An area where AMD server processors are more secure than Intel, thatwe pray never comes to desktop!

AMD's server Epyc processors have a security feature that doesn't even
exist in Intel yet: vendor-locked CPU's! If you install an Epyc
processor into certain servers from vendors like HP or Dell, that
processor will lock itself into that vendor and never work on any other
manufacturer's system again.

It's called PSB, Platform Secure Boot. The Epyc processor starts out as
a standard vendor-agnostic Epyc processor, but if it's installed into
one of these vendor's motherboards, during the first ever boot, the
motherboard BIOS will send the processor a lock code which will then
lock in that processor to that vendor forever! This is done to make sure
that no insecure code can be sent to modify the BIOS after that. Pretty
cool, but that also means that you can never sell that processor on the
used market again, after you're done with that particular processor.

Something like this coming to the client side would be a nightmare, as
selling old processors is a common thing. Did you know that this feature
existed? Intel processors can't do this yet, but Epyc processors have
been able to do this for 2 years already.

https://www.servethehome.com/amd-psb...ity-at-a-cost/

https://www.youtube.com/watch?v=kNVuTAVYxpM&t=1241s

Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors like
HP or Dell, that processor will lock itself into that vendor and never
work on any other manufacturer's system again.

Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?

Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.

Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?

Intel has this too. If this is the feature I think it is.

It's available on a "per-CPU-lot" basis.

If Tyan were to build 10,000 systems, it would say to Intel
"Hey, Intel, I need a Tyan-only signature stamped on this CPU".

If this is the feature being referred to, it only allows a
Tyan-signed BIOS to work on the motherboard. If you had
say a "CoreBoot" OpenFirmware BIOS, it would not boot on
your "Tyan-lot" processor.

This can be done on any processor, I don't think it's restricted
to just server processors. If you check the Intel Ark site, you
can see whether a given processor supports it. If support is
present, a company still has to order the processor with a
signature in it, to make it "armed and dangerous". You can
still have the feature on a processor with no signature loaded,
and the processor behaves "normally" and loads any BIOS.

Most processors aren't likely to have it, but if you buy
second-hand processors, after a certain year, it could be
present as a feature. If you were buying Core2 Xeons for
example, it's not likely to affect you. But say a 10th generation
chip, out of some Dell, well, who knows really. They could
put it on an Optiplex (a machine that supports Management Engine).

Intel probably has some minimum lot size for purchase
of this feature. If Tyan issues a BIOS update for its board
with that kind of CPU in it, then the Tyan BIOS tool signs
the executable portion, and then the BIOS when it loads,
the Intel processor checks the signature. POST will stop
if the signature doesn't match.

Something like that.

It mainly sticks a fork in CoreBoot type activities. And
since not a lot of progress is possible there, maybe not
that many people are affected. I would hope such processors
are BGAs and *soldered* to their motherboard, as socketed
CPUs which could be separated from the motherboard, this
would be a bad thing.

I could see some "unhappy Ebay activity" because of this.
We'll just have to wait until that generation comes off-lease
to hear the howls as the odd person gets burned on a purchase.
A responsible company would *only* do that for soldered
processors, but how many of those companies are like that
exactly ? AMD doesn't offer all its processors in solder-down
versions. And a lot of Xeons have been sold, by plucking them
out of motherboards, so the history of the topic is, it's
very easy for a "I got burned" scenario to arise. Now,
how often would a Tyan or Mitac product do that ? Dunno.
But I think it *has* shipped that way, so it's not a zero-uptake
feature. It's out there. They've used it.

If you were shopping for second hand processors, you
probably wouldn't have the correct motherboard in any case.
The motherboard might cost $800 to $1000, and if the
people parting these out are grinding up the Tyan motherboards,
there'd be no "platform" for you to use the processor
anyway. Only a person clever enough to buy an empty
motherboard today, then wait five years for part-out,
only that individual would get burned on an Epyc. It
would take real skill and cunning to run into the problem.

It would be low-end processors where the problem would
be more pernicious. $4000 processors at bargain Ebay
prices as pulls, you're not likely to have the $800 mobo
on hand for it. If they grind up the (unbranded) motherboards,
they won't be floating on Ebay. Who it might screw over,
is some shoestring SOHO outfit, hoping to score a fat
upgrade for their gutless server. And considering the
OS license fees (per core based), I really don't
see the economics of doing this. The OS license fee
will swamp out any sweet profit from buying Ebay processors.
If you have that much money to waste, you might as well
buy brand new kit.

Is it a bad idea ? Yes, of course. It's intended as
a profit center, couched as a security feature. Like
the NSA puts bugged BIOS in FEDEX shipments or
something... :-) That would never happen. Never.

Paul

On 9/12/2020 6:10 AM, Paul wrote:
Intel has this too. If this is the feature I think it is.

It's available on a "per-CPU-lot" basis.

If Tyan were to build 10,000 systems, it would say to Intel
"Hey, Intel, I need a Tyan-only signature stamped on this CPU".

Actually if you watch the video link that I provided, this is not the
exact same feature. This feature may come to Intel with the next
generation of Xeon processors.

