A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Windows 10 » Windows 10 Help Forum
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

An area where AMD server processors are more secure than Intel, thatwe pray never comes to desktop!



 
 
Thread Tools Rate Thread Display Modes
  #1  
Old September 12th 20, 06:51 AM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel, thatwe pray never comes to desktop!

AMD's server Epyc processors have a security feature that doesn't even
exist in Intel yet: vendor-locked CPU's! If you install an Epyc
processor into certain servers from vendors like HP or Dell, that
processor will lock itself into that vendor and never work on any other
manufacturer's system again.

It's called PSB, Platform Secure Boot. The Epyc processor starts out as
a standard vendor-agnostic Epyc processor, but if it's installed into
one of these vendor's motherboards, during the first ever boot, the
motherboard BIOS will send the processor a lock code which will then
lock in that processor to that vendor forever! This is done to make sure
that no insecure code can be sent to modify the BIOS after that. Pretty
cool, but that also means that you can never sell that processor on the
used market again, after you're done with that particular processor.

Something like this coming to the client side would be a nightmare, as
selling old processors is a common thing. Did you know that this feature
existed? Intel processors can't do this yet, but Epyc processors have
been able to do this for 2 years already.

https://www.servethehome.com/amd-psb...ity-at-a-cost/

https://www.youtube.com/watch?v=kNVuTAVYxpM&t=1241s
Ads
  #2  
Old September 12th 20, 08:57 AM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors like
HP or Dell, that processor will lock itself into that vendor and never
work on any other manufacturer's system again.


Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?
  #3  
Old September 12th 20, 11:10 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.


Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?


Intel has this too. If this is the feature I think it is.

It's available on a "per-CPU-lot" basis.

If Tyan were to build 10,000 systems, it would say to Intel
"Hey, Intel, I need a Tyan-only signature stamped on this CPU".

If this is the feature being referred to, it only allows a
Tyan-signed BIOS to work on the motherboard. If you had
say a "CoreBoot" OpenFirmware BIOS, it would not boot on
your "Tyan-lot" processor.

This can be done on any processor, I don't think it's restricted
to just server processors. If you check the Intel Ark site, you
can see whether a given processor supports it. If support is
present, a company still has to order the processor with a
signature in it, to make it "armed and dangerous". You can
still have the feature on a processor with no signature loaded,
and the processor behaves "normally" and loads any BIOS.

Most processors aren't likely to have it, but if you buy
second-hand processors, after a certain year, it could be
present as a feature. If you were buying Core2 Xeons for
example, it's not likely to affect you. But say a 10th generation
chip, out of some Dell, well, who knows really. They could
put it on an Optiplex (a machine that supports Management Engine).

Intel probably has some minimum lot size for purchase
of this feature. If Tyan issues a BIOS update for its board
with that kind of CPU in it, then the Tyan BIOS tool signs
the executable portion, and then the BIOS when it loads,
the Intel processor checks the signature. POST will stop
if the signature doesn't match.

Something like that.

It mainly sticks a fork in CoreBoot type activities. And
since not a lot of progress is possible there, maybe not
that many people are affected. I would hope such processors
are BGAs and *soldered* to their motherboard, as socketed
CPUs which could be separated from the motherboard, this
would be a bad thing.

I could see some "unhappy Ebay activity" because of this.
We'll just have to wait until that generation comes off-lease
to hear the howls as the odd person gets burned on a purchase.
A responsible company would *only* do that for soldered
processors, but how many of those companies are like that
exactly ? AMD doesn't offer all its processors in solder-down
versions. And a lot of Xeons have been sold, by plucking them
out of motherboards, so the history of the topic is, it's
very easy for a "I got burned" scenario to arise. Now,
how often would a Tyan or Mitac product do that ? Dunno.
But I think it *has* shipped that way, so it's not a zero-uptake
feature. It's out there. They've used it.

If you were shopping for second hand processors, you
probably wouldn't have the correct motherboard in any case.
The motherboard might cost $800 to $1000, and if the
people parting these out are grinding up the Tyan motherboards,
there'd be no "platform" for you to use the processor
anyway. Only a person clever enough to buy an empty
motherboard today, then wait five years for part-out,
only that individual would get burned on an Epyc. It
would take real skill and cunning to run into the problem.

