Lenovo is Using AMD PSB to Vendor Lock AMD CPUs

  • Thread starter Patrick Kennedy

alex_stief

Well-Known Member
ELI5: what is the actual security benefit from locking CPUs to a certain vendor?
These articles really pound on that aspect, but I haven't seen an explanation that I can understand.
 

DavidRa

Infrastructure Architect
There's honestly no benefit that I see here in forcing a CPU to be used only with a specific vendor platform. The CPU doesn't have any storage so it's not like you would be able to exfiltrate data. Putting it in another motherboard only enables the other motherboard - it doesn't break security on the original server.

About the only thing it seems to do is enforce wasting a CPU if the underlying machine dies - you won't be able to transplant it into another board/server/workstation unless it's the same vendor. Absolutely pathetic behaviour IMO. Blocks ebay sales and the like.

Unless... OK I just thought of something while writing the above paragraphs.

What if the CPU effectively contains the TPM? That would mean you could pull a CPU and use it to unlock BitLocker or similar on a completely different board. It's still pants-on-head stupid, but it's the only scenario I can conceive at the moment (it enables stealing data by stealing the CPU and disk, and assumes you don't have a Lenovo to transplant into).
 

NablaSquaredG

Layer 1 Magician
Isn't the general rule of thumb anyway:

If an attacker has physical access to your machine, you've lost no matter what?
 

Evan

Well-Known Member
If you lock the CPU to the system, then somebody can't replace the CPU after delivery with one that has a back door built in. It seems, though, such a small risk that I can't see the justification. I think it's just vendors trying to control quality and ensure a market for their own branded parts.
 

NablaSquaredG

Layer 1 Magician
No, that doesn't work...
The CPU is locked to a specific vendor, but you can always drop new CPUs into the board which are then again fused to the specific vendor.

There might be additional security features that lock a board to a specific CPU, but the vendor-locking feature from the article just locks a CPU to the vendor.
 

alex_stief

Well-Known Member
Just to be clear, this wasn't some shady attempt to get a statement out of someone, just to dunk on it immediately. I would genuinely like to know what the security benefit is.

To quote the article:
The benefit of a hardware root of trust will make sense to many of our readers
Judging by the responses so far, the benefit is not as obvious as the article claims, so some clarification might be needed, @Patrick.
 

NablaSquaredG

Layer 1 Magician
IMHO, this whole PSB vendor locking thing only fixes one attack vector:
Modified / malicious UEFI / BIOS / Firmware.
If the UEFI / BIOS / Firmware is not signed by the vendor, a vendor locked CPU will refuse to boot, whereas a non vendor locked CPU would happily work.

It does not protect against malicious CPUs, as the CPU gets locked to the BIOS / vendor, not vice-versa.

If an attacker manages to put a modified BIOS onto your server, you've got other issues to worry about.
 
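As an added illustration (not code from this thread, from AMD or from Lenovo), here is a toy model of the asymmetry described in the post above: a fresh CPU boots anything and, if enrollment is accepted, is fused to whichever vendor key the board's firmware carries, while an already fused CPU refuses firmware from another vendor or a modified image. The vendor key names, the hash-based stand-in for a signature and the enroll flag are constructed assumptions, not the real PSB implementation.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def _digest(*parts: bytes) -> str:
    return hashlib.sha256(b"|".join(parts)).hexdigest()


@dataclass(frozen=True)
class Firmware:
    vendor_key: bytes  # stands in for the vendor's public signing key (constructed)
    image: bytes       # the UEFI/BIOS image
    signature: str     # toy stand-in for the vendor's signature over the image


def sign_firmware(vendor_key: bytes, image: bytes) -> Firmware:
    """Vendor builds and 'signs' a firmware image (toy hash, not real PKI)."""
    return Firmware(vendor_key, image, _digest(vendor_key, image))


@dataclass
class Cpu:
    # One-time-programmable fuse holding the fingerprint of the enrolled vendor key.
    fused_key_hash: Optional[str] = None

    def boot(self, fw: Firmware, enroll: bool = True) -> str:
        """What this CPU does when the board hands it the given firmware."""
        key_hash = _digest(fw.vendor_key)
        if self.fused_key_hash is None:
            # Fresh CPU: boots either way; enrolling burns the fuse for good.
            if not enroll:
                return "booted (not fused)"
            self.fused_key_hash = key_hash
            return "booted and fused"
        # Fused CPU: only an intact image from the fused vendor boots.
        if self.fused_key_hash != key_hash:
            return "refused: vendor key mismatch"
        if fw.signature != _digest(fw.vendor_key, fw.image):
            return "refused: bad signature"
        return "booted"


def run_scenarios() -> dict:
    # All firmware images and keys below are constructed sample data.
    lenovo_fw = sign_firmware(b"LENOVO-KEY", b"lenovo-bios-v1")
    other_fw = sign_firmware(b"OTHER-VENDOR-KEY", b"other-bios-v1")
    tampered = Firmware(b"LENOVO-KEY", b"modified-bios", lenovo_fw.signature)
    cpu = Cpu()
    return {
        "fresh_cpu_in_lenovo_board": cpu.boot(lenovo_fw),
        "fused_cpu_in_other_vendor_board": cpu.boot(other_fw),
        "fused_cpu_with_modified_bios": cpu.boot(tampered),
        "fused_cpu_back_in_lenovo_board": cpu.boot(lenovo_fw),
        "fresh_cpu_declining_enrollment": Cpu().boot(lenovo_fw, enroll=False),
        "new_cpu_dropped_into_lenovo_board": Cpu().boot(lenovo_fw),
    }
```

The last scenario is the point made earlier in the thread: the check protects the fused CPU against foreign or altered firmware, but a replacement CPU dropped into the board is simply enrolled, so the board itself is not protected against a swapped CPU.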

kapone

Well-Known Member
The only reaction to these kinds of situations that makes sense is...

[image attachment: facepalm-head.jpg]
 

FedsAgainstGunS

New Member
I can confirm this is also present on at least my consumer platform. I have a ThinkCentre M75q Gen2 with a 4750GE. The OEM CPU does not work in all boards that I've tried. Surprised I didn't get a TDP warning, but when I tried a 4650G I get a prompt to "Press Y to lock the CPU and execute the Platform Secure Boot Process". At least this process is not automatic, in that you get the option to skip, and even disable the enrollment in the BIOS.
But, again, the main problem is that this processor is burned; it cannot be used in anything other than a Lenovo motherboard. You might not even be able to use it in different models like Ideacenter.
 
