Skip to main content

Lenovo Using PSB on Threadripper and EPYC Systems To Reduce CPU Tampering

Data center
(Image credit: Shutterstock)

ServeTheHome has just confirmed that Lenovo is fully utilizing AMD's Platform Secure Boot (or PSB) in its server and workstation pre-built machines. This feature locks AMD's Ryzen Pro, Threadripper Pro, and EPYC processors out from being used in other systems in an effort to reduce CPU theft.

More specifically, this feature effectively cancels out a CPU's ability to be used in another motherboard, or at least a motherboard not from the original OEM. If a thief wanted to steal these chips, they would have to hack the PSB hardware and firmware to get the chip functioning in other hardware.

But that would be super difficult to do. AMD's Platform Secure Boot runs on a 32-bit AMD secure ARM SoC with its own operating system. The hardware isolation is another layer of security for the system, as it's nearly impossible to access FSB since the system won't be able to detect the ARM processor in the main operating system.

In theory, this feature is an excellent idea. It effectively makes these chips OEM exclusive, which can help reduce CPU theft. On the other hand, this feature will prevent current owners of these pre-builts from using the chips in other systems down the road.

It's not much of a problem today, but suppose the system gets a CPU upgrade in the future. The old CPU effectively becomes e-waste, unless it ends up in the hands of someone who already has a compatible Lenovo system. Alternatively, if a motherboard fails, it locks the user into using a replacement motherboard from the original vendor.

Thankfully, this feature has to be enabled by an OEM in the first place, so you can still go out and buy an EPYC, Ryzen Pro, or Threadripper Pro CPU/system that isn't using this feature specifically. Still, this feature can be a double edged sword. Most people buying servers aren't going to be swapping chips out and using them in other systems, so this potential issue should be quite rare.

Perhaps more worrisome is that Ryzen Pro processors from the Renoir and Cezanne families also support PSB. Enabling it on that sort of hardware and the resulting vendor lock-in would limit the ability to part out such PCs in the future.

  • velocityg4
    That's horrible. Old CPU's pulled from three year old servers and workstations was a great way for people to do powerful DIY workstations and servers on the cheap. Just more ewaste. Because manufacturers don't believe people own the products they purchased. Nor do they have the right to tinker with or repair them. They'd all be as locked down as an iPhone if they thought their customers would put up with it.

    Lenovo doing this to prevent CPU theft sounds about as plausible John Deere locking down their tractors for the safety of farmers. They did this to sell more servers and to reduce the second hand market.
    Reply
  • NightHawkRMX
    Lenovo, nobody is going to believe you.

    Nobody is walking into a data center wearing a mask, tearing apart a rack of servers, stealing the CPUs out of them, then running out of the datacenter under the cloak of the night.
    Reply
  • drtweak
    How about they make it in a way where you can unpair the CPU and Motherboard but in a secure way so that you still can't just take them out?

    But then @NightHawkRMX had a great point. Like I'm going to take down a server in a rack and then steal the Epyc CPU and just put it back. Unless you have something else to put back in its place and do it fast pretty sure someone would notice.
    Reply
  • kal326
    For rack servers this is absolutely ridiculous. Nobody is going to break into a datacenter to steal just the chips. Any other along the supply line theft they would just steal the whole unit.

    Workstations, again people will just steal the whole thing. It’s not like nobody is going to notice you taking a chip out or taking one somewhere to return back unnoticed.

    This is simply to block out second hand sales under the guise of security or theft prevention. Hopefully Dell or HP which would probably have more of the US workstation and rack unit market won’t do this. Or if they do, at least those chassis are common enough that you can find a matching pair. It’s just going to put more work on the recycling and refurbishment companies keeping them all separated.
    Reply
  • hotaru.hino
    drtweak said:
    How about they make it in a way where you can unpair the CPU and Motherboard but in a secure way so that you still can't just take them out?
    This is the same thing as adding a backdoor. Once the attackers figure out how to do it, welp.
    Reply
  • cryoburner
    As far as second-hand sales go, it sounds like the CPU could still be resold, just along with the original motherboard.
    Reply
  • NightHawkRMX
    cryoburner said:
    As far as second-hand sales go, it sounds like the CPU could still be resold, just along with the original motherboard.
    Yes, but no.

    The motherboards are most likely proprietary or non-standard, so even if you buy the CPU with the board included, It won't be able to be used without the rest of the chassis.
    Reply
  • spongiemaster
    kal326 said:
    For rack servers this is absolutely ridiculous. Nobody is going to break into a datacenter to steal just the chips. Any other along the supply line theft they would just steal the whole unit.

    Workstations, again people will just steal the whole thing. It’s not like nobody is going to notice you taking a chip out or taking one somewhere to return back unnoticed.
    Correct, they would steal the whole unit. But they aren't about to sell a pallet full of stolen Lenovo servers. How easy would that be to track? It's like car theft. The stolen car is usually stripped and sold for parts making it much more difficult to trace and more profitable. If the CPU requires the whole system to work it becomes much less attractive to someone trying to steal the system and part it out.
    Reply
  • Gillerer
    I don't think the writer of this piece even read the original ServeTheHome article.

    The feature has nothing to do with hardware theft. Instead it is meant to bolster security: A malicious actor can't replace the BIOS with their own concoction if the CPU will only accept firmware signed by the correct OEM.

    drtweak said:
    How about they make it in a way where you can unpair the CPU and Motherboard but in a secure way so that you still can't just take them out?

    According to the AMD statement quoted in ServeTheHome's article "AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost" from Sep 8, 2020:

    An OEM who trusts only their own cryptographically signed BIOS code to run on their platforms will use a PSB enabled motherboard and set one-time-programmable fuses in the processor to bind the processor to the OEM’s firmware code signing key.

    So it physically alters the CPU and is permanent.

    After that the CPU will only work with BIOS signed by that OEM, and therefore only their motherboards. A single POST on such motherboard will permanently lock any unlocked CPU. Any CPU previously locked to another OEM will not work at all.
    Reply
  • Co BIY
    Maybe server theft for crypto mines is a serious problem in China ?
    Reply