At STH, we have covered the AMD PSB or Platform Secure Boot feature several times. In the last week or so, we have gotten a few reports that Lenovo is now bringing this technology to the desktop market in its AMD Ryzen (Pro) systems. This makes sense, but let us quickly take a look at what is going on.
Lenovo Vendor Locking Ryzen-based Systems with AMD PSB
The first time we covered AMD PSB and the impact it can have was in our AMD PSB Vendor Locks EPYC CPUs for Enhanced Security at a Cost back in 2020. That was focused on the server market, and Dell was an early adopter of this vendor locking technology as you can see in the accompanying video:
The basic premise of the technology is that it blows field-programmable fuses that lock an AMD CPU to the vendor’s system. The concept is to create a permanent platform so the CPU must align with the motherboard for security purposes. Many of our readers are rightfully nervous about this. One cannot tell whether a CPU has been PSB fused, so purchasing CPUs on the secondary market can be perilous. If, for example, one purchases a fused Lenovo or Dell AMD EPYC CPU and tries to put it in a non-Lenovo or Dell system, it should not work.
In April 2021, we covered that Lenovo is Using AMD PSB to Vendor Lock AMD Ryzen Threadripper Pro CPUs. This means that Lenovo is expanding its AMD PSB use beyond the server market. One could rightfully argue that the Threadripper Pro is basically a Rome-based EPYC in a workstation guise. Still, it was the first expansion we saw beyond the server line.
Now we have confirmation that it goes beyond the EPYC-based CPUs, and it seems like Lenovo is enabling this feature on its Ryzen (Pro) lines as well. We did our Lenovo ThinkCentre M75q Gen2 Tiny Review and a question we have gotten is whether one can upgrade the CPUs. We generally advise against this practice as part of Project TinyMiniMicro, but we understand the reasoning.
The PSB locking behavior is now present on the M75q Tiny Gen2 as reported to STH on Twitter. Here is the screenshot warning when putting a new CPU into the Lenovo system from Dee on Twitter:
— Dee (@FedsAgainstGunS) December 22, 2021
There is also apparently an option to turn this behavior off with Lenovo:
Forgot to add, that on the consumer platform it gives you the option to turn this off for future CPUs, but the OEM CPU is definitely vendor locked, swapped the 4750GE out for a 4650G to get this message, but 4750GE would not post in 4650G motherboard pic.twitter.com/8JhnyXoJ5j
— Dee (@FedsAgainstGunS) December 22, 2021
There are a few things to be clear about here:
- Vendor locking CPUs using AMD PSB is an optional feature. Many vendors do not lock CPUs.
- Lenovo seems to have committed to using the vendor locking feature across its line, including not just servers and high-end Threadripper Pro workstations like the Lenovo ThinkStation P620, but also the ThinkCentre M75q Tiny Gen2.
- A vendor-locked CPU can be installed in another system from the same vendor, but not swapped to a motherboard from a different vendor.
- We advise our readers to disclose when they are selling a vendor-locked CPU so the next user does not run into issues trying to use the vendor-locked CPU in another type of system.
- We also advise our readers to be careful when attempting to upgrade a Lenovo AMD platform because of the AMD PSB use and the potential to generate e-waste from the exercise.
- Some online have said that the lock is between a specific motherboard and CPU. That clearly has challenges when a motherboard needs to be replaced, especially in the server market when a motherboard may cost $600 and the two CPUs may cost $10,000. As a result, AMD PSB locks to a vendor’s firmware signature key, not to a specific motherboard.
That is a lot to cover, but it is important that our readers get through all of those points.
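The vendor-key lock described in the points above, as a simplified model added here (not AMD's or Lenovo's code): the firmware signature check is reduced to comparing a SHA-256 digest of the vendor's signing key against the fused value. All class names, keys, and result strings are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def key_hash(pubkey: bytes) -> bytes:
    # Model assumption: the fuses hold a SHA-256 digest of the vendor's signing key.
    return hashlib.sha256(pubkey).digest()

@dataclass
class Cpu:
    model: str
    fused_hash: Optional[bytes] = None  # None means the fuses are still blank

    def blow_fuses(self, digest: bytes) -> None:
        # Fuses are one-time programmable: a written value can never be changed.
        if self.fused_hash is not None:
            raise RuntimeError("fuses already programmed")
        self.fused_hash = digest

@dataclass
class Board:
    name: str
    signing_key: bytes        # public key the vendor signs its firmware with
    psb_enabled: bool = True  # PSB locking is optional per vendor

def boot(cpu: Cpu, board: Board, allow_fusing: bool = True) -> str:
    board_hash = key_hash(board.signing_key)
    if cpu.fused_hash is None:
        if board.psb_enabled and allow_fusing:
            cpu.blow_fuses(board_hash)  # first boot locks the CPU to the vendor
            return "boots, now vendor-locked"
        return "boots, still unlocked"
    # Fused CPU: only firmware signed with the fused vendor key is accepted.
    return "boots" if cpu.fused_hash == board_hash else "no POST"

if __name__ == "__main__":
    # Constructed sample keys and boards, not real vendor data.
    lenovo_1 = Board("Lenovo board #1", b"constructed-lenovo-key")
    lenovo_2 = Board("Lenovo replacement board", b"constructed-lenovo-key")
    retail = Board("retail board", b"constructed-retail-key", psb_enabled=False)
    oem_cpu, new_cpu = Cpu("OEM CPU"), Cpu("upgrade CPU")
    for cpu, board, fuse in [(oem_cpu, lenovo_1, True), (oem_cpu, lenovo_2, True),
                             (oem_cpu, retail, True), (new_cpu, lenovo_1, False),
                             (new_cpu, retail, True)]:
        print(f"{cpu.model} in {board.name}: {boot(cpu, board, fuse)}")
```

The replacement board boots the locked CPU because it carries the same vendor key, while the retail board does not; passing `allow_fusing=False` models the option to turn locking off for a newly installed CPU.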
A quick thanks to Dee for posting this information on Twitter and being active in our TinyMiniMicro series. It is important that our readers know that Lenovo has chosen to implement this vendor-locking feature across its AMD range. We urge our readers, especially those looking at these machines as part of the Project TinyMiniMicro series, to share this with others so we can spread the word that Lenovo’s AMD systems are vendor-locking CPUs to platforms.
We have a Ryzen 5000 series M75q Tiny Gen2 inbound and will cover this when that arrives.