Lenovo vendor locking Ryzen-based systems through AMD Platform Secure Boot in the client PC segment

Submit

Serve The Home recently revealed that Lenovo uses AMD Platform Secure Boot, also known as AMD PSB, for their desktop platforms, especially the AMD Ryzen PRO-based systems to vendor lock the processor to their brand lines. The website has run a few features on the vendor locking process, and a recent video from the site on YouTube explains the purpose of AMD PSB and the advantages and disadvantages of the process.

Lenovo vendor locks AMD Ryzen PRO-based systems with AMD Platform Secure Boot

In Serve The Home's recent video, they display a Lenovo ThinkPad desktop computer system, the Lenovo M75q Tiny Gen2, equipped with the processor onboard. The processor shows to be vendor locked to Lenovo systems specifically. Still, upon looking at the processor, the user would not distinguish it from an identical processor located on a separate system. The process uses AMD's Platform Secure Boot, and in the video below, the hardware site explains in detail why Lenovo would lock the processor to their systems and not others.

AMD Computex 2022 ‘High-Performance Computing’ By CEO, Dr. Lisa Su, To Feature Next-Generation Desktop & Mobile PC Innovations

Patrick Kennedy, owner of the YouTube and website Serve The Home, has covered the impact of AMD PSB on the AMD EPYC processors in 2020. The specific AMD EPYC processors Kennedy mentions are used on the server-level systems, with Dell initially adopting the vendor locking for their designs.

AMD explains their PSB technology in a security white paper from 2021, "AMD RYZEN™ PRO 5000 SERIES MOBILE PROCESSORS, MAKING DEFENSES COUNT: DESIGNING FOR SUBSTANTIAL DEPTH," written by Akash Malhotra, Head of Product Security and Strategy Group for AMD.

AMD Platform Secure Boot (PSB) provides a hardware root of trust (RoT) to authenticate the initial firmware including BIOS during boot process of the device. When a system powers on, ASP executes the ASP boot ROM code, which then authenticates various ASP boot loader code before initializing silicon and system memory.

Once system memory is initialized, ASP boot loader code verifies the OEM BIOS code, authenticating other firmware components before the OS is booted.

PSB enforces platform integrity by providing stronger protection from rogue or malicious firmware, automatically denying them access upon detection. AMD PSB helps provide seamless and secure transition from low-level firmware to OS.

Vendor-locking can be troublesome for users since the origin company unmarked the processor and does not state that it can only work on the corresponding platform. The process instills upon the processor singular usage on the particular brand's platform and not a competing company. It also halts any user from swapping the processor with a different processor that is lower in cost but offers more efficiency. Suppose someone buys a second-hand, vendor-locked AMD processor, such as the one in the Lenovo M75q Tiny Gen2 in Patrick Kennedy's video. In that case, the user who attempts to place the processor into a non-Lenovo system would find the component unusable.

Serve The Home ran a story last April 2021 about Lenovo using the AMD PSB technology to vendor-lock AMD Ryzen Threadripper PRO processors for utilization outside of the server marketplace. It currently shows that vendor-locking is present in AMD EPYC-based processors and the AMD Ryzen PRO series on Lenovo platforms.

AMD Radeon & NVIDIA GeForce Graphics Card Price Update: RX 6000 Series at 5% Over MSRP, RTX 30 Series at 24% Over MSRP

The vendor-locking on Lenovo devices came into light from a viewer of Serve The Home on Twitter.

The viewer adds that vendor-locking can be changed to not using AMD PSB within the Lenovo devices in response to the above tweet.

Kennedy notes quite a bit about the vendor locking and brings several points and issues to light. First, users should know that vendor locking is not a standard feature found on systems. Most vendors do not lock their processors to specific scenarios. Lenovo has chosen to implement this feature across their line in both server and premium Threadripper Pro workstations, such as the Lenovo ThinkStation P620.

If a user does have a vendor-locked processor, it does have the capability of installation on another Lenovo system, but not on another brand's motherboard. Kennedy presents that sellers of vendor-locked processors should list or mark somewhere on or with the processor that it is locked to a specific vendor so that purchasers are not approaching issues in the future when trying to implement the processor on another system. He continues the warning to eliminate the possibility of e-waste that would appear due to selling a locked processor. Finally, Kennedy notes that

Some online have said that the lock is between a specific motherboard and CPU. That clearly has challenges when a motherboard needs to be replaced, especially in the server market when a motherboard may cost $600 and the two CPUs may cost $10,000. As a result, AMD PSB locks to a vendor’s firmware signature key, not to a specific motherboard.

Source: Serve The Home, Patrick Kennedy (@Patrick1Kennedy on Twitter), AMD Security Whitepaper (PDF)

Submit