Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.

Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?

Intel has this too. If this is the feature I think it is.

It's available on a "per-CPU-lot" basis.

If Tyan were to build 10,000 systems, it would say to Intel
"Hey, Intel, I need a Tyan-only signature stamped on this CPU".

If this is the feature being referred to, it only allows a
Tyan-signed BIOS to work on the motherboard. If you had
say a "CoreBoot" OpenFirmware BIOS, it would not boot on
your "Tyan-lot" processor.

This can be done on any processor, I don't think it's restricted
to just server processors. If you check the Intel Ark site, you
can see whether a given processor supports it. If support is
present, a company still has to order the processor with a
signature in it, to make it "armed and dangerous". You can
still have the feature on a processor with no signature loaded,
and the processor behaves "normally" and loads any BIOS.

Most processors aren't likely to have it, but if you buy
second-hand processors, after a certain year, it could be
present as a feature. If you were buying Core2 Xeons for
example, it's not likely to affect you. But say a 10th generation
chip, out of some Dell, well, who knows really. They could
put it on an Optiplex (a machine that supports Management Engine).

Intel probably has some minimum lot size for purchase
of this feature. If Tyan issues a BIOS update for its board
with that kind of CPU in it, then the Tyan BIOS tool signs
the executable portion, and then the BIOS when it loads,
the Intel processor checks the signature. POST will stop
if the signature doesn't match.

Something like that.

It mainly sticks a fork in CoreBoot type activities. And
since not a lot of progress is possible there, maybe not
that many people are affected. I would hope such processors
are BGAs and *soldered* to their motherboard, as socketed
CPUs which could be separated from the motherboard, this
would be a bad thing.

I could see some "unhappy Ebay activity" because of this.
We'll just have to wait until that generation comes off-lease
to hear the howls as the odd person gets burned on a purchase.
A responsible company would *only* do that for soldered
processors, but how many of those companies are like that
exactly ? AMD doesn't offer all its processors in solder-down
versions. And a lot of Xeons have been sold, by plucking them
out of motherboards, so the history of the topic is, it's
very easy for a "I got burned" scenario to arise. Now,
how often would a Tyan or Mitac product do that ? Dunno.
But I think it *has* shipped that way, so it's not a zero-uptake
feature. It's out there. They've used it.

If you were shopping for second hand processors, you
probably wouldn't have the correct motherboard in any case.
The motherboard might cost $800 to $1000, and if the
people parting these out are grinding up the Tyan motherboards,
there'd be no "platform" for you to use the processor
anyway. Only a person clever enough to buy an empty
motherboard today, then wait five years for part-out,
only that individual would get burned on an Epyc. It
would take real skill and cunning to run into the problem.

It would be low-end processors where the problem would
be more pernicious. $4000 processors at bargain Ebay
prices as pulls, you're not likely to have the $800 mobo
on hand for it. If they grind up the (unbranded) motherboards,
they won't be floating on Ebay. Who it might screw over,
is some shoestring SOHO outfit, hoping to score a fat
upgrade for their gutless server. And considering the
OS license fees (per core based), I really don't
see the economics of doing this. The OS license fee
will swamp out any sweet profit from buying Ebay processors.
If you have that much money to waste, you might as well
buy brand new kit.

Is it a bad idea ? Yes, of course. It's intended as
a profit center, couched as a security feature. Like
the NSA puts bugged BIOS in FEDEX shipments or
something... :-) That would never happen. Never.

Paul