendor.
 

alex_stief

Active Member
May 31, 2016
Just to be clear, this wasn't some shady attempt to get a statement out of someone, just to dunk on it immediately. I would genuinely like to know what the security benefit is.

To quote the article: "The benefit of a hardware root of trust will make sense to many of our readers."
Judging by the responses so far, the benefit is not as obvious as the article claims. So some clarification might be needed, @Patrick.
 

NablaSquaredG

Active Member
Aug 17, 2020
IMHO, this whole PSB vendor locking thing only fixes one attack vector:
modified / malicious UEFI / BIOS / firmware.
If the UEFI / BIOS / firmware is not signed by the vendor, a vendor-locked CPU will refuse to boot, whereas a non-vendor-locked CPU would happily work.

It does not protect against malicious CPUs, as the CPU gets locked to the BIOS / vendor, not vice versa.

If an attacker manages to put a modified BIOS onto your server, you've got other issues to worry about.
 
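To make the point above concrete, here is an added simulation of the PSB check; it is not code from the thread, from Lenovo or from AMD. A CPU fuses to the hash of the first vendor key it boots with, then rejects firmware signed by any other key or modified after signing, while a fresh CPU dropped into the same board fuses just the same. Ed25519 stands in for the real signature scheme, and the fuse layout is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// CPU models the PSB-relevant state of a processor. Once fused it holds a hash of
// the vendor's signing key (assumption: real fuse layout is simplified here).
type CPU struct {
	VendorKeyHash [32]byte
	Fused         bool
}

// Firmware is a UEFI image plus the vendor's public key and signature over it.
type Firmware struct {
	Image     []byte
	VendorPub ed25519.PublicKey
	Signature []byte
}

// NewVendorKey constructs a vendor signing key for the simulation.
func NewVendorKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignFirmware is what a board vendor does to its UEFI build.
func SignFirmware(priv ed25519.PrivateKey, image []byte) Firmware {
	pub := priv.Public().(ed25519.PublicKey)
	return Firmware{Image: image, VendorPub: pub, Signature: ed25519.Sign(priv, image)}
}

// Boot models the PSP's check before the x86 cores are released.
func (c *CPU) Boot(fw Firmware) (bool, string) {
	if !ed25519.Verify(fw.VendorPub, fw.Image, fw.Signature) {
		return false, "firmware signature invalid" // modified image, any CPU
	}
	keyHash := sha256.Sum256(fw.VendorPub)
	if c.Fused && keyHash != c.VendorKeyHash {
		return false, "CPU is fused to a different vendor key" // locked CPU
	}
	// Unfused CPU: boot and irreversibly fuse to this vendor; fused-and-matching: boot.
	c.VendorKeyHash, c.Fused = keyHash, true
	return true, "boot ok"
}
```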

kapone

Well-Known Member
May 23, 2015
The only reaction to these kinds of situations that makes sense is...

[image: facepalm-head.jpg]