It sounds like right now Intel has to special manufacture some
processors at the factory that stay locked to a specific vendor. Whereas
with this AMD feature, no special processors need to be manufactured,
it's all available with a standard Epyc processor. The Epyc processor
modifies its locking status after initial boot. The potential exists
that you can even get per-customer locking with this, where a special
crypto key is made for a large customer and all of the processors are
locked to that customer forever.

Yousuf Khan

Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.

Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?

For AMD, prevents used CPU market. As with all things "Secure
[whatever]" has nothing to do with security and everything to do with
vendor-lock-in.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

On 9/12/2020 3:57 AM, Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.

Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?

It's mainly in the server market, where the customers have actually been
/asking/ for this feature! It prevents you from installing modified
firmware into a server, unless it's from the same vendor who created
that hardware. There's a crypto key that identifies a vendor-provided
firmware, which can't be replicated by just anyone.

Yousuf Khan

Yousuf Khan wrote:

It's mainly in the server market, where the customers have actually been
/asking/ for this feature! It prevents you from installing modified
firmware into a server

Why don't they just make the motherboard block firmware not signed by
the manufacturer?

On 9/12/2020 12:42 PM, Andy Burns wrote:
Yousuf Khan wrote:

It's mainly in the server market, where the customers have actually
been /asking/ for this feature! It prevents you from installing
modified firmware into a server

Why don't they just make the motherboard block firmware not signed by
the manufacturer?

If the CPU is locked, then you can't even run tools that can modify the
firmware.

Yousuf Khan

Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify the
firmware.

Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios? It's a tail wags dog reason for locking the
cpu to the manufacturer.

"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.
And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.

On 9/12/2020 5:52 AM, Mayayana wrote:
"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.


Nor have I. I've never bought or thought about buying a used computer
nor any computer component. I'm not interested in saving a few dollars
if it increases the risk of problems.


And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.





--
Ken

On Sat, 12 Sep 2020 07:08:10 -0700, Ken Blake wrote:

On 9/12/2020 5:52 AM, Mayayana wrote:
"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.


Nor have I. I've never bought or thought about buying a used computer
nor any computer component. I'm not interested in saving a few dollars
if it increases the risk of problems.

Nor have I. I've built and upgraded dozens and dozens of PCs over the
years, for myself and others, and never once have I considered selling or
buying a used processor. The feature being discussed in this thread would
have no effect on me.


And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.

On 9/12/2020 8:52 AM, Mayayana wrote:
"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.
And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.

That's exactly why buying used CPU's are common. If you can buy let's
say a 1st gen octa-core Ryzen for about the same price as a quad-core
new Ryzen, why wouldn't you do it? There might be at most a 10%
reduction in single-core performance, but a big rise in multi-core
performance. And they all fit into the same motherboards too.

Historically, in my life, I would say I may have bought maybe 20-30% of
my previous CPU's used. The rest were new ones, but I would have to say
in many cases, the new processors I've bought were previous-generation
processors to save some money. Rarely have I bought cutting-edge current
generation processors (actually can't think of any time, but may have
happened); even if I did buy current generation, it would likely be a
lower-end one. But even buying low-end current, or high-end previous
gen, doesn't compare to the prices you'll get on used processors usually.

Yousuf Khan

On 9/12/2020 1:51 AM, Yousuf Khan wrote:
AMD's server Epyc processors have a security feature that doesn't even
exist in Intel yet: vendor-locked CPU's! If you install an Epyc
processor into certain servers from vendors like HP or Dell, that
processor will lock itself into that vendor and never work on any other
manufacturer's system again.

So here's an example of exactly why this type of security is being
implemented, it's to prevent hardware hacks from being implemented in
the motherboards. In 2015, a bunch of servers were found with hardware
spyware installed directly in Supermicro server motherboards, that were
being sold to Amazon, Apple, and others.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies -
Bloomberg
https://www.bloomberg.com/news/featu...-top-companies

Yousuf Khan

In article , Yousuf Khan
wrote:

AMD's server Epyc processors have a security feature that doesn't even
exist in Intel yet: vendor-locked CPU's! If you install an Epyc
processor into certain servers from vendors like HP or Dell, that
processor will lock itself into that vendor and never work on any other
manufacturer's system again.

So here's an example of exactly why this type of security is being
implemented, it's to prevent hardware hacks from being implemented in
the motherboards. In 2015, a bunch of servers were found with hardware
spyware installed directly in Supermicro server motherboards, that were
being sold to Amazon, Apple, and others.

no they weren't.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies -
Bloomberg

https://www.bloomberg.com/news/featu...ow-china-used-
a-tiny-chip-to-infiltrate-america-s-top-companies

fabricated article with zero proof.

amazon, apple and supermicro have been unable to find *any* evidence.

the fbi, nsa, dhs and various other entities claim it's false.

nobody has been able to provide a hacked board or even a photo of one
with the chip, plus several of the sources cited in the article have
stated their statements were twisted and taken out of context.

it's yet another bogus bloomberg articles intended to deliberately
manipulate the stock market.