It would be low-end processors where the problem would
be more pernicious. $4000 processors at bargain Ebay
prices as pulls, you're not likely to have the $800 mobo
on hand for it. If they grind up the (unbranded) motherboards,
they won't be floating on Ebay. Who it might screw over,
is some shoestring SOHO outfit, hoping to score a fat
upgrade for their gutless server. And considering the
OS license fees (per core based), I really don't
see the economics of doing this. The OS license fee
will swamp out any sweet profit from buying Ebay processors.
If you have that much money to waste, you might as well
buy brand new kit.

Is it a bad idea ? Yes, of course. It's intended as
a profit center, couched as a security feature. Like
the NSA puts bugged BIOS in FEDEX shipments or
something... :-) That would never happen. Never.

Paul
  #4  
Old September 12th 20, 01:52 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default An area where AMD server processors are more secure than Intel, that we pray never comes to desktop!

"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.
And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.



  #5  
Old September 12th 20, 03:01 PM posted to alt.comp.os.windows-10
Jonathan N. Little[_2_]
external usenet poster
 
Posts: 1,133
Default An area where AMD server processors are more secure than Intel, that we pray never comes to desktop!

Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.


Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?


For AMD, prevents used CPU market. As with all things "Secure
[whatever]" has nothing to do with security and everything to do with
vendor-lock-in.

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
  #6  
Old September 12th 20, 03:08 PM posted to alt.comp.os.windows-10
Ken Blake[_7_]
external usenet poster
 
Posts: 569
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 5:52 AM, Mayayana wrote:
"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.



Nor have I. I've never bought or thought about buying a used computer
nor any computer component. I'm not interested in saving a few dollars
if it increases the risk of problems.


And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.





--
Ken
  #7  
Old September 12th 20, 05:10 PM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 3:57 AM, Andy Burns wrote:
Yousuf Khan wrote:

If you install an Epyc processor into certain servers from vendors
like HP or Dell, that processor will lock itself into that vendor and
never work on any other manufacturer's system again.


Maybe AMD think it'll cut down second hand CPU sales, but what security
does that offer anyone?


It's mainly in the server market, where the customers have actually been
/asking/ for this feature! It prevents you from installing modified
firmware into a server, unless it's from the same vendor who created
that hardware. There's a crypto key that identifies a vendor-provided
firmware, which can't be replicated by just anyone.

Yousuf Khan
  #8  
Old September 12th 20, 05:17 PM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 6:10 AM, Paul wrote:
Intel has this too. If this is the feature I think it is.

It's available on a "per-CPU-lot" basis.

If Tyan were to build 10,000 systems, it would say to Intel
"Hey, Intel, I need a Tyan-only signature stamped on this CPU".


Actually if you watch the video link that I provided, this is not the
exact same feature. This feature may come to Intel with the next
generation of Xeon processors.

It sounds like right now Intel has to special manufacture some
processors at the factory that stay locked to a specific vendor. Whereas
with this AMD feature, no special processors need to be manufactured,
it's all available with a standard Epyc processor. The Epyc processor
modifies its locking status after initial boot. The potential exists
that you can even get per-customer locking with this, where a special
crypto key is made for a large customer and all of the processors are
locked to that customer forever.

Yousuf Khan
  #9  
Old September 12th 20, 05:34 PM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 8:52 AM, Mayayana wrote:
"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.
And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.


That's exactly why buying used CPU's are common. If you can buy let's
say a 1st gen octa-core Ryzen for about the same price as a quad-core
new Ryzen, why wouldn't you do it? There might be at most a 10%
reduction in single-core performance, but a big rise in multi-core
performance. And they all fit into the same motherboards too.

Historically, in my life, I would say I may have bought maybe 20-30% of
my previous CPU's used. The rest were new ones, but I would have to say
in many cases, the new processors I've bought were previous-generation
processors to save some money. Rarely have I bought cutting-edge current
generation processors (actually can't think of any time, but may have
happened); even if I did buy current generation, it would likely be a
lower-end one. But even buying low-end current, or high-end previous
gen, doesn't compare to the prices you'll get on used processors usually.

