AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost (servethehome.com)
342 points by virgulino 46 days ago | hide | past | favorite | 254 comments

Manufacturers push the term "gray market" to imply that resold goods are somehow bad and people who sell them are participating in something like an illegal black market. Reselling equipment is a normal part of doing business. There's nothing gray about it.

There is no separate market for new products that have been bought from manufacturers and resold. It's just one market. We don't need to refer to something that doesn't exist, so we don't need a special term for it.

The term "gray market" is linguistic manipulation to benefit manufacturers at the expense of customers, society, and the environment. Let's stop using the term.

For products that have been used, we have a "second-hand market".

In Europe there is indeed a market for new products that have been bought from manufacturers and resold right away, that's what's called a grey market. This happens because suppliers tend to use different pricing in countries with a different purchasing power, in order to extract more consumer surplus.

It's not uncommon that if you buy the cheapest product in a webshop in Northern Europe you will find it has a Polish user manual when it arrives. It's not illegal to do that (although suppliers would probably like it to be).

The same happens with servers, just compare USD and EUR prices on the Dell website.

It should not be considered a grey market. But it should be considered illegal to grossly vary prices inside the EU region. It's an extremely anti-consumer practice and all it does is, as you say, extract more money from the consumers.

There actually are rules that say you cannot charge different prices depending on the location of the buyer, but suppliers trivially manage to circumvent that by making a tiny change and giving it a different SKU.

Although I understand the sentiment, I'm not sure I would like additional legislation to try to prevent that. Even if you do manage to make that water tight the end result will probably mean higher prices for the consumers in countries with low purchasing power.

At no point will the manufacturer or distributors sell at a loss unless it's for strategic reasons. Perhaps the prices will go up in the countries with lower purchasing power, but it's bound to go down in the countries with higher purchasing power. That may or may not be intentional, but it's clearly possible to sell it at the low price, so they could just do that.

> In Europe there is indeed a market for new products that have been bought from manufacturers and resold right away.

These businesses are called suppliers; there is nothing grey / illegal / dodgy about the business model of suppliers.

Tesco lost a long court case in the UK about the right to buy and sell Levi jeans: https://www.theguardian.com/business/2002/aug/01/clothes.mar...

Common market, hell yeah! And when they are "exporting" goods outside of Poland they get their VAT back (0% VAT). Really cute.

It is called arbitrage in finance if I recall right.

And what should be illegal is pricing things with such huge differences between regions in the same market, or having the same brand's product have grossly different quality/composition between regions.


Because it is exploitative?

You use your brand, widely known, to sell inferior product for cheap. I would call it an 'official' counterfeit. Worst case - some of those inferior products were sold at higher markup!

Definition of gray market

Merriam-Webster: a market employing irregular but not illegal methods especially : a market that legally circumvents authorized channels of distribution to sell goods at prices lower than those intended by the manufacturer https://www.merriam-webster.com/dictionary/gray%20market

Investopedia: A grey market is a market in which goods have been manufactured by or with the consent of the brand owner but are sold outside of the brand owner's approved distribution channels—an activity that can be perfectly legal. In the securities markets, a grey market is a market wherein a company's shares are traded before they are issued in an initial public offering (IPO). https://www.investopedia.com/terms/g/greymarket.asp

Wikipedia: A grey or gray market (sometimes confused with the similar term "parallel market")[1][2] refers to the trade of a commodity through distribution channels that are not authorized by the original manufacturer or trade mark proprietor. Grey market products (grey goods) are products traded outside the authorized manufacturer's channel. https://en.wikipedia.org/wiki/Grey_market

Conclusion: Grey market seems to be the correct term.

The question is not "Does the term grey market have a meaning?" the question posed was "Is the use of the term perpetuating an unhealthy view of commerce to advantage manufacturers?".

After you've been sold a product, the manufacturer has no authority on how you use it or where you resell it. Since the manufacturer doesn't have this authority, you can't be legally circumventing authorized channels when reselling it.

There is nothing "gray" about second hand.

I concur. If I bought a camera lens in New York and it came with a Malaysian manual and a warranty that's not valid in the US, but it's a genuine Canon lens, that's gray market.

But if I buy a similar lens from the camera shop down the street, and it was originally sold in the US and the warranty is still valid in the US etc, it's a USED lens or a second-hand lens, but there's nothing gray-market about it.

I think you're spot-on here; sources quoted in the article are misusing the term gray-market to simply refer to second-hand parts, which are something completely different. They want to make pre-owned parts sound just as shady, but they're not -- the first-sale doctrine would like a word.

> but it's a genuine Canon lens

How do you know this? More to the point, how does an amateur buying their first lens ever know this?

My friends and I used to buy surprisingly good deal products on Craigslist and see how long it took to determine if they were fakes or broken. It was always one or the other.

I've found a reputable local shop that I trust. In addition to a lot of new stuff, they sell used gear (possibly on consignment?), which means they've got some experts who'll do valuation on it. They have a largely professional clientele and a reputation to uphold, so I think they're trustworthy.

I'm sure I could take a lens to them and have it checked out for a few bucks, or have them broker a sale between me and another private party. Knowing what I'm getting has its own value, and I'm not opposed to paying someone for their time and expertise.

tl;dr: I don't, personally, know that. I trust someone else to know that.

So it sounds like we agree then; the second hand market can be quite dodgy and you need expert help to be sure you're not being ripped off.

> After you've been sold a product, the manufacturer has no authority on how you use it or where you resell it.

Unfortunately, this idea is not as settled as you make it sound (around the world). Even in the US, it still pops up - in 2019 SCOTUS heard a case on cheap imported college text books.

Additionally, manufacturers have latitude on who they sell to, and to sign contracts with those intermediaries.

The use and definition of the term is completely descriptive and accurate. You are projecting some normativity and negativity towards a good descriptive term.

To show how absurd this subjective projected pejorativity is, let's apply it to 'second hand':

>The question is not "Does the term second hand market have a meaning?" the question posed was "Is the use of the term perpetuating an unhealthy view of commerce to advantage manufacturers?".

>There is nothing "second" about selling used products.

"second" is descriptive.

"gray" sounds like it's questionably legal and halfway to "black market". The negativity is definitely part of the term, not imagined.

Is the product I'm buying a genuine product or a rip-off with the same logo on the outside?

Has something been done to it to void the warranty?

Is this a cheaply done "refurbished" version which will die in 3 months?

Is it stolen?

Seems pretty gray to me.

Grey markets might not be a real, standalone market, but they do describe real side-effects of a non-conventional supply chain.

Take grey market cameras. They're often bought as kits from Asian markets, broken up into lenses and camera bodies and sold on "as new" in western markets but with no support direct from e.g. Nikon if it goes wrong. Warranty support is from the reseller only. They may ship your unit back to China for support, or repair/replace it at their cost.

So no, these are important differences for customers to recognise. Let's keep using it.

> they do describe real side-effects of a non-conventional supply chain.

That's just the thing: they don't. There is nothing unconventional about suppliers acting as middlemen and setting their own price. To pretend this is a problem is unconventional and anti-consumer.

No, that's not fair. Most of the products that get imported this way also have local service centres that fulfil warranty claims. The labour is more expensive and often part of a different regional company than the importer or manufacturer.

I wouldn't import a Ford truck from the US and expect a local Ford garage to meet its warranty obligations here in the UK.

There are extraordinary things to consider for the consumer. A label like "grey market" helps. It's not a slight. It's just quicker and easier than saying "this was imported from a distribution channel in another country and will only be serviced in that country".

>Manufacturers push the term "gray market" to imply that resold goods are somehow bad [...] The term "gray market" is linguistic manipulation to benefit manufacturers at the expense of customers, society, and the environment. Let's stop using the term.

From my experience reading manufacturers' warnings[1] about this, they never use the phrase "gray market" because a lot of consumers don't understand what that terminology means. It's more that the dealers/retailers and some savvy consumers use the phrase "grey market".

There is a category of _new_ (not used) products that have the following attributes:

- sold by unauthorized dealer : i.e. no contractual relationship with the original manufacturer to buy from them and then resell the item

- sold without a manufacturer's warranty : any warranty must be honored by the unauthorized reseller or some other 3rd party or comes with no warranty at all

So instead of the cumbersome long-winded hyphenated term of "unauthorized-retailer-and-no-manufacturer-warranty market", the industry just shortens it to "gray market". It's a useful label of what the product is. You're right, it's not unlawful or unethical to sell unauthorized/unwarranted merchandise as long as you inform the customers.

E.g. most of the luxury watches sold on amazon.com (Cartier, Rolex, etc) are "gray market" because they don't come with a manufacturer's warranty. If you buy a Cartier watch from Amazon[2] to save money and it's broken and needs repair, you can't take it into a Cartier retailer at the mall to have them fix it. There's nothing wrong with it as long as customers understand the tradeoffs of lower price vs service convenience. Even though the watches are genuine instead of counterfeit, they don't come with manufacturer's documentation to get factory-authorized service.

[1] one example of a manufacturer warning about "gray market" without ever using that terminology: https://usa.yamaha.com/support/unauthorized_sellers/index.ht...

[2] https://www.amazon.com/s?k=cartier+ladies+watch&s=price-desc...

In places with decent consumer protection laws (like California), manufacturers must honor warranties regardless of who you bought the product from.

The term "unauthorized dealer" is another word to stop using. In a free market, everyone is authorized to buy & sell every safe product at all times.

>In places with decent consumer protection laws (like California), manufacturers must honor warranties regardless of who you bought the product from.

This is incorrect, and you're unintentionally spreading misinformation. California law specifically uses the term "grey market" and manufacturers do not have to honor warranties of products purchased through unauthorized channels as long as it is disclosed to the consumer. See the actual text of the law: http://leginfo.legislature.ca.gov/faces/codes_displayText.xh....

>The term "unauthorized dealer" is another word to stop using.

I think you're too focused on words instead of the underlying behavior. Even if we outlawed the phrase "unauthorized", you still have the reality of manufacturers refusing to enter wholesaler contracts with any dealer. You'd still need an alternative word to describe a dealer that sells products without a contract to purchase directly from the manufacturer. Whether we use a cumbersome multi-hyphenated phrase or come up with alternative jargon to avoid the word "unauthorized" ... the reality still remains that manufacturers will not enter into buy/sell contracts with every dealer.

Some savvy and sophisticated consumers will want to know if dealer X doesn't have a direct relationship with the manufacturer as part of the purchasing decision. You don't like the word "unauthorized". Ok, that's fine. But what alternative label do you propose for that non-existent relationship?

That law explains how an item that was not originally sold in the US can have no US warranty at all, for anyone.

So the claim that "manufacturers must honor warranties regardless of who you bought the product from" is still true. If it ever had a US warranty, that warranty will not be invalidated by any selling or reselling.

>That law explains how an item that was not originally sold in the US can have no US warranty at all, for anyone.

The law is not about what wasn't originally sold in the USA. Instead, it specifically defines "grey market" imports and the whole purpose of the following text is for resellers to disclose the product's grey market status to inform the buyer. The California law does allow for resellers to "hide" the grey market status only if the reseller (not the manufacturer) has a "reseller warranty" equal to or better than the manufacturer's warranty.

>So the claim that "manufacturers must honor warranties regardless of who you bought the product from" is still true.

No it isn't. Please read section 1797.81 again carefully. Read the actual text excerpt:

"1797.81 (a)(1) The item is not covered by a manufacturer’s express written warranty valid in the United States "

I.e. You can't buy Nikon/Canon grey market cameras or Cartier grey market watches in California and force the manufacturers to honor the warranty. California law does not force this.

>If it ever had a US warranty, that warranty will not be invalidated by any selling or reselling.

You're inadvertently trying to say something else here but it's missing a word. I will correct your statement to be: "If it ever had a [VALID] US warranty, that warranty will not be invalidated by any selling or reselling."

The "grey market" products such as cameras/pianos/watches through side channels never had a valid US warranty in the first place.

>But the "grey market" that we're talking about with AMD processors [...] You're using a much narrower definition that doesn't fit this entire conversation.

I thought mleonhard was making a general statement about "grey market" outside of these specific AMD chips.

> The law is not about what wasn't originally sold in the USA. Instead, it's specifically defines "grey market" imports and the whole purpose of the following text is for resellers to disclose the product's grey market status to inform the buyer.

That's what I'm trying to say. This law only applies when there are distributors or other parties that were sold the product outside the US and import it into the US.

> Read the actual text excerpt: "1797.81 (a)(1) The item is not covered by a manufacturer’s express written warranty valid in the United States "

That text excerpt says that if a product meets that criteria, it must have a label stating so. It doesn't say when that happens. "Every retail seller who offers grey market goods for sale shall post a conspicuous sign at the product’s point of display and affix to the product or its package a conspicuous ticket, label, or tag disclosing any or all of the following, whichever is applicable"

> You're inadvertently trying to say something else here but it's missing a word. I will correct your statement to be: "If it ever had a [VALID] US warranty, that warranty will not be invalidated by any selling or reselling."

Okay, I guess? I would say that an "invalid warranty" is not in fact a warranty, so the use of the word "valid" is redundant. But pretend I said "valid" if you want.

> The "grey market" products such as cameras/pianos/watches through side channels never had a valid US warranty in the first place.

But the "grey market" that we're talking about with AMD processors is largely composed of products that were sold in the US, with a valid US warranty, that are now being sold off later. You're using a much narrower definition that doesn't fit this entire conversation.

Thanks for putting in the effort to check my comment.

I'm not a lawyer. I read through the rest of the California consumer warranty laws and some of the Uniform Commercial Code which California also uses. A warranty goes with a product. It does not matter which company sold the product. A manufacturer cannot refuse to honor a warranty just because it doesn't like the reseller who issued the receipt.

The California law you linked applies to products that were originally sold outside USA. International trade is complicated. That law tries to protect buyers from confusing different products that have the same name. It has an important caveat at the top:

"(1) The item is not covered by a manufacturer’s express written warranty valid in the United States (however, any implied warranty provided by law still exists)."

Implied warranties are made by law. Express warranties are made by manufacturers & resellers and provided in writing to buyers. Even if a foreign-purchased product is sold in the USA with no US express warranty, it still has implied warranties.

New goods have implied warranty periods of at least 60 days. Products without express warranties have implied warranties of 1 year. https://leginfo.legislature.ca.gov/faces/codes_displaySectio...

Used goods have implied warranty periods of at least 30 days: http://leginfo.legislature.ca.gov/faces/codes_displaySection...

And the other protections apply. For example, manufacturers/resellers must provide technical documentation for repairing electronic products (>$99) for 7 years from date of manufacture: http://leginfo.legislature.ca.gov/faces/codes_displaySection...

>The California law you linked applies to products that were originally sold outside USA.

Neither section "1797.8. (a)" nor section "1797.81. (a)(1)" talks about products "originally sold outside the USA".

The law talks about _imports_ and not what was _sold_in_foreign_country_. The law then further defines that some imports are considered "grey market".

Using the phrase "originally sold outside the USA" that's not even there in the text of the law is copying the same mistake that Dylan16807 made.

>A manufacturer cannot refuse to honor a warranty just because it doesn't like the reseller who issued the receipt.

I'm not sure why you believe this? I can't find any court case that forces a manufacturer to honor a warranty when it is purchased from unauthorized resellers.

>Implied warranties are made by law. [...], it still has implied warranties.

Both UCC and California law allow for manufacturers and sellers to disclaim implied warranties. Search for the word "disclaim" in the actual California law text: https://leginfo.legislature.ca.gov/faces/codes_displayText.x....


(I'm sure everyone has seen that verbiage before but never really paid attention to it because what most people care about is the manufacturer's warranty.)

How do you presume this grey market distributor got ownership of the item outside the US if it wasn't sold to them outside the US?

Generally this is a reference related to channel partners, who are usually contractually restricted from selling used products or selling new products to other companies that intend to resell the product. For end customers, it is fine, except that enrolling in a new support contract from the manufacturer may have conditions or not be possible.

Isn't buying goods to resell them just called retail?

Enabling retail is a massive part of U.S. property and commercial law, this is how Blockbuster was able to do business.

So this basically seems like the AMD equivalent of Intel Boot Guard, except that the keyfusing seems to be done on the CPU, not the PCH.

What I'm hearing here is that Dell, HP, etc. are designing their firmware to keyfuse any unfused CPU it sees to their firmware automatically, silently, and without any prompting whatsoever. And that AMD apparently has no problem with this.

In no way, shape or form is this a reasonable design. A boot prompt before basically quasi-destroying (for many purposes) a CPU would be the only reasonable thing to do. "This operation is irreversible and will render the CPU unusable in other machines", etc.

I'm wondering if Dell etc. could be sued for this.

>Outside of x86, IBM POWER10 is making a push for enhanced security, so they will need to have a silicon root of trust to enable their security feature set.

If this were true, this would make POWER10 dead-on-arrival in terms of being something Raptor is willing to ship. Comments made by Raptor don't suggest this and suggest they will be able to ship POWER10 eventually, so it doesn't seem likely.

Keyfusing is an excessively brittle technology, can't support key rollover (you're stuck with one key forever, or at best can change it only a couple of times, depending on the size of OTP), and is basically unusable for owner controlled (not vendor controlled) secure boot.

Having such a prompt doesn't really alleviate any of the concerns in this article. I still have to worry about that when buying a second hand CPU, except now I'm even less sure, because sure the CPU came out of a Dell, but maybe the owner never fused it.

If the CPU doesn't perform as advertised you can always return it. The only hope here may be putting enough pressure on Dell and whoever else to make their components worthless on the second hand market.

I've been involved in more than one purchasing decision where the ability to resell the parts was factored into the sticker price.

Well, if the CPU has worked fine for ages but stops working after trying it out in (say) a new Dell server... then the CPU isn't really "returnable" as the Dell server is the one that broke it. :(

> If the CPU doesn't perform as advertised you can always return it.

For second-hand CPUs? Not likely.

Nope, very likely. In Kansas at least it is explicitly impossible to disclaim an implied warranty or suitability for a particular purpose. Most other states are actually de facto the same -- how can you sell something without it addressing some need of the purchaser?

If it doesn't fulfill that need, even second hand, you can get your money back.

Ali Express doesn't care about your local laws. Neither does Craigslist, nor eBay. If you're buying a Dell from Dell, then sure, but that's never been the problem anyway.

If someone sells to you they must operate under your state's laws. You can easily bring suit against them in small claims or real court, but you probably won't even need to do that as you can just get a chargeback.

What you are suggesting is absurd. Craigslist, Ebay, Paypal, and the people selling using those platforms are above the law?

I can see how you'd think that if you'd never tried to do any of these things, but in reality there's what the law says and then there's what you can actually get the law to do. Those are sometimes very, very different things. This is one of those times.

It sounds like you might not be familiar with any of the platforms in question. But no, you can't do either of those things to the kinds of people who deliberately sell defective parts on ebay and Craigslist. Or at least, you won't once you figure out what's actually involved.

I would say beside as opposed to above, but it sums to the same thing.

What does that mean for the open source software I release with no implied warranty? Do I need to forbid residents of Kansas from using my software?

Are as-is used car sales illegal in that state?

Manufacturers could also use this to segment their product lines, i.e. prevent you from running a 'server' CPU in a workstation by using different keys or only use different keys for a 'value' line of products.

They already do this by binning and different sockets; for the CPU manufacturers themselves I think this problem is already solved.

Regarding Raptor...


Were there ever any updates to that rather pessimistic blog post?

It makes me wonder if you have a case for demanding a new CPU from Dell, et al, if you unknowingly put a CPU on one of their boards. You do, as far as I can tell.

The "this is for security" argument would make sense if they only locked CPUs that were sold by the vendor together with the motherboard, or if they had an action that an administrator could affirmatively take to lock the CPU.

But automatically, permanently "poisoning" any CPU that's inserted into the socket after a single boot? That sounds like it's being done for economic reasons.

They want to turn the used CPU market into a sketchball market for lemons so that everyone is so scared that they only buy board+CPU combos directly from the vendor rather than trying to save a few pennies here and there.

I don't know, when you think about what makes it easier (cheaper) for the vendor, this way they just have to assemble the CPUs into the motherboards and ship the systems like they always have.

I can't see that the market for enterprise systems is heavily affected by grey market CPUs. Their customers are by and large buying these systems built & configured, and racking them up as they come.

It'd be nice if there was a jumper you could set on the motherboard to stop it claiming a CPU though (maybe there even is?).

My understanding was that you can put this in any other motherboard with the same signing key. Presuming the intent here is that every single machine would have to have a different signing key. If this was the case, then yes, security seems to be the reason.

However, and I may have misunderstood this so please do correct me if I have, based on the article, it seems for certain vendors, they share the same signing key with multiple machines (presuming whole lines), in which case this certainly seems to be about vendor lock-in from the vendor side.

It's not really vendor locking by design. It locks to a signing key. That key COULD be shared between vendors or even a single vendor could have multiple incompatible keys.

It provides a mechanism to prove the entire boot process hasn't been tampered with, but I wish AMD provided a way to run these fused processors in a generic way without the security chain, with it just reporting that there isn't a secure root of trust. However I assume they are afraid of that allowing malicious code to fool deeper parts of the system without the system administrator knowing.

So good for security, but bad for e-waste and second hand sales.

>So good for security, but bad for e-waste and second hand sales

I concur, but it's true for even consumer devices like smartphones. Once the software updates stop, if security is the key then the devices are e-waste. Many times, I wish there was an international law which forces manufacturers to unlock their device when they stop pushing software updates to their device, so that alternate firmware can be installed. Of course this is just wishful thinking; even those who abandoned their smartphone segment entirely (MS) didn't do this. So why would those who run a profitable business out of planned obsolescence do it?

The law doesn’t need to be international, only one large enough market needs to do it. The market has to matter enough that the manufacturers won’t just say “screw them” and pull out of it. Then the mechanics are there and everyone benefits even those who live where there is no such law.

Manufacturers already sell unlockable/non-unlockable devices per-market. Not having this be international means they’ll just lock the device where they can.

It almost seems that a law like that would be something out of a sci-fi or cyberpunk universe.

We live in a cyberpunk universe. The only thing it got wrong was the aesthetic.

Instead of grunge everything is covered in RGB LEDs. Literally almost everyone my age has RGB LEDs everywhere. All over their rooms and not to mention keyboards.

Bright neon-colored lighting is a big part of the cyberpunk aesthetic.

Marginalised people living among e-waste in every Cyberpunk universe is already true anyways.

The UK is currently taking steps towards this - the plans aren't perfect, but will require "security updates until" dates, no default or symmetrically derived passwords, and a vulnerability disclosure programme to be available.

It doesn't go as far as to force unlocking, but requiring transparent disclosure of a commitment to security update longevity (like Chromebooks and Pixel phones have) is probably the first step along the road to that.

You can get a pretty good idea of how long security updates will be provided already, so does that help almost ever? Like, great, now Motorola has an official promise to do security updates for 15 months post-launch. If they decide to release a permanently locked phone, the consumer's still getting screwed just as much.

Basically, "doesn't go as far as" sounds like a massive understatement.

>So good for security

This is entirely debatable. This is essentially Boot Guard for socketed CPUs, similar to how most laptops behave. For one, it makes fixing the crap that Dell and their contractors write impossible. You cannot replace the BIOS with coreboot.

For all these features that require blessings, I really liked apple's use of the term notarised. Everyone should call these notarisation features rather than security ones. It's as boring and useless as going to a notary, if you have ever done that.

Notarization is good. Intel calls enclave signing “attestation”, which is clear to me.

Why couldn't they have put the key in user-resettable memory which erases the disk encryption key when cleared, like with TPMs for example? It was a poor design to even allow it to be used this way.

Booting from disk is the BIOS's job. The whole point is to guard against a compromised motherboard.

If the CPU prevents the disk from ever being unlocked, there's nothing to compromise by controlling the motherboard.

This method prevents the user from trying to recover with a backed up encryption key, or booting live media. Instead it makes it clear that this motherboard is compromised and cannot be safely used.

And in the current model, what prevents the user from assuming the processor is dead and replacing it with an unlocked one (which will then presumably become permanently locked to the compromised motherboard)?

If you care about this specific attack scenario then make sure you check the keys with a management tool or something. It's not necessary to make the chip unusable for almost every aftermarket user just to make it a little bit clearer that a compromise has happened in that rare case.

Fair point. Though in many large environments the number of people with access to the IPMI console is greater than the number of people with physical access who can swap out a CPU.

I'm just trying to speculate what might be driving demand for this type of feature, since TPMs already exist.

> It's not really vendor locking by design. It locks to a signing key.

I see, so it's basically AMD's implementation of Intel Boot Guard, but on servers instead of laptops. On boot, the CPU verifies the BIOS's signature from its OTP memory and refuses to boot if verification fails.

Theoretically, if you move CPUs between different laptops, you'll find the CPUs are locked to their platform as well, but we don't feel it since they are not replaceable; the only visible effect is that the firmware has been locked and you cannot run coreboot.

And now the same thing is coming to servers and it has a bigger visible effect...

It is designed to destroy the secondhand market, the fact it can be hand waved away as "security" is just the smokescreen.

It could be implemented in a way that preserves the ability to reuse CPUs, but it won't be.

What would such an alternative implementation be?

I guess they could provide a key that works with all the fuses blown, and a utility to blow all of them.

In which case you could easily blow all fuses, sign your malicious firmware with the all-fuses key and you're good to go.

No, this won't work if the user is checking the attestation ability of the firmware or system. A similar exploit already exists by just modifying the firmware and expecting the user to just replace the CPU without checking the BIOS.

Wouldn’t it make more sense to blow the motherboard rather than the CPU? A compromised CPU without anything connected is pretty useless at boot. The motherboard is what’s connected to all the good stuff.

The CPU isn't what's compromised - this is protecting against a compromised motherboard

I think that’s the chicken & egg. If the motherboard was responsible for this, you’re trusting the firmware to validate itself. So this moves the validation a level lower.

It’s an interesting problem. The solution is valid, but it’s unfortunately permanent.

You could have a small ROM firmware validating a larger upgradable firmware.

However, the root of trust is embedded in the CPU. So, you can't hammer the CPU on another board for keys.

Also, we sometimes lose the CPU rather than the board. As the CPUs become more complex, their probability to fail has risen.

> However, the root of trust is embedded in the CPU. So, you can't hammer the CPU on another board for keys.

I guess that's the key point here.

Would be interesting to know whether Dell will use the signing key to unlock the CPU if you ship it to them, or if it's like old motherboards where there is a physical procedure (it was typically to powercycle with a jumper between two pins that shouldn't normally be joined) to reset it, built into the hardware. Seems strange to be able to "brick" a CPU like that.

The article describes the mechanism as programmable fuses; so there is a near-certain chance these are one-time-programmable and can’t be reset. Ever.

(This is fairly normal in cpus. Picture 8 regular fuses. If you read across them, you’ll get 0xff. Now blow the first four fuses and read again. You’ll get 0xf0. Here’s the catch. You can’t “unblow” them. With real fuses, you’d replace them. If they’re inside the cpu, you replace the cpu.)

Fun trivia. The boot loader signing in the raspberry pi works the same way.

> (This is fairly normal in cpus. Picture 8 regular fuses. If you read across them, you’ll get 0xff. Now blow the first four fuses and read again. You’ll get 0xf0. Here’s the catch. You can’t “unblow” them. With real fuses, you’d replace them. If they’re inside the cpu, you replace the cpu.)

this made me think of the pencil trick from the earliest days of socketed athlons. not exactly the same I know.

I’d never heard of the pencil trick before but it’s quite interesting: http://www.ocmelbourne.com/tutorials/PencilTrick/PencilTrick...

The XBox 360 used the same technique for patches to keep you from downgrading the system.

Same for the Nintendo Switch.

Older firmware has exploits, which allow installing Ubuntu, etc. To prevent exploiting, old firmware refuses to boot if the new firmware has ever booted. This is marked by blowing fuses.

Note - there is even a fuse that when blown, prevents other fuses from being blown!

This is what distinguishes a normal iPhone from one that Apple engineers use, as well. If the fuse is blown, as it is in a production device, you can no longer control the boot chain.

Is there a downside to blowing that anti-blow fuse? Can its state be read?

It’s like an EEPROM that holds major version numbers and debug configurations. If the fuse says “major version: 20, allow debug: no, allow unsigned: no” and the updater is for version 17->18, the user is trying to force a downgrade on a production board. Usually the updater refuses to continue and the kernel does the same upon boot. The updater itself is signed and verified, so the checks are supposedly impossible to bypass.

I believe the Xbox 360 one was rewritable while the Switch one is not. They also require higher voltages than the rest of the CPU to write. So modders used to modify the PCB to block writes or tried to write old values. For the Switch they had unrelated non-updatable boot exploits to bypass signature checks for early batches.

Right, but they weren't asking about those normal fuses, they were asking about the special fuse that disables fuse-blowing.

And the simplest answer is that code could check if the fuses are reading out too early a version and abort. Which you could try to patch around but it won't be easy.

Is it even possible to unlock it with the signing key? Saying it's fused implies it's a one time thing, doesn't it?

I had the same initial reaction though. It seems like something that makes more sense as a jumper or something that can be reset by jumper so physical access becomes the requirement.

The only reason I can think of to do it as described is to kill the secondary market or, even worse, to maintain a lifetime licensing requirement on the system. If the signing keys can expire like signing certificates I expect step 2 will be custom signed firmware via a cloud portal where no license means no signing. I hope I'm wrong, but that's likely the endgame here.

TLDR; If the signature on the BIOS can expire, it's more nefarious than it sounds IMO.

You have to use on-die fuses to get most of the security benefit vs someone in customs who has a few hours alone with your server, as jumpers can be trivially modified to look like they are set/unset when they are not.

The header pins can be varnished (or other techniques) so they do not conduct, but they still look normal. To set a pin, 36GA wire between the plastic of the header and the PCB would do the trick. If the adversary had a particularly high budget, they could fabricate and install a header that would even pass inspection by a multi-meter's continuity check by making the outer part of the pins be electrically isolated from the inner, except where it contacts the PCB, where the attacker's choice of conductivity is made.

I don't think anyone has come up with a good way to downgrade the CPU from secure operation to insecure without also creating a way to bypass it for an attacker. The only way I can think of is if there was a revocation of secure mode that put the CPU serial number on a public list, then after a week, the CPU blew a fuse allowing it to boot in insecure mode. It will allow enterprises to be assured that the computers they are sending all over the globe are untampered, but still allow people who don't care to get them second hand and not be stuck with the rest of the computer. The hard part is making sure the CPU can only blow that fuse after it gets an ack that it's been a week. Ideally, there would be some way for the CPU to attest which mode it's running in so secondary audits of the CPU's state can be performed.

I don't think this is supposed to secure against someone with physical access.

If they have physical access and are replacing the BIOS, they could just replace the CPU at the same time with a fresh unlocked one that will lock itself to the replacement's signing key on first boot.

Can these CPUs sign with their key from software? If they can, then that system can not sign with the original key, and it is trivial to catch it.

The key in question is a public key, it's not a secret. The CPU uses it to verify the BIOS, not the other way around.
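To make the mechanism discussed above concrete (the CPU verifies the BIOS signature, fuses the hash of the vendor's public key on the first PSB-enabled boot, and afterwards refuses firmware signed by any other key; fuses can only be blown, never restored), here is an added Go model. It is not AMD's or any OEM's code: the 32-byte fuse bank, the EnablePSB flag standing in for the OEM-controlled setting, and Ed25519 as the signature scheme are assumptions of the model.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FuseBank models on-die one-time-programmable fuses: every bit starts at 1 and
// a blown bit reads 0 forever. There is deliberately no method that sets a bit.
type FuseBank struct{ bits [sha256.Size]byte }

func NewFuseBank() *FuseBank {
	fb := &FuseBank{}
	for i := range fb.bits {
		fb.bits[i] = 0xff // all fuses intact
	}
	return fb
}

// Blow clears every bit that is 0 in pattern; bits already blown stay blown.
func (fb *FuseBank) Blow(pattern [sha256.Size]byte) {
	for i := range fb.bits {
		fb.bits[i] &= pattern[i]
	}
}

// Read returns the current fuse contents (what a management tool would show).
func (fb *FuseBank) Read() [sha256.Size]byte { return fb.bits }

// Programmed reports whether any fuse differs from the factory-fresh state.
func (fb *FuseBank) Programmed() bool { return fb.bits != NewFuseBank().bits }

// Firmware is a BIOS image with the OEM's public key and signature. EnablePSB is an
// assumed stand-in for the OEM-controlled setting that turns the lock on (AMD ships CPUs unlocked).
type Firmware struct {
	Image     []byte
	PubKey    ed25519.PublicKey
	Sig       []byte
	EnablePSB bool
}

// GenerateVendorKey makes a fresh OEM signing key (constructed for the demo).
func GenerateVendorKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// SignFirmware produces an image signed with the vendor's private key.
func SignFirmware(priv ed25519.PrivateKey, image []byte, enablePSB bool) Firmware {
	return Firmware{Image: image, PubKey: priv.Public().(ed25519.PublicKey),
		Sig: ed25519.Sign(priv, image), EnablePSB: enablePSB}
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify")
	ErrWrongVendor  = errors.New("firmware signed by a key other than the fused one")
)

// CPU holds the fuse bank. On the first boot of PSB-enabled firmware the SHA-256 of
// the vendor's public key is fused in; afterwards only that vendor's firmware boots.
type CPU struct{ Fuses *FuseBank }

func NewCPU() *CPU { return &CPU{Fuses: NewFuseBank()} }

// Locked reports whether the CPU has been bound to a vendor key.
func (c *CPU) Locked() bool { return c.Fuses.Programmed() }

// Boot returns nil when the CPU would run fw, otherwise the reason it refuses.
func (c *CPU) Boot(fw Firmware) error {
	if !c.Locked() && !fw.EnablePSB {
		return nil // unlocked CPU and no lock requested: boots like any CPU
	}
	if len(fw.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(fw.PubKey, fw.Image, fw.Sig) {
		return ErrBadSignature // modified image, or no valid signature at all
	}
	keyHash := sha256.Sum256(fw.PubKey)
	if !c.Locked() {
		c.Fuses.Blow(keyHash) // irreversible: the key hash is now in the fuses
		return nil
	}
	if !bytes.Equal(c.Fuses.bits[:], keyHash[:]) {
		return ErrWrongVendor // e.g. a CPU pulled from vendor A's board, now on vendor B's
	}
	return nil
}

func main() {
	vendorA, vendorB := GenerateVendorKey(), GenerateVendorKey()
	cpu := NewCPU()
	fmt.Println("vendor A, PSB on:", cpu.Boot(SignFirmware(vendorA, []byte("bios-a-v1"), true)), "locked:", cpu.Locked())
	fmt.Println("vendor B on the same CPU:", cpu.Boot(SignFirmware(vendorB, []byte("bios-b-v1"), true)))
}
```

Note that the fused value is a hash of a public key, so reading the fuses back tells you which vendor the CPU is bound to but yields nothing secret.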

That makes a lot of sense. I was really only considering things like persistent malware that flashes the BIOS. I still think it'll get abused eventually to devalue the second hand market, but I can see the appeal security wise.

Is there any guarantee each vendor will only ever use one signing key? Or might we have problems swapping from one Dell to another Dell, for example?

I would imagine they'd have to use new ones every once in a while.

What I am most worried about is a vendor's key becoming compromised (whether cracked or stolen), which means that a revocation mechanism is missing.

Even with revocation implemented, such equipment would be rendered useless (I imagine vendor would have to cover for replacements).

Discussed later in the video. But this is possible which adds another layer of complexity if one tries to track pulls.

If I put a CPU in a server (Dell, HP, whatever), and that CPU then doesn't function in other equipment, then that CPU is broken. That's not an exaggeration in any way.

So, the server maker then owes me a new cpu (of the same model obviously) that does work.

It'll be interesting to see the legal fallout from this, as purposely breaking customer owned gear is not going to end well.

While shitty, if this required pre-programmed OEM CPUs it would be one thing - but knowing I could put a several thousand dollar boxed CPU into a branded motherboard and have it perpetually locked to that OEM is horrible.

Quite frankly this should be an optional security feature I can flip off with a physical switch on the board - go show an alert on the BMC for all I care, but as is this is total bullshit.

> It'll be interesting to see the legal fallout from this, as purposely breaking customer owned gear is not going to end well.

IANAL; I wonder if this would be grounds for a class-action lawsuit in the future. Something like suing the motherboard manufacturers to replace every CPU their boards have broken by this method.

Good luck collecting on the new CPU they owe you

Australian Consumer Law would make Dell liable for damages if anyone bought a computer from them that damaged a CPU by design. I don't even think that having a warning attached would be a sufficient shield, because it's impossible to 100% guarantee that an end user fully comprehends the consequences of a computer that is designed to permanently alter how their CPU functions.

AMD created this feature, so why not complain to them?

While reaching out directly to the company is definitely a strong way to express disagreement, I almost guarantee that someone from AMD PR will be reading through comments on tech community posts like these.

Expressing discontent in an open forum can catalyse a much larger reaction that PR depts will pay much more attention to compared to a few angry emails or twitter DMs.

No one owes you anything if the CPU functions exactly as advertised.

If you don't want a platform-secured CPU, don't buy one.

Nobody advertises irreparable damage. This testing lab found out the hard way and then had to follow up with the vendors to get an explanation.

This entirely depends on an individual's perspective.

As Chris mentioned, this is exactly what Big Corp™ wants. They'll be the ones buying it too, and would likely pay extra for such a feature. They're the target market for these vendors.

Thus, sure, for those looking to buy second hand, this is indeed advertising irreparable damage. But for Big Corp™, this is advertising security (in my opinion quite rightly so), and ensuring their data isn't stolen.

And what happens when old hardware is resold? How can anyone trust any future ex-corp hardware?

Well you don't. But corporations don't really care about that as much as they care about their data.

Admittedly it feels like AMD could have created something that allows the chip to be reset providing you have the original signing keys.

They should at least disclose to all prospective buyers that a current chip cannot be reset, and how to tell which firmware CA it's stuck on.

> If you don't want a platform-secured CPU, don't buy one.

...the problem is what happens when you buy an unlocked CPU.

It becomes a problem when there's a monopoly or a duopoly of suppliers and there are no suitable alternatives on the market with similar performance characteristics. I believe then the FTC can get involved with antitrust matters if they are abusing their dominant position to prevent reuse/recycling.

AMD has barely 10% server market share, if anything that just shows that Intel is the monopoly.

I am beyond sick of this "security" justification being used for everything. At the end of the day, the only thing really being secured are the greedy vendor's profits.

With a criminal penalty via the DMCA for bypassing it, because encryption is involved. That's why I'm so angry and want companies employing such encryption to be prevented from doing so or face prosecution.

So if I wanted to modify my car to unlock performance that's usually OK and certainly has been considered moral for decades. But if I wanted to unlock a core in my Ryzen CPU, or just hardware hack my GPU (Radeon Vega and above) to make it do neat tricks, I now technically risk a FELONY because of the PSP encryption and the DMCA - even though I want nothing to do with cracking copy protection. That is enough to have a chilling effect and prevent neat stuff from being released.

AMD have gone as far as signing the BIOS* on their recent GPUs, so tweaking it may be technically illegal (assuming you could crack the signature, though)!

This is unprecedented, nobody ever risked a potential felony for wanting to look inside their car to see how it works, or modifying their household appliances.

We need to get together (on Twitter and other social media) to fight this and let consumers know what is happening, because if people did, especially the more technically minded enthusiasts/gamers, that would put pressure on AMD and others to stop.

Specifically for gamers, let them know it's likely a FELONY to unlock a core in their Ryzen CPU or Radeon GPU due to PSP crypto. Just as with the ink cartridge recyclers who have been prosecuted for breaking cartridge chip security.

* = Radeon Vega and later GPUs have a Cortex-A5 PSP which runs autonomously, executing the Trustonic TEE from the SPI BIOS chip at boot, once the signature has been verified. Yes a whole DRM operating system running on the GPU - if you want to see for yourself, take a Radeon Vega or later BIOS and run binwalk -e to extract the compressed TEE.

And this doesn't solve the issue with PSP either. So not much actual progress with security. We need CPUs which do not contain black boxes and allow us to use open source (auditable) firmware (UEFI BIOS).

There are some realistic benefits. If my phone gets stolen, there is no way for it to be wiped and reused without my input. And if it makes it back to me, it is extremely unlikely that it has been loaded with malware which will send off my data when I log in again.

But yes, it's really shitty how the downsides end up with the loss of user control and e-waste. Especially when it is possible to design something that is secure and that the user controls.

Really? What phone do you have? A decent number of the recent iPhones have a bootloader exploit now. So there’s no security, just a lot of bitchy software.

Mine is newer than that exploit so no. But also a flaw in the implementation doesn't invalidate the reason for implementing it in the first place. Anti theft features on android and ios have likely saved hundreds of thousands of phones from being stolen, if not millions.

But how often does a server get stolen from a data center?

It surely makes sense for phones as it makes it less profitable to steal them (as you could only sell parts of the phone and even that can be blocked). Maybe even for laptops but not for desktops and servers.

They’re not worried about stolen servers, they’re worried about flashing malware to the motherboard (possibly without physical intervention)

At least one attack they're trying to mitigate is firmware attacks on systems being shipped to the data center.

Well, the market is free for someone to offer a processor that doesn't care about "security" (whether it is or isn't the excuse you deem it to be), and we could see if that offering is successful. Maybe there's a new role for something like that. Cursing the situation won't do any good.

You mean that's going to surely happen, because the server CPU market has traditionally been easy to enter due to low R&D costs, steady availability of qualified engineers, cheap manufacturing equipment and customers eager to adopt unknown brands? /s

Well then, maybe you have to live with some inconveniences and higher costs than you would like, because of the natural market dynamics?

You pointed out all those factors to say that they're reasons why CPU OEMs should be able to make all your dreams about price, quality, speed, open hardware come true?

It was about the market being difficult to enter. If you disagree, prove me wrong: I hereby pledge to buy one CPU (needs to be a custom design) + mainboard designed and manufactured by supernova87a, and am willing to pay 800 US$, due 3m after delivery, conditional: It runs my Linux & Windows software like a, and performs at least equally or better than a, then-new system costing up to 400US$ (for cpu+mb, so today something like a Ryzen 1600). This agreement expires on 1.1.2025 0:00 UTC. Your call, do you agree? - Edit, also for balancing reasons: What do I get from you if you fail?

(Since I know you're not getting a x86 license that's an easy call for me - I know for sure you're unable to tap into that market)

how about 800 million dollars US, it will be the same result.

You're right, but: In the unlikely case a random person on the internet succeeds (who knows what happens in the next 5 years, or who s/he is?), I am out of 800US$. For something that I think is a good idea. In case of 800m US$, well, I'm a little bit embarrassed to admit that I can't afford that right now ;-)

Yeah, just if you don't like a monopoly on a critical resource, it's your fault for buying it.

Makes perfect sense.

These kinds of DRM-like 'security' features started being implemented first with phones and consoles and have since spread throughout the entire industry like a cancer.

Many of the features of the AMD PSP could be implemented as hardwired logic, no need for a CPU for that. And thus no chance of malware being able to run undiscovered.

It's like Orwellian doublespeak, in fact the Platform Security Processor might well be making the entire system less secure. Because we cannot inspect the content of the eFuse ROM how do we know if a state level adversary has placed code in there to weaken the system security?

Note: On the nVidia Tegra platform the eFuse ROM can contain executable code to patch the boot-up process, as Nintendo has done with the Switch console. It's likely that AMD has such similar functionality.

So the PSP could be cracked, and then CPUs can be eFused with malware before shipping the server, and nobody would know that there's an easily exploitable vulnerability now present.

I guess one of the real purposes of the PSP is to protect AMD's security and prevent the user from unlocking disabled cores, boosting clock frequencies, retrieving HDCP keys, etc. on both CPUs and GPUs. So it's partly to prevent the owner from doing what they want with the hardware.

AMD should realize they are tarnishing their own brand reputation with the inclusion of the PSP and the recent CPU lockdown.

Even though it's a server CPU that's affected by the lockdown, stories like this are definitely not well received by the enthusiast and gamer communities and draw attention to such anti-features like the PSP. Knowing that there's a special processor inside the CPU specifically designed to prevent you from unlocking cores, etc. would NOT be good PR for AMD at all. I am using a Ryzen system right now and I regret buying it, I wish I went with Intel instead. At least the management engine has been cracked, unlike AMD's AFAIK.

It's about time we looked into a legal response to this behavior, just as with John Deere farm equipment, it will likely not stop unless fines are imposed or some kind of consumer boycott occurs.

Regarding the CPU lockdown, even Intel wouldn't do such a thing. Surely isn't it anti-competitive to lock the CPU to a specific system in this way? What would the EU think about this regarding e-waste and recycling? And I believe in Australia the ACCC would crack down very hard on such shenanigans?

AMD, you removed the TrueAudio block from your older Radeon GPUs, couldn't you cut the PSP and implement some of its functionality using logic instead of a CPU? So the first thing to boot will be an x86 core, as it did in the old days. A physical jumper can be used to disable the security functions and remote attestation (to a server on the LAN) can be used to determine if CPUs are running in secure mode or not? Thus satisfying the needs of corporate users?

Removing the PSP will eliminate the negative PR it creates together with the associated security risk of having a secret part of the CPU where malware can hide.

On GPUs HDCP functionality can be implemented with ROM-based microcontrollers as it was on older hardware?

In many jurisdictions the product has to be 'fit for purpose', should the PSP be cracked and a hacker able to use it to assist malware wouldn't that make AMD's product not fit for purpose???

How many exploits/breaches in the wild due to open s3 bucket, default admin passwd to database, poorly written webshit code, plaintext password, etc. ? And how many prevented by secure boot, boot guard, memory encryption, ME, PSP etc. ? Other than obvious money reasons for Dell, people seem to be vastly overestimating their threat models. And even for the secure chain of trust, there are ways to do so where the owner has the key, not the vendor. See heads for example.

Or, those scenarios just don't make the news as frequently as script kiddie stuff. We only learned about what the NSA has been up to because Snowden happened.

If I want to protect against the NSA I'm worried about them using Intel ME, AMD PSP and other black boxes to hack me. I don't worry that much about them sneaking into my data center or house and physically changing my hardware.

The security you lose from having a black box in your CPU is much greater than the security you win by virtue of being (theoretically) protected against unsigned bootloaders and rogue hardware.

I merely provided NSA as an example of how advanced attack vectors might go unnoticed for decades.

This is the opposite lesson to take away from Snowden's revelations. You want more user control, not less.

I agree. I’m just saying that news may not be the best indicator of how common an attack vector is.

Although a PSP flaw is very unlikely to harm an individual user, it puts the US and its intellectual property at risk from foreign actors such as Russia or China. And many engineering firms do not have the resources of the NSA to protect against such threats.

Additionally, a PSP or Intel ME related hack involving a SCADA system would not be discovered until it's too late, with potentially extremely severe consequences. AMD is advertising the processor as being a security device that is intended to enhance system security. If such a SCADA hack involving the PSP was to result in loss of life for example, what would AMD's liability be in such circumstances, where the 'security device' itself has enabled the system to be hacked in the first place? Taking into account that the 'security device' cannot be disabled by the SCADA operator, so they have no choice but to use it.

That is why I believe the PSP and ME should be removed completely. Should that not be possible it should be replaced with a processor that is transparent to its internal operation.

This is bullshit. Unless it clearly says at boot 'continuing will permanently prevent your CPU from being used in a non Dell computer y/n?' they are asking for a lawsuit for damaging hardware

In fact Australian Consumer Law flat out holds them liable for costs due to problems a seller could have reasonably foreseen

Do consumer laws apply to businesses in Australia? Because afaik, in the EU regretfully a lot of laws that protect consumers against abuse from vendors, do not apply to B2B/enterprise transactions.

On the other hand, there have been people who have warned about the dangers of CPU vendors putting Management Engines in their products, which are outside of the control of end users (by design). One of those concerns was the ability to rig sales or even kill off second hand markets altogether. Apparently, this has already become a reality now.

I'm not surprised it's sold as a security feature, just as terrorism and child pornography have been magic words in other fields. But at the end of the day, vendors stand to substantially increase their control on sales and with it their profits, with features that may only be significant in edge cases. That smells a lot like an antitrust issue to me. That all vendors are likely to try to move in this same direction, as an opportunity to make more profit, doesn't make it any less devious. All the more reason for antitrust investigators to start looking into this.

> Do consumer laws apply to businesses in Australia? Because afaik, in the EU regretfully a lot of laws that protect consumers against abuse from vendors, do not apply to B2B/enterprise transactions.

Yes. Consumer protections apply to everyone. Within Australia, those protections are considered the "bare minimum" that must be implemented by every business, across the board.

Certain industries have other protections they must implement atop of those.

If that's true, and I have to admit that's a big surprise for me, then I'm glad to hear that. At least for Australia.

I'm not even sure if the following is uniform across the EU, but I have always assumed (maybe even been told) that it is. Where I come from (The Netherlands), (afaik) when you do business with another business then consumer protection laws don't apply.

The rationale appears to be that as a business you don't need the same kind of protection as a consumer. It's considered the risk of doing business, and companies suing each other in court (e.g. for fraud) is considered to be less unbalanced than it would be for a private individual (consumer) against a company, in terms of (financial/legal) means.

In reality there probably are different (less savory) historical reasons behind it too, maybe even the preservation of the "natural power distribution" (euphemism for the already wealthy to stay that way) between smaller and larger businesses. That's at least how I have heard it being justified politically. Meanwhile, good luck suing a large company if you're a smaller business yourself. Either way, as I already implied, I think that's more or less by design.

Great if Australia is more egalitarian on that subject. If not for all of nature trying to kill me at every second there, I'd seriously consider immigrating over this xD

There is some nuance with the Australian laws, but for the most part, the protections exist: [0]

When you buy goods or services for your business which are:

+ under $40,000

+ over $40,000 and normally bought for personal, domestic or household use or consumption

+ vehicles and trailers used mainly to transport goods on public roads

your business will be considered a consumer and entitled to certain remedies under the consumer guarantees if something goes wrong.

As an EPYC CPU doesn't cost more than $40,000 per unit (closer to $8,000 from what I've found), it would fall under the guarantees.

Australian laws are still skewed in favour of the larger companies, but one place where the law tends not to fall down is consumer protections.

[0] https://www.accc.gov.au/business/business-rights-protections...

It should be illegal to lock devices like that. Pure corporate greed. It is sad that as soon as AMD restored its glory they went for a cheap cash grab. It should be easy to tell that a device is running an unsigned boot loader without blocking it (e.g. a jumper on the motherboard). If an attacker is able to switch a jumper, then you have bigger problems than a boot loader. The community should nip this in the bud and out AMD.

Did you even read the article? AMD is shipping everything unlocked, it's the OEMs that can choose to activate this feature.

Certainly it's a debate whether such feature should exist in the first place, but presumably OEMs are the driving force behind this, so they see a need.

This is the work of AMD together with the OEMs.

AMD wins because it destroys the secondary market, driving up the prices they can charge for new CPUs.

The OEMs win because once you've put your CPUs into Dell servers, you can't just buy different servers and move your CPUs over (e.g. to reuse CPUs from servers that broke in other ways or were decommissioned for other reasons), so you have a higher hurdle when switching to a competitor. Payment from AMD could also be involved, because I think AMD has more to win here.

You as a CPU buyer, or a buyer of services that cost more if CPUs cost more (aka everything), lose, as does the environment.

AMD has created this "feature" out of greed.

How soon can we expect them to just use soldered BGA chips on desktops and servers?

Works really well for laptops - motherboard fried? Just throw that CPU, GPU, RAM and VRAM away, and buy a new one! You're not rich enough to pay for its repair, are you?

Justified by thinness for consumers and security for corporate. What a terrible practice.

Maybe it was the case a few years ago, but now the rework equipment is quite affordable. It is certainly within hobbyist reach now to e.g. replace a BGA chip. That's why they'd rather go for the "security" excuse, as this sort of stuff cannot be easily bypassed.

This may well be a case of: the vendor does this, they get a better price as it removes all aspects of reselling the CPUs on and the whole grey market risk - https://en.wikipedia.org/wiki/Grey_market

Large vendor, such details may mean a few dollars saving on the CPUs and that will add up. For many it won't be an issue, more a gotcha for the second hand market upon those thinking they can buy and part it out. So down the line, this is going to make some second hand CPUs a real gotcha unless these chips have identifiable visible marking.

That seems absurd, why not just clear the secure area (or make it inaccessible until cleared) if the processor detects a different firmware instead of not booting?

Looks like they might be doing this intentionally to get some sort of financial gain: perhaps the plan is that this would lead to less used AMD chips being resold and thus more AMD chips bought from AMD itself and more profit for AMD?

Even then, why would Dell play along? Is AMD contractually forcing them to create a firmware that locks the chips? What about the massive liability of customers demanding refunds or suing them because the Dell firmware irreparably damaged their CPUs?

If this was about actual security, not destroying the secondary market, the obvious solution for this would be providing a way to "factory reset" the CPU using a pin that is normally physically disconnected.

An attacker that breaks into your datacenter to physically reset the CPU could also swap it, so once you have physical access, the security argument doesn't hold. OEMs/recyclers could simply plug each CPU into a testing/resetting jig that has this connected, or mainboards could have a jumper for it.


Edit: I wonder if this will enable a new category of ransomware. "Pay us (half the current value of your CPUs) to get your firmware signed with the key that we just locked all the CPUs in your fleet to".

Why does this require blowing fuses? Just store a secret into the CPU that can only be unset if the same secret is provided again. It could be totally reversible, as long as you know the secret, that way the lock could be removed when decommissioning the system.

With a tiny bit more fancy crypto one could also generate per-system unlock keys so that a vendor doesn't have to reveal his master lock or something like that.

Unlocking bootloaders is a solved problem on android. Why introduce a worse solution that creates vendor lock-in?
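The reversible scheme the comment above sketches, as an added example that is not part of the thread or of AMD's PSB: the CPU keeps the pinned vendor key hash in rewritable secure storage together with the hash of an unlock secret, and the vendor derives that unlock secret per CPU with an HMAC over its serial, so releasing one CPU's unlock key reveals nothing about the master. The lock-slot layout, the serial format and the "psb-unlock-v1" derivation label are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// LockSlot models rewritable secure storage inside the CPU, standing in for
// the one-time-programmable fuses PSB actually uses. (Constructed model.)
type LockSlot struct {
	VendorKeyHash []byte // pinned firmware-signing key hash; nil when unlocked
	UnlockKeyHash []byte // sha256 of the per-CPU unlock secret
}

var (
	ErrLocked         = errors.New("CPU already locked; unlock first")
	ErrWrongUnlockKey = errors.New("unlock key does not match")
)

// PerCPUUnlockKey derives the unlock secret for one CPU from the vendor's
// master secret. Only the derived value ever leaves the vendor's HSM.
func PerCPUUnlockKey(master []byte, cpuSerial string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("psb-unlock-v1:" + cpuSerial)) // assumed derivation label
	return m.Sum(nil)
}

// Lock pins a vendor key and records the hash of the secret that can undo it.
func (s *LockSlot) Lock(vendorKeyHash, unlockKey []byte) error {
	if s.VendorKeyHash != nil {
		return ErrLocked
	}
	h := sha256.Sum256(unlockKey)
	s.VendorKeyHash = append([]byte(nil), vendorKeyHash...)
	s.UnlockKeyHash = h[:]
	return nil
}

// Unlock clears the pin if and only if the presented secret hashes to the stored value.
func (s *LockSlot) Unlock(unlockKey []byte) error {
	if s.VendorKeyHash == nil {
		return nil // already unlocked
	}
	h := sha256.Sum256(unlockKey)
	if subtle.ConstantTimeCompare(h[:], s.UnlockKeyHash) != 1 {
		return ErrWrongUnlockKey
	}
	s.VendorKeyHash, s.UnlockKeyHash = nil, nil
	return nil
}

func main() {
	master := make([]byte, 32)
	rand.Read(master) // vendor master secret, constructed here
	serial := "EPYC-SN-000123" // constructed serial
	unlockKey := PerCPUUnlockKey(master, serial)

	cpu := &LockSlot{}
	fmt.Println("lock to vendor A:", cpu.Lock([]byte("sha256(vendor A firmware key)"), unlockKey))
	fmt.Println("unlock with a guess:", cpu.Unlock([]byte("guess")))
	fmt.Println("unlock with vendor-released key:", cpu.Unlock(unlockKey))
	fmt.Println("relock for vendor B:", cpu.Lock([]byte("sha256(vendor B firmware key)"), PerCPUUnlockKey(master, serial)))
	fmt.Println("key handed to the recycler:", hex.EncodeToString(unlockKey))
}
```

The trade-off this makes visible: security no longer rests on the physical irreversibility of a fuse but on the vendor keeping its master secret and on the lock slot itself being unwritable except through Lock and Unlock. An attacker who can write that storage directly does not need the secret at all.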

> Why introduce a worse solution that creates vendor lock-in?

Obviously in order to create vendor lock-in.

I don't understand what this secures, with the exception of Dell's profit.

If it locks the CPU to a certain manufacturer, all an attacker has to do is get an identical new system and swap the CPUs.

Besides, what matters is the data on the storage. Is it encrypted with keys stored on the CPU? If it's not, how does this help?

I may be wrong, but as far as I understand the most likely scenario it protects against is a tampered bootloader. Someone could inject malware in there and then the whole chain of trust of secure computing breaks.

Ok, that makes sense.

What does not make sense is that it's not optional.

I honestly don't see why the CPUs couldn't from the factory contain a public key from AMD, and from there AMD issues certificates to firmware vendors to sign their firmware with. This would allow the CPU to 'verify' the certificate chain of the firmware that is being used without locking it to a specific vendor. This decreases security a little because the leakage of a single signing certificate means you can put malicious firmware on any device, but it seems like it's much more consumer friendly.
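The alternative proposed in the comment above, as an added example and not something AMD ships: a single root public key baked into the CPU, a vendor certificate (vendor key signed by that root) carried inside the firmware image, and the firmware body signed by the vendor key. The CPU verifies both links on every boot and keeps no first-boot state, so the same CPU accepts any vendor AMD has certified. The certificate layout and the "vendor-cert-v1" body encoding are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// VendorCert is what AMD would issue once per firmware vendor: the vendor's
// public key and AMD's signature over it. (Constructed format; a real design
// would add validity and revocation data.)
type VendorCert struct {
	VendorName   string
	VendorPubKey ed25519.PublicKey
	RootSig      []byte // AMD root signature over certBody()
}

func (c VendorCert) certBody() []byte {
	return append([]byte("vendor-cert-v1:"+c.VendorName+":"), c.VendorPubKey...)
}

// IssueVendorCert models the CA step AMD performs with its root private key.
func IssueVendorCert(rootPriv ed25519.PrivateKey, name string, vendorPub ed25519.PublicKey) VendorCert {
	c := VendorCert{VendorName: name, VendorPubKey: vendorPub}
	c.RootSig = ed25519.Sign(rootPriv, c.certBody())
	return c
}

// SignedFirmware is the image as the board's SPI flash would hold it.
type SignedFirmware struct {
	Cert      VendorCert
	Body      []byte
	Signature []byte // vendor signature over Body
}

func SignFirmwareWithCert(vendorPriv ed25519.PrivateKey, cert VendorCert, body []byte) SignedFirmware {
	return SignedFirmware{Cert: cert, Body: body, Signature: ed25519.Sign(vendorPriv, body)}
}

var (
	ErrUntrustedVendor = errors.New("vendor certificate not signed by the root baked into the CPU")
	ErrBadFirmwareSig  = errors.New("firmware not signed by the certified vendor key")
)

// VerifyChain is the whole check the CPU would run at boot: root -> vendor -> image.
func VerifyChain(rootPub ed25519.PublicKey, fw SignedFirmware) error {
	if len(fw.Cert.VendorPubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(rootPub, fw.Cert.certBody(), fw.Cert.RootSig) {
		return ErrUntrustedVendor
	}
	if !ed25519.Verify(fw.Cert.VendorPubKey, fw.Body, fw.Signature) {
		return ErrBadFirmwareSig
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	certA := IssueVendorCert(rootPriv, "Vendor A", aPub)
	certB := IssueVendorCert(rootPriv, "Vendor B", bPub)

	fmt.Println("vendor A image:", VerifyChain(rootPub, SignFirmwareWithCert(aPriv, certA, []byte("bios A (constructed)"))))
	fmt.Println("vendor B image, same CPU:", VerifyChain(rootPub, SignFirmwareWithCert(bPriv, certB, []byte("bios B (constructed)"))))

	// Attacker with a self-issued "Vendor A" cert: fails at the root link.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilCert := IssueVendorCert(evilPriv, "Vendor A", evilPriv.Public().(ed25519.PublicKey))
	fmt.Println("self-issued cert:", VerifyChain(rootPub, SignFirmwareWithCert(evilPriv, evilCert, []byte("implant"))))
	// Genuine vendor A cert, body signed with some other key: fails at the image link.
	fmt.Println("real cert, wrong key:", VerifyChain(rootPub, SignFirmwareWithCert(bPriv, certA, []byte("implant"))))
}
```

The cost the comment names shows up as what this code lacks: if one vendor's private key leaks, every CPU trusts it until a root-signed revocation list can be delivered, which the fused per-vendor hash of PSB never has to solve.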

Does this defend against any additional attack surface that wasn't already defended by the UEFI Secure Boot standard?

Yes, UEFI Secure Boot defends against OS/bootloader malware while this defends against flashing malware into the UEFI firmware itself.

Wait so if i flash malware into the firmware, i should also have a spare fresh EPYC CPU i could install?

Yes, I think that would be a valid way to bypass the protection.

With physical access you can bypass just about any protection given enough money and time. In a data centre context, the damage you can do is rapidly minimised by rapidly increasing the amount of capital and time required to access more of the DC.

The more important change is that without this feature, malware could theoretically install itself into the firmware without requiring physical access. Now it should be just about impossible to break the chain of trust without a person physically tampering with the machine.

Note: I should mention that I think this is such a massive double edged sword (maybe double edged shield is a better term). This lets you build a threat model that accounts for everything up to physical access. This however also has such a massive opportunity to be an incredibly anti-consumer feature that I fear to see how it will be used. I wish they would have required a physical switch to enable/disable the feature. I do however understand how adding such a feature could complicate its implementation quite a bit.

The keys for trusted compute, memory encryption and such are saved inside the CPU, so if you change the CPU you also lose all those keys.

So if I understand correctly, I wouldn't be able to flash, say coreboot?

Of course.

The joke is that UEFI got so complex that we can have malware there in the first place.

It defends big vendors against secondary market.

This sounds reasonable. I mean to bypass this lock our criminal would have to ... replace the CPU and continue attack like nothing happened. Totally infeasible, inconceivable even! proving this was introduced for safety and not Vendor_lock-in!!!1

I get why it's done, but all this locking down of modern systems is making me rapidly lose interest in computing.

I can think of two scenarios where this security feature is helpful.

First, somebody breaks into a server room, replaces the motherboard with a compromised one, and notices mid replacement that they forgot a processor. (Since the processor locks during first boot, it is of no use if the supply chain is compromised before the first boot. On the other hand, I would imagine somebody willing to break into a data center to replace a motherboard would also be willing to do all kinds of other shenanigans, like bringing another processor.)

The second scenario is, somebody thinks about buying a used instead of a new processor.

Bingo. It’s a money grab.

It’s actually easier to swap a mobo with a cpu and heatsink that’s already seated.

Well, the security key of the VM is stored in the CPU, so you can't replace the CPU unless you can enter the console, copy the data out and re-encrypt it with the key from another CPU.

While if you can do this, you don't need to replace mother board/CPU anyway because you already pwned them and copy/modify the data whatever you want.

> Well, the security key of VM is stored in the CPU

What security key? Do you mean the memory encryption key? We're talking about a powered off machine, so that's irrelevant.

I mean keys stored in the CPU fTPM. So next time it boots, it can't get the disk decrypted with the key in the CPU. And the admin will notice something very incorrect happened.

Memory and Virtual Machines

Please explain better.

The article talks about virtual machines as a subset of memory encryption. It also specifically says "ephemeral keys". Not ones that would be preserved across a shutdown.

What is encrypted on a powered-off server that the CPU knows the key to?

I'm not as sketched out about this as if it were single socket workstation ryzen/threadripper CPUs. In the market from $1000 to $6000 workstation desktops where enthusiasts and people with specific requirements (or just 10, 15, 20 years of experience building x86-64 PCs themselves) would want to build their own desktop from individual components ordered off Newegg.

I doubt more than a single digit percentage of 'serious' dual socket (64-128+ core) rackmount server customers are going to be buying their own barebones motherboards and CPUs and assembling it themselves. They're going to buy it from a Dell, HP or a Supermicro integrator or similar. If you're buying a $12,000+ server with 128 cores and 512GB to 4TB+ of RAM and some fast NVME storage it's highly unlikely you're putting it together yourself.

Any massive hosting/cloud scale operations that want to DIY their own EPYC systems from pieces will be doing it through a Taiwanese integrator, such as those that supply the ecosystem components for open compute platform server motherboards. And as such they'll also not encounter any technical issues or procurement issues with this. At the point where you have two $3000 CPUs on a motherboard that costs $1200, the full firmware/motherboard/CPU integration and qualification process is very different than putting a $399 ryzen into a $300 board.

Not yet. We will in 5 years time when their resale value meets our budgets.

I work in a rather budget-constrained lab environment. “Beg, borrow, steal” is the order of the day. Just today I was pricing out pre-loved Gen8 HPs. In 5 years time I could be exactly the hypothetical the article outlines.

This isn’t today’s problem - it’s a problem we’re creating today. We’ll hit it when your examples start retiring them and my example are eager to recycle them.

Yes - and no, I know lots of people including myself who have things like older dual socket Dell R710 as home test hypervisor servers. Also a very tiny percentage of people will bother to ever upgrade the CPUs on them.

For home lab stuff... When people buy a $200 used Dell R610 off ebay with two 8-core CPUs they most likely expect to use it in the exact same CPU configuration. Maybe add RAM. And probably use their own choice of SATA 6Gbps SSD in the drive trays instead of whatever old, possibly unreliable used spinning drives might come with it.

I have a 4U, quad socket Dell R910 with 32 total cores and 256GB of RAM that I got for $350. I'm absolutely not going to go messing around with replacing the CPUs on it with something I've purchased from ebay. When it's too old or slow, or I'm tired of having a 500W electrical load in my garage, I'll replace it with another thing that's come off a 3-4 year lease cycle.

My go-to vendor’s business model is to do that for me. So I say, I want a DL360. I pick processors, ram, disk controllers from their stock. I can even tell them how many caddies I want (looking at you, Dell). And they ship me a build-to-order server from second-hand parts.

So in the future I’ll likely have a smaller bin of CPUs to choose from. If firmware keys get more specific than per-vendor, it could be potentially a very small bin. And small bins typically mean higher costs. The cheapest cpu is typically the biggest bin, not the highest specced.

I have never purchased a used server and stuck with the included CPUs, they're either power hungry beasts or bottom-rung SKUs. All of my 12th gen PowerEdge servers at home run E5-2450Ls (they're all -EN platforms), for example. The one exception is the R210 II I use as a firewall/router.

By percentage the number of 1U/2U servers sold with ultra power efficient CPUs is fairly low. When people buy those new they will absolutely be going for CPUs that are 85W to 130W TDP per socket, times two sockets.

As a person that's formerly worked for a server manufacturer for a number of years I would say that the mid to upper performance range of the CPU market is 80%+ of the servers by volume. The other 10% is either the very low power models, and the top 10% of the units sold by volume are the very most expensive CPUs available at the time.

If you buy a used 1U Dell R610 with two six-core CPUs and 64GB of RAM, nobody should be surprised that a 120VAC watt meter at the wall shows it idling at 150W power consumption, with cpu load at 0.00... [surprisedpikachu.gif]

I mean, they don't have to be the ultra-efficient ones - but for my home lab use I want < 100W idle usage and even my R520 can handle that with the 2450Ls (Ivy Bridge-EN could do this without the L suffixed SKUs, but HCC chips in that family were more expensive when I was buying).

I haven't yet purchased used server gear, but I do a lot of window shopping. Most of the servers come with CPUs, but not all of them, and there's always a lot of loose CPUs for sale. Very occasionally, I've seen new-old-stock server motherboards for sale for not too much.

> I work in a rather budget-constrained lab environment. “Beg, borrow, steal” is the order of the day. Just today I was pricing out pre-loved Gen8 HPs. In 5 years time I could be exactly the hypothetical the article outlines.

Likewise for me. I AM building a $20,000 HPC because simply put, no one will sell us one for anything close to what we can actually afford and when it affects the speed and capability of my research and publications personally, it feels like a waste to leave extra performance on the table.

If I may ask, using what motherboard? The problem of EPYCs being locked to a certain vendor platform should not be a problem for you if you're buying a factory new Supermicro or Tyan or competing board. And a new set of individually purchased EPYC CPUs.

As a University student, I had dual Athlon XPs on a Tyan board. It was a lot of money for me back then, and the power supply melted to the board (not the power supply's fault either. I soldered on a new ATX connector and the 2nd power supply also melted to the board). If I couldn't use those processors in any other machines except a Tyan, I would be insanely pissed off.

This would be better if there were a physical-only method to factory reset the CPU, instead of blowing fuses.

What problem is this trying to solve? Is there that much of a black market for data center CPUs?

It's called the secondary market, nothing black about it. https://www.youtube.com/watch?v=TxZ21Q0VSdE

BIOS (UEFI) level rootkits

I managed to get that much from the article but I still feel I'm missing a few pieces here. Are UEFI rootkits an actual concern, like are they common in the wild? Why should the responsibility of detecting them rest with the processor? How is this related to the Secure Encrypted Virtualization?

There have been a couple in the wild, but they aren't super common.

They've become a bigger concern with UEFI since it has a massive attack surface compared to legacy BIOS.

For a processor sitting in AWS / Azure, they want guarantees, and they're the ones EPYCs are designed for.

The responsibility has to rest with the processor, since it's the only thing executing code prior to UEFI. What it's doing is validating that UEFI was cryptographically signed with the correct key prior to running any UEFI code. When it's first used, it is saving the key for the vendor's UEFI implementation and won't allow it to proceed if the root signature ever changes (think something similar to root certs for HTTPS).

It's only relevant to Secure Encrypted Virtualization insofar as they are both implemented inside the PSP which is a separate ARM core that runs at a higher privilege level than the x86 cores (and is the core that actually initializes the x86 cores).

This is how all phones have worked for many years, but apparently it's now becoming a thing in servers too.
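The trust-on-first-use behaviour described in the comment above, as an added model written for this page rather than AMD's PSP code: the firmware image carries the vendor's public key and a signature over the body; on the first boot in a PSB-enabled platform the PSP verifies the signature and blows fuses holding the hash of that key, and every later boot, on any board, must present firmware signed by the same key. That a fused CPU keeps enforcing the lock on a board with PSB turned off is taken from the article's description of locked CPUs refusing other vendors' boards; the image layout and the use of Ed25519 are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fuses models the CPU's one-time-programmable key fuses. nil means never blown.
type Fuses struct {
	VendorKeyHash []byte
}

// FirmwareImage is the signed BIOS as the board's SPI flash would hold it:
// the vendor public key travels with the image and the signature covers Body.
type FirmwareImage struct {
	VendorPubKey ed25519.PublicKey
	Body         []byte
	Signature    []byte
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify")
	ErrWrongVendor  = errors.New("firmware signed by a key other than the fused vendor key")
)

// SignFirmware is what the OEM build pipeline does with its signing key.
func SignFirmware(priv ed25519.PrivateKey, body []byte) FirmwareImage {
	return FirmwareImage{
		VendorPubKey: priv.Public().(ed25519.PublicKey),
		Body:         body,
		Signature:    ed25519.Sign(priv, body),
	}
}

func keyHash(pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(pub)
	return h[:]
}

// Boot is the PSP's decision before it releases the x86 cores.
// psbEnabled is the platform setting: a board without PSB boots a fresh CPU
// without verifying or fusing anything, but once the fuses are blown the CPU
// enforces the pinned key everywhere.
func Boot(f *Fuses, img FirmwareImage, psbEnabled bool) error {
	if f.VendorKeyHash == nil && !psbEnabled {
		return nil
	}
	if len(img.VendorPubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(img.VendorPubKey, img.Body, img.Signature) {
		return ErrBadSignature
	}
	h := keyHash(img.VendorPubKey)
	if f.VendorKeyHash == nil {
		f.VendorKeyHash = h // first boot on a PSB platform: blow the fuses, irreversibly
		return nil
	}
	if !bytes.Equal(f.VendorKeyHash, h) {
		return ErrWrongVendor
	}
	return nil
}

func main() {
	_, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	biosA := SignFirmware(aPriv, []byte("vendor A bios 1.0 (constructed)"))
	biosB := SignFirmware(bPriv, []byte("vendor B bios 2.3 (constructed)"))

	cpu := &Fuses{}
	fmt.Println("first boot, vendor A board:", Boot(cpu, biosA, true))
	fmt.Println("vendor A board again:", Boot(cpu, biosA, true))
	fmt.Println("moved to vendor B board:", Boot(cpu, biosB, true))
	tampered := biosA
	tampered.Body = []byte("vendor A bios 1.0 + implant (constructed)")
	fmt.Println("vendor A board, tampered image:", Boot(cpu, tampered, true))
	fmt.Println("vendor B board with PSB off:", Boot(cpu, biosB, false))
}
```

The two error paths are the two things the thread argues about: ErrBadSignature is the security benefit (a rootkit written into the SPI flash from a compromised host no longer boots), and ErrWrongVendor is the cost (the same CPU in a second-hand board from anyone else).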

Oh the UEFI code is run by the main processor.. somehow I had always assumed it was running on some micro-processor on the mobo.

Ah. Yeah.

The motherboard just loads BIOS/UEFI into a predefined memory address and then starts the CPU

This is a pretty good explanation https://manybutfinite.com/post/how-computers-boot-up/

> In a multi-processor or multi-core system one CPU is dynamically chosen to be the bootstrap processor (BSP) that runs all of the BIOS and kernel initialization code

These days, the "bootstrap processor" is a separate core that your OS can't see. On Intel it's the IME (running Minix) and on AMD it's the PSP (ARM TrustZone)

> Are UEFI rootkits an actual concern, like are they common in the wild?

If one segment needs to worry about UEFI rootkits, it's cloud vendors. Very dedicated (nation-state sponsored) attackers could burn/use a zero-day hypervisor escape to install a UEFI rootkit that tampers with the processor's integrated HSM (as said in the article, tampering with it has already happened and the exploits have been patched by AMD). As I understand it, if a vendor uses full memory encryption, the above exploit could lead to decrypting and exfiltrating other customers' data.

An attacker flashing a tampered BIOS from inside a VM makes total sense. It's surprising how many SPI ROMs there can be in a box, and how basically they're all waiting there to be exploited.

Cloud vendors should be using coreboot, not UEFI.

Not sure why downvoted. I run blobless coreboot for precisely this reason. My only regret is not being able to find newer x86_64 gear that supports it. OTOH you can still buy in-production arm64 boxes that boot with zero blobs (RK3399).

One of the cloud vendors created UEFI.

Then they know full well how bad it is!

*Jokes aside, I think Intel created UEFI (for Itanium?), not Microsoft?

The consortium has AMD, Intel, and Microsoft listed as contributors, so even if they didn't initially create the thing, they had a hand in it. The executable format used for UEFI is PE, which is telling.

Their statement says "It is a defense-in-depth feature", so maybe not?

It's the "think of the children" excuse.

I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened.

Sorry to be blunt, but am I correct that this is a measure against tampering with servers by Chinese intelligence during the customs process? In that case, are the CPUs themselves signed or could they be replaced after modifying the motherboard?

Because otherwise it's really hard to see why the website would claim that every end user would be enthused about these lock-ins. Sort of a weird statement.

No, it's about stopping BIOS-level rootkits from being installed when someone remotely compromises the machine.

No, it's about shutting down the secondary server hardware market.

The article was updated with new info from HPE:

"HPE does not use the same security technique that Dell is using for a BIOS hardware root of trust. HPE does not burn, fuse, or permanently store our public key into AMD processors which ship with our products. HPE uses a unique approach to authenticate our BIOS and BMC firmware: HPE fuses our hardware – or silicon – root of trust into our own BMC silicon to ensure only authenticated firmware is executed. Thus, while we implement a hardware root of trust for our BIOS and BMC firmware, the processors that ship with our servers are not locked to our platforms. (Source: HPE)"

I thought this type of system would provide a way to revert to factory defaults with a side effect of erasing all keys. So the processor would no longer be secure, but would at least still boot. Maybe this clearing can be done through the BIOS/UEFI on the original Dell system.

One time programmable fuses are rather terrible. I'd rather have an old UV resettable fuse that would also clear the key space. Or perhaps a set of contacts to reset the fuse, like a jumper or lands that should be connected with a pencil.

Is there any way to “fix” the processor afterwards? Maybe send it to AMD to be reset? If I’m buying a multi thousand dollar processor, I’d feel better if I could reuse it in other systems if needed.

If they’re setting OTP on the die, all AMD could offer would be a warranty replacement at best. There’s no etching new fuses into a packaged die.

They could blow the key to an "insecure" state, and then have a jumper on the motherboard to allow insecure booting.

That’s about the only way I see out of this, yeah. No fuses blown is obviously a specific state (works as expected everywhere). All-fuses blown needs to be a specific state too (say the trustroot is dead and it’s now “just a cpu”).

You couldn’t just fail to that state (it’d be inappropriate for its primary use-case), as long as there’s some way to get there.

It could be done with some kind of JTAG mod-chip, but this depends on what kind of JTAG security they've implemented.

If you want to know where to start, search GitHub for 'KaveriPI', if you unpack AMD BIOSDBG.EXE you can find a complete list of processor registers. This is all from 2015 but the PSP is documented in there.

There's also a Microsoft Access database which has all the JTAG registers, but I don't have the time to decode the meaning of the fields... It is likely that things have changed since then but it still might be enough for a start.

Should the JTAG interface be protected then some kind of laser(?) fault injection might be required to open it up. I guess some of the eFuse bits can be overwritten, maybe there's a combination which can remove the lock. An innovative recycling company could work on making a jig to automate this somehow...

Some PSP JTAG stuff here (publicly available material from GitHub in 2015, fair use applies):

41469,3529,164000,164999,"SMU_PSP_efuse_ovr_tried",,1,0,0,0,50,"0000",0,
41470,3529,164000,164999,"SMU_PSP_FRA_pass_ld_err",,1,1,1,0,50,"0001",0,
41471,3529,164000,164999,"SMU_PSP_FRA_pass_ld_cor",,1,2,2,0,50,"0002",0,
41472,3529,164000,164999,"SMU_PSP_efuse_pdmb_aes_dis",,1,3,3,0,50,"0003",0,
41473,3529,164000,164999,"SMU_PSP_efuse_pcpu_dis",,1,4,4,0,50,"0004",0,
41474,3529,164000,164999,"SMU_PSP_efuse_ccp_cyph_dis",,1,5,5,0,50,"0005",0,
41475,3529,164000,164999,"SMU_PSP_efuse_FRA_en",,1,6,6,0,50,"0006",0,
41477,3529,164000,164999,"SMU_PSP_efuse_proto",,1,7,7,0,50,"0007",0,
41478,3529,164000,164999,"SMU_PSP_efuse_secure",,1,8,8,0,50,"0008",0,
41552,2352,164000,164999,"SMU_PSP_hard_resetb",,1,31,31,0,50,"101F",0,
41553,2352,164000,164999,"SMU_PSP_early_resetb",,1,30,30,0,50,"101E",0,
41554,2352,164000,164999,"SMU_PSP_slv_mbus2_reset",,1,29,29,0,50,"101D",0,
41555,2352,164000,164999,"PSP_SCAN_MODE_STICKY",,1,28,28,0,50,"101C",0,
41568,2352,164000,164999,"PSP_AEB_307_PCPU_RST_DLY_TDR_en_pclk",,1,15,15,0,50,"100F",0,
41569,2352,164000,164999,"PSP_AEB_304_PCPU_FORCE_rst_en_pclk",,1,14,14,0,50,"100E",0,
41579,2352,164000,164999,"PSP_Resetn",,1,8,8,0,50,"1008",0,
43605,555,164000,164999,"PSP_ENABLE_SPARE",,0,1,1,0,50,"0001",0,
43642,555,164000,164999,"PSP_SPARE",,0,7,14,0,50,"0007",0,

While I don't have the time to look at this myself, someone should really have a go at trying to crack this, here are some EPYC server schematics with the JTAG signals brought out to test points:


AMD is unlikely to sue anyone trying to reverse engineer the JTAG interface, especially if it's for an open source project to unbrick CPUs! If they do the EFF is very likely to step in and defend you.

Also on old AMD hardware (SMC based GPU/CPU?) there is a very critical time period JUST after the device comes out of reset and before the SMC starts to lock everything down. Then you can access 'secret' SMC registers through JTAG and read out the protected SMC ROM for example (just keep resetting the device over and over, while stepping the SMC address one by one). The SMC's CPU is a Lattice Mico32 (LM32). In the SMC ROM is a symmetric crypto key which is used for authentication (SHA1).

The SMC ROM contains code to initialize the hardware before the PCIe links are brought up. One of the first things the SMC does after boot is read out the eFuse contents and program various 'write once' lockdown registers which are used to disable features within the chip. Once these registers have been written to they cannot be modified until a hard reset occurs. So you write to these before the SMU gets a chance to. Or you can halt the SMC itself, then write whatever registers you want and reboot it as nothing ever happened. That way you can override many of the eFuse related settings.

The above techniques might also work on PSP based CPUs/GPUs - so you need to access the JTAG interface ASAP after bringing the chip out of reset. I'm unsure if the SMC is still present on the PSP-based CPUs and GPUs, as I don't have any spare to test.

Double plus if it's for an environmental cause. That would be a PR disaster.

This is just waiting to be abused. No software or firmware (or even silicon!) is 100% secure; if at any point someone figures out a way to flip a fuse (maybe something like creating a short by overloading two adjacent fuses or abusing reads via power supply glitching) and then make the CPU unusable for everyone...

Hell, next step might be ransomware that fuses your CPU and unless you pay them they will reboot them so you can't use them any more until you buy their signing key.

TL;DR: Put an Epyc cpu in a Dell once, and it will never work again in any other vendor's motherboard? Is that right?

It's not necessarily just Dell, they're just the first to use the feature.

It also won't necessarily work in other Dell motherboards, just ones using the same key as the first.

It's strange Dell would blow the fuses by default, though.

HPE and some other vendors do this, not just Dell.

Could even enable some sort of region lock too? Selling CPUs at different prices to different markets for example?

Not really. AMD is only selling unlocked CPUs, and the "locking" is done the first time it boots in a given motherboard. So crossing regions wouldn't be any more of an issue in the future than it is now, you "just" need to ensure your motherboard and CPU come bundled together. Or you need to ensure you get an "unlocked" CPU, which is what retailers provide via AMD.

This will greatly complicate the future second-hand market, though. Buying used Epyc CPUs off of ebay in 5 years will become very sketchy for example.

You could have some crude region locking if SGI US signs with a different key than SGI EU, and US servers will only run on 60Hz power supplies and EU servers only run on 50Hz (some pinball machines use this to reduce transatlantic resale). It's not hard to measure, but it would need an extra power supply pin and a zero crossing circuit. DC systems would have a different signing key. Japanese systems wouldn't be able to move across their 50/60Hz divide, etc.

Used SGI to not pick a real vendor.

That only region locks the motherboard. The CPU would only be locked after it has been used in the motherboard, not before, which necessarily means you already have the CPU in question. So there wouldn't be any barrier to CPU movement across regions.

As in for your example there isn't anything stopping you from buying a CPU from anyone, including US retailers, and using it in an SGI EU motherboard. The CPU itself isn't locked when new, this signing key locking isn't baked into the CPU at the factory. It happens when you plop it into the socket & fire it up for the first time.

> As in for your example there isn't anything stopping you from buying a CPU from anyone.

I can't buy a used cpu from an SGI US customer and put it in an SGI EU motherboard. I can buy a new CPU from anyone though, but then I can only sell it in-region.

> I can't buy a used cpu from an SGI US customer and put it in an SGI EU motherboard.

Correct, but that's less a region thing and more this just poisons all used CPUs.

As in you don't even know if an SGI US CPU will work in a different SGI US motherboard. There's no particular reason to assume all SGI US motherboard models will have the same signing key. Within the same model that'd almost certainly be the case, but if it's a different model, especially different chipset, I don't know why they would necessarily strive to keep the key the same across different firmware branches.

> I can buy a new CPU from anyone though, but then I can only sell it in-region.

Er, why? Nothing about this stops you from re-selling CPUs however you want. Or are you still talking about the used market here?

I'm not reselling a cpu without plugging it in and testing it. If it's DOA when my customer got it, and I didn't test it, I need to take it back etc. Of course, if it gets locked when I test it, now it's more likely to be DOA for my customer.

Theoretically. If the OEM shipped region-specific firmware with a region-specific signing key, the CPUs would be region-specific as a side effect.


Some enterprising enthusiasts will find a way around this i hope

Hopefully the keys get leaked someday, as often eventually happens with such DRM-ish schemes.

Amidst all the hype for firmware security, one point missing in these discussions is how many points of failure these guys have added. 1) Intel/AMD for ME/PSP 2) Dell for bios signing keys 3) MS for secureboot keys 4) American Megatrends, Phoenix, etc., companies that people don't even know exist, who actually write the bios code. If the threat model is nation state attacks, there is plenty of surface area here in the circus.

I'm looking forward to the malware/ransomware that permanently locks CPUs to an attacker-signed BIOS.

This will be an interesting mess on eBay.

"Vendor-Locks" perhaps?


Intel has ME, AMD has PSP.

Intel has Boot Guard, AMD has this.

Either one may have seemed the better choice at one point in time, but it's clear they're really going down the same path.

If you don't provide this, enterprise vendors won't be buying AMD CPUs, and AMD loses. (They desperately need those EPYC sales.)

If they do, lots of people, whether they will buy it or not, will complain and make a big fuss about it. If they are going with vendor lock they might as well go back to Intel.

Looks like AMD just can't win.

The title as submitted to HN is super clickbaity. Overall this doesn't seem 'bad', aside from some questionable defaults that other commenters said about it being enabled by default.

It really should copy the article:

> AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost

Should be corrected to "Vendor-Locks", as well.
