Lenovo vendor locking Ryzen-based systems through AMD Platform Secure Boot in the client PC segment
Serve The Home recently revealed that Lenovo uses AMD Platform Secure Boot, also known as AMD PSB, on its desktop platforms, especially AMD Ryzen PRO-based systems, to vendor lock the processor to its brand lines. The website has run a few features on the vendor locking process, and a recent video from the site on YouTube explains the purpose of AMD PSB and the advantages and disadvantages of the process.
Lenovo vendor locks AMD Ryzen PRO-based systems with AMD Platform Secure Boot
In Serve The Home's recent video, they show a Lenovo ThinkPad desktop computer system, the Lenovo M75q Tiny Gen2, with its processor installed. The processor turns out to be vendor locked to Lenovo systems specifically, yet a user looking at it could not distinguish it from an identical processor from a separate system. The lock uses AMD's Platform Secure Boot, and in the video the hardware site explains in detail why Lenovo would lock the processor to their systems and not others.
Patrick Kennedy, owner of the Serve The Home website and YouTube channel, covered the impact of AMD PSB on AMD EPYC processors in 2020. The AMD EPYC processors Kennedy mentions are used in server-level systems, with Dell initially adopting the vendor locking for their designs.
AMD explains their PSB technology in a security white paper from 2021, "AMD RYZEN™ PRO 5000 SERIES MOBILE PROCESSORS, MAKING DEFENSES COUNT: DESIGNING FOR SUBSTANTIAL DEPTH," written by Akash Malhotra, Head of Product Security and Strategy Group for AMD.
AMD Platform Secure Boot (PSB) provides a hardware root of trust (RoT) to authenticate the initial firmware including BIOS during boot process of the device. When a system powers on, ASP executes the ASP boot ROM code, which then authenticates various ASP boot loader code before initializing silicon and system memory.
Once system memory is initialized, ASP boot loader code verifies the OEM BIOS code, authenticating other firmware components before the OS is booted.
PSB enforces platform integrity by providing stronger protection from rogue or malicious firmware, automatically denying them access upon detection. AMD PSB helps provide seamless and secure transition from low-level firmware to OS.
Vendor locking can be troublesome for users because the processor carries no marking and nothing states that it will only work on the corresponding platform. The process restricts the processor to the particular brand's platform and excludes competing companies' platforms. It also stops a user from swapping the processor for a different one that is lower in cost but offers more efficiency. Suppose someone buys a second-hand, vendor-locked AMD processor, such as the one in the Lenovo M75q Tiny Gen2 in Patrick Kennedy's video: a user who attempts to place the processor into a non-Lenovo system would find the component unusable.
Serve The Home ran a story in April 2021 about Lenovo using AMD PSB technology to vendor-lock AMD Ryzen Threadripper PRO processors, taking the practice outside of the server marketplace. Vendor locking is currently present on AMD EPYC-based processors and the AMD Ryzen PRO series on Lenovo platforms.
The vendor locking on Lenovo devices came to light through a Serve The Home viewer on Twitter.
— Dee (@FedsAgainstGunS) December 22, 2021
In response to the above tweet, the viewer adds that Lenovo devices offer the option of not using AMD PSB.
Forgot to add, that on the consumer platform it gives you the option to turn this off for future CPUs, but the OEM CPU is definitely vendor locked, swapped the 4750GE out for a 4650G to get this message, but 4750GE would not post in 4650G motherboard pic.twitter.com/8JhnyXoJ5j
— Dee (@FedsAgainstGunS) December 22, 2021
Kennedy says quite a bit about vendor locking and brings several points and issues to light. First, users should know that vendor locking is not a standard feature found on systems. Most vendors do not lock their processors in this way. Lenovo has chosen to implement this feature across its line, in both servers and premium Threadripper Pro workstations such as the Lenovo ThinkStation P620.
A vendor-locked processor can be installed in another Lenovo system, but not on another brand's motherboard. Kennedy suggests that sellers of vendor-locked processors should list or mark, on or with the processor, that it is locked to a specific vendor, so that purchasers do not run into issues later when trying to use the processor in another system. He adds that such labeling would eliminate the possibility of e-waste resulting from the sale of a locked processor. Finally, Kennedy notes that:
Some online have said that the lock is between a specific motherboard and CPU. That clearly has challenges when a motherboard needs to be replaced, especially in the server market when a motherboard may cost $600 and the two CPUs may cost $10,000. As a result, AMD PSB locks to a vendor’s firmware signature key, not to a specific motherboard.
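The lock described above, modelled as an added example (not code from AMD, Lenovo or Serve The Home): a CPU binds to the hash of the first OEM signing key it boots under with PSB enabled, then accepts any board whose BIOS is signed with that key and refuses all others. The write-once binding, the textbook-RSA stand-in for the real signature scheme, and the two vendor keys are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent for both toy keys

def make_key(p, q):
    # Textbook RSA from two Mersenne primes: a stand-in for real OEM keys, not secure.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def key_hash(n):
    return hashlib.sha256(n.to_bytes(64, "big")).hexdigest()

def sign_bios(key, image):
    # OEM build step: the image ships with the public modulus and a signature.
    sig = pow(digest(image, key["n"]), key["d"], key["n"])
    return {"image": image, "n": key["n"], "sig": sig}

class Cpu:
    def __init__(self):
        self.bound_key_hash = None  # assumption: write-once, cannot be cleared

    def boot(self, bios, board_enables_psb=True):
        if self.bound_key_hash is None and not board_enables_psb:
            return "boot (unlocked)"  # PSB never engaged, CPU stays portable
        if self.bound_key_hash not in (None, key_hash(bios["n"])):
            return "halt: vendor key mismatch"
        if pow(bios["sig"], E, bios["n"]) != digest(bios["image"], bios["n"]):
            return "halt: bad signature"
        self.bound_key_hash = key_hash(bios["n"])  # first PSB boot binds the CPU
        return "boot"

def run_scenarios():
    oem_a = make_key(2**89 - 1, 2**127 - 1)  # constructed keys for two
    oem_b = make_key(2**61 - 1, 2**107 - 1)  # hypothetical vendors
    board_b = sign_bios(oem_b, b"OEM B BIOS")
    tampered = dict(sign_bios(oem_a, b"OEM A BIOS 1.0"), image=b"OEM A BIOS 1.0 + implant")
    locked, retail = Cpu(), Cpu()
    return {
        "first boot, OEM A": locked.boot(sign_bios(oem_a, b"OEM A BIOS 1.0")),
        "replacement OEM A board": locked.boot(sign_bios(oem_a, b"OEM A BIOS 2.0")),
        "modified OEM A image": locked.boot(tampered),
        "moved to OEM B board": locked.boot(board_b),
        "retail CPU, PSB off": retail.boot(board_b, board_enables_psb=False),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} -> {outcome}")
```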