Yousuf Khan
  #10  
Old September 12th 20, 05:42 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

Yousuf Khan wrote:

It's mainly in the server market, where the customers have actually been
/asking/ for this feature! It prevents you from installing modified
firmware into a server


Why don't they just make the motherboard block firmware not signed by
the manufacturer?


  #11  
Old September 12th 20, 06:00 PM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 12:42 PM, Andy Burns wrote:
Yousuf Khan wrote:

It's mainly in the server market, where the customers have actually
been /asking/ for this feature! It prevents you from installing
modified firmware into a server


Why don't they just make the motherboard block firmware not signed by
the manufacturer?


If the CPU is locked, then you can't even run tools that can modify the
firmware.

Yousuf Khan
  #12  
Old September 12th 20, 07:04 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify the
firmware.


Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios? It's a tail wags dog reason for locking the
cpu to the manufacturer.


  #13  
Old September 12th 20, 07:15 PM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Default An area where AMD server processors are more secure than Intel, that we pray never comes to desktop!

On Sat, 12 Sep 2020 07:08:10 -0700, Ken Blake wrote:

On 9/12/2020 5:52 AM, Mayayana wrote:
"Yousuf Khan" wrote

| Something like this coming to the client side would be a nightmare, as
| selling old processors is a common thing.

It is? I've never thought of buying a used CPU.



Nor have I. I've never bought or thought about buying a used computer
nor any computer component. I'm not interested in saving a few dollars
if it increases the risk of problems.


Nor have I. I've built and upgraded dozens and dozens of PCs over the
years, for myself and others, and never once have I considered selling or
buying a used processor. The feature being discussed in this thread would
have no effect on me.


And it has to fit the board, anyway. I paid about $65
for my current 8-core, 3.3 GHz AMD. Why buy used?
Though I have noticed that prices seem to have
gone crazy. I wonder why? They seem to start at $200+
these days.


  #14  
Old September 12th 20, 08:53 PM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 2:04 PM, Andy Burns wrote:
Yousuf Khan wrote:

If the CPU is locked, then you can't even run tools that can modify
the firmware.


Surely you can if you leave the original cpu in the server, or how do
you ever upgrade the bios?* It's a tail wags dog reason for locking the
cpu to the manufacturer.


Well, I think the BIOS is wholly separate from the crypto-key that locks
the processor to the system. If the BIOS comes from the same vendor of
the server, then they would use the same crypto key to upgrade it. So if
there is a single crypto key for the same vendor, then that processor
will always work with that vendor's upgrades.

Yousuf Khan
  #15  
Old September 12th 20, 09:06 PM posted to alt.comp.os.windows-10
Yousuf Khan[_2_]
external usenet poster
 
Posts: 2,447
Default An area where AMD server processors are more secure than Intel,that we pray never comes to desktop!

On 9/12/2020 2:22 PM, Char Jackson wrote:
If it were me, and with the benefit of hindsight, I would have bought new
and avoided all of that back and forth. Money isn't tight enough here to
consider buying a used processor or GPU, nor would I try to sell one.

I get what you're saying, but it's not for me.


An RX480 was about $400 new. Then the 2017 Crypto bubble occurred, and
those cards soared up to double or triple their original price, if you
remember. Once the bubble finally burst, prices plunged back down to
around $250 for a new one (well, there were no more new RX480's, they
were only RX580's by then, which was just a rebadged RX480). But used
versions were around $100-$150. Substantial savings still even after new
ones were discounted, and I actually got mine for even less at $90
(which was later fully refunded to me). Also as you saw, a lot of them
still had their original warranties still in effect.

Prior to that I used to buy used parts locally on local classifieds, and
that was even easier to fix if they went wrong, you just recontacted the
guy you bought it from because he was local to you. I still buy locally,
just bought an used AC router locally, to replace another (new) AC
router that I had that went bad, $25 used, $250 when it was new. If
these things work now, then likely they will work for a long time into
the future. Even if they konk out after a few years, you've gotten your
money's worth.

Yousuf Khan
 




Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off






All times are GMT +1. The time now is 04:53 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
Copyright 2004-2023 PCbanter.
The comments are property of their posters.