An area where AMD server processors are more secure than Intel, thatwe pray never comes to desktop!

On 09/12/2020 11:04 AM, Andy Burns wrote:
Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify
the firmware.

Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios?

I have an MSI Tomahawk Max (Ryzen) motherboard which can flash its BIOS
without a CPU or RAM installed. It only needs a power supply connected.

Corvid wrote:
On 09/12/2020 11:04 AM, Andy Burns wrote:
Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify
the firmware.

Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios?

I have an MSI Tomahawk Max (Ryzen) motherboard which can flash its BIOS
without a CPU or RAM installed. It only needs a power supply connected.

I have an Asus motherboard (Intel CPU), with the same feature.
Board does not need a CPU or RAM, to upgrade the BIOS.
Place a BIOS file on a USB stick, plug in USB stick,
push the button, it flashes up the BIOS chip. The USB
slot has a white tab, indicating it is different than the
slots above it.

https://i.postimg.cc/5ycg0V3V/biosflash.gif

Paul

On 9/13/2020 1:25 AM, Corvid wrote:
On 09/12/2020 11:04 AM, Andy Burns wrote:
Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify
the firmware.

Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios?

I have an MSI Tomahawk Max (Ryzen) motherboard which can flash its BIOS
without a CPU or RAM installed. It only needs a power supply connected.

Very unlikely that a server motherboard would make their BIOS this easy
to hack.

Yousuf Khan

Corvid wrote:

Andy Burns wrote:

Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify
the firmware.

Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios?

I have an MSI Tomahawk Max (Ryzen) motherboard which can flash its BIOS
without a CPU or RAM installed. It only needs a power supply connected.

Yep, and every server motherboard worth the name has a baseboard
management controller that could handle locking it down, without
involving the cpu.

Paul wrote:
Corvid wrote:
On 09/12/2020 11:04 AM, Andy Burns wrote:
Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify
the firmware.

Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios?

I have an MSI Tomahawk Max (Ryzen) motherboard which can flash its BIOS
without a CPU or RAM installed. It only needs a power supply connected.

I have an Asus motherboard (Intel CPU), with the same feature.
Board does not need a CPU or RAM, to upgrade the BIOS.
Place a BIOS file on a USB stick, plug in USB stick,
push the button, it flashes up the BIOS chip. The USB
slot has a white tab, indicating it is different than the
slots above it.

https://i.postimg.cc/5ycg0V3V/biosflash.gif


Since many mobos support this, (and for good reason such as building
with a newer CPU that requires bios update for support), then I sand by
my statement that 'As with all things "Secure [whatever]" has nothing to
do with security and everything to do with vendor-lock-in.'


--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

On 9/13/2020 5:19 AM, Andy Burns wrote:
Yep, and every server motherboard worth the name has a baseboard
management controller that could handle locking it down, without
involving the cpu.

Well, server motherboards would rather use the CPU to lock it down,
since that's the most powerful piece of silicon on the board, and it
reduces costs, not having to put a separate management controller.

Yousuf Khan

On 9/12/2020 1:51 AM, Yousuf Khan wrote:
AMD's server Epyc processors have a security feature that doesn't even
exist in Intel yet: vendor-locked CPU's! If you install an Epyc
processor into certain servers from vendors like HP or Dell, that
processor will lock itself into that vendor and never work on any other
manufacturer's system again.

So here's an example of exactly why this type of security is being
implemented, it's to prevent hardware hacks from being implemented in
the motherboards. In 2015, a bunch of servers were found with hardware
spyware installed directly in Supermicro server motherboards, that were
being sold to Amazon, Apple, and others.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies -
Bloomberg
https://www.bloomberg.com/news/featu...-top-companies

Yousuf Khan

In article , Yousuf Khan
wrote:

AMD's server Epyc processors have a security feature that doesn't even
exist in Intel yet: vendor-locked CPU's! If you install an Epyc
processor into certain servers from vendors like HP or Dell, that
processor will lock itself into that vendor and never work on any other
manufacturer's system again.

So here's an example of exactly why this type of security is being
implemented, it's to prevent hardware hacks from being implemented in
the motherboards. In 2015, a bunch of servers were found with hardware
spyware installed directly in Supermicro server motherboards, that were
being sold to Amazon, Apple, and others.

no they weren't.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies -
Bloomberg

https://www.bloomberg.com/news/featu...ow-china-used-
a-tiny-chip-to-infiltrate-america-s-top-companies

fabricated article with zero proof.

amazon, apple and supermicro have been unable to find *any* evidence.

the fbi, nsa, dhs and various other entities claim it's false.

nobody has been able to provide a hacked board or even a photo of one
with the chip, plus several of the sources cited in the article have
stated their statements were twisted and taken out of context.

it's yet another bogus bloomberg articles intended to deliberately
manipulate the stock market.