ServeTheHome has just confirmed that Lenovo is fully utilizing AMD's Platform Secure Boot (or PSB) in its server and workstation pre-built machines. This feature locks AMD's Ryzen Pro, Threadripper Pro, and EPYC processors out from being used in other systems in an effort to reduce CPU theft.
More specifically, this feature effectively cancels out a CPU's ability to be used in another motherboard, or at least a motherboard not from the original OEM. If a thief wanted to steal these chips, they would have to hack the PSB hardware and firmware to get the chip functioning in other hardware.
But that would be super difficult to do. AMD's Platform Secure Boot runs on a 32-bit AMD secure ARM SoC with its own operating system. The hardware isolation is another layer of security for the system, as it's nearly impossible to access PSB since the main operating system cannot detect the ARM processor.
In theory, this feature is an excellent idea. It effectively makes these chips OEM exclusive, which can help reduce CPU theft. On the other hand, this feature will prevent current owners of these pre-builts from using the chips in other systems down the road.
It's not much of a problem today, but suppose the system gets a CPU upgrade in the future. The old CPU effectively becomes e-waste, unless it ends up in the hands of someone who already has a compatible Lenovo system. Alternatively, if a motherboard fails, it locks the user into using a replacement motherboard from the original vendor.
Thankfully, this feature has to be enabled by an OEM in the first place, so you can still go out and buy an EPYC, Ryzen Pro, or Threadripper Pro CPU/system that isn't using this feature specifically. Still, this feature can be a double-edged sword. Most people buying servers aren't going to be swapping chips out and using them in other systems, so this potential issue should be quite rare.
Perhaps more worrisome is that Ryzen Pro processors from the Renoir and Cezanne families also support PSB. Enabling it on that sort of hardware and the resulting vendor lock-in would limit the ability to part out such PCs in the future.
Lenovo doing this to prevent CPU theft sounds about as plausible as John Deere locking down their tractors for the safety of farmers. They did this to sell more servers and to reduce the second-hand market.
Nobody is walking into a data center wearing a mask, tearing apart a rack of servers, stealing the CPUs out of them, then running out of the datacenter under the cloak of the night.
But then @NightHawkRMX had a great point. Like I'm going to take down a server in a rack and then steal the EPYC CPU and just put it back. Unless you have something else to put back in its place and do it fast, pretty sure someone would notice.
Workstations, again people will just steal the whole thing. It’s not like nobody is going to notice you taking a chip out or taking one somewhere to return back unnoticed.
This is simply to block out second-hand sales under the guise of security or theft prevention. Hopefully Dell or HP, which would probably have more of the US workstation and rack unit market, won’t do this. Or if they do, at least those chassis are common enough that you can find a matching pair. It’s just going to put more work on the recycling and refurbishment companies keeping them all separated.
The motherboards are most likely proprietary or non-standard, so even if you buy the CPU with the board included, it won't be able to be used without the rest of the chassis.
The feature has nothing to do with hardware theft. Instead it is meant to bolster security: A malicious actor can't replace the BIOS with their own concoction if the CPU will only accept firmware signed by the correct OEM.
According to the AMD statement quoted in ServeTheHome's article "AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost" from Sep 8, 2020:
So it physically alters the CPU and is permanent.
After that, the CPU will only work with BIOS signed by that OEM, and therefore only their motherboards. A single POST on such a motherboard will permanently lock any unlocked CPU. Any CPU previously locked to another OEM will not work at all.
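A simplified model of the lock-in behaviour described in the comments above, added here as an illustration and not AMD's or any OEM's code. It assumes the CPU fuses a hash of the OEM's public key on its first POST in a PSB-enabled board, and it uses textbook RSA with constructed toy keys; every name in it (`Cpu`, `Firmware`, `toy_keypair`, "OEM A", "OEM B") is hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

E = 65537  # public exponent shared by the constructed toy keys

def toy_keypair(p: int, q: int) -> Tuple[int, int]:
    """Textbook RSA from two primes; returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass
class Firmware:
    image: bytes
    oem_n: Optional[int] = None   # OEM public modulus; None = PSB not enabled
    signature: int = 0

def sign(image: bytes, n: int, d: int) -> Firmware:
    return Firmware(image, n, pow(digest(image) % n, d, n))

@dataclass
class Cpu:
    fused_key_hash: Optional[bytes] = None   # one-time fuses; None = unlocked

    def post(self, fw: Firmware) -> str:
        if fw.oem_n is None:
            # Board without PSB: only a still-unlocked CPU boots (and stays unlocked).
            return "boot" if self.fused_key_hash is None else "halt: unsigned firmware"
        if pow(fw.signature, E, fw.oem_n) != digest(fw.image) % fw.oem_n:
            return "halt: bad signature"
        key_hash = hashlib.sha256(str(fw.oem_n).encode()).digest()
        if self.fused_key_hash is None:
            self.fused_key_hash = key_hash   # first POST on a PSB board: permanent
            return "boot (CPU now locked)"
        if self.fused_key_hash != key_hash:
            return "halt: locked to another OEM"
        return "boot"

def demo() -> list:
    # Constructed sample keys (Mersenne primes) and firmware images.
    oem_a = toy_keypair(2**61 - 1, 2**89 - 1)
    oem_b = toy_keypair(2**107 - 1, 2**127 - 1)
    fw_a, fw_b = sign(b"OEM A BIOS", *oem_a), sign(b"OEM B BIOS", *oem_b)
    tampered = Firmware(b"modified BIOS", fw_a.oem_n, fw_a.signature)
    cpu = Cpu()
    return [cpu.post(Firmware(b"retail BIOS")), cpu.post(fw_a), cpu.post(fw_a),
            cpu.post(fw_b), cpu.post(tampered), cpu.post(Firmware(b"retail BIOS"))]
```

The sequence in `demo()` covers both sides of the discussion: the same check that rejects a modified BIOS image also rejects another vendor's correctly signed firmware once the fuses are set.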