It is much more profitable for computer manufacturers to sell an entire computer than to update it with parts from different brands, this is an undeniable fact and that is why most pre-built computers come with limitations. artificial so that you are tied to a specific brand.
If we add to this that AMD has for many years been the ugly duckling of the various computer manufacturers and has had to fight very hard for certain major brands to use their CPUs and those of Intel. It is therefore clear that they had to make an assignment in order to benefit the interests of their partners. One of the most controversial is the Platform Secure Boot or PSBwhich has served manufacturers such as Dell or Lenovo to bind the Ryzen, Threadripper and EPYC processors of the company led by Lisa Su to their hardware exclusively.
What is the connection between manufacturers’ interest in tying you to their platform and AMD’s boot protection system? Well, let us explain it to you.
What is the AMD PSB?
In BIOS, UEFI is stored in the motherboard’s flash memory, which, since it is non-volatile RAM, is addressed as if it were part of main memory. There are times when even with all the protective measures, malware can still inject code into the firmware and perform an unauthorized update. Remember that the boot process establishes the location of certain public and private keys, used only by the security processor.
This means that if we do not use a TPM module in our PC with an AMD processor, then our confidential information, such as that related to the validation certificates that we use to interact with our bank, is stored via fTPM which is in the boot firmware, so additional security measures must be added to protect it.
AMD Secure Boot Platform or PSB is one of the security measures built into the security processor of AMD processors. Its usefulness is none other than to prevent the execution of firmware related to the boot process that has been modified for malicious purposes. To do this, it creates a chain of trust responsible for authenticating all the firmware that the processor accesses when we start the computer, including the BIOS and the start of the operating system.
How it works?
The PSB adds a higher level of security than the UEFI BIOS itself can provide, as it validates the contents of memory which contains everything in the boot program. It does this through a chain of trust executed only through hardware and without any external programs before the whole boot process is executed.
- It performs the commit of the first BIOS/UEFI block, in doing so it sends a signal to the CPU’s HOLD pin so that it does not boot while it performs the check.
- It is responsible for checking the contents of the system ROM, this memory contains a backup copy of the basic BIOS functions and contains the entire boot process immutably. Note that new BIOS feature updates are not related to system startup.
- The security chip performs the comparison between the contents of the ROM and the firmware stored by the UEFI to verify any unauthorized modification. After that, it releases the CPU so that the PC can be booted without problems.
AMD Security Chip or Platform Security Chip is a small microcontroller with the highest privilege level for access to RAM and system peripherals. It is rated on an ARM Cortex-A5 and due to its low power consumption, it can work with the computer in standby or sleep mode. It will therefore be the first processor to be put to the test when we turn on our PC or take it out of one of the low consumption modes.
How are OEMs abusing AMD’s PSB?
In recent times, we see not only how there are moves towards integration, but also that in the midst of this process, one of the bases that has defined the PC since its inception is under attack: the expandability and configuration by the user. Most manufacturers have come to the dangerous conclusion that the fact that we can expand the capabilities of our PC affects the purchase of future products. Thus, the polemic of the right to repair appeared vis-a-vis the practices of the various assemblers and manufacturers of material.
Logically, one would expect this to only affect the consumer market. It is therefore the servers and data centers used by both the various public bodies and large companies that, in theory, should not be affected. However, AMD decided to create a program called PSB so that manufacturers and assemblers could sell their servers whole and not parts. The reason behind this? There is a second-hand market where EPYC processors already stripped from their servers are used for used servers and data centers.
In other words, when a company gets rid of its old server or data center, it does not throw it away, but sells its parts to recover part of the investment. This creates additional competition for server manufacturers. Since they may find it more attractive to their customers to build a server themselves and maintain it themselves, this abuses one of AMD’s EPYC security features to lock customers into a particular brand.
How do they lock?
In order to make an AMD EPYC server processor work only with a specific model of motherboard and the used server market, manufacturers abuse the boot certification process provided by the PSB to tie processors to their specific servers, which which means that we cannot pair certain processors except with certain server boards.
To understand the whole process, we must start from the fact that when the manufacturer has finished creating the PC, whatever it is, a process is carried out in which the boot image stored in the ROM is created and which will include two associated keys, both with a size of 4096 bits and SHA-384 encoding. The former will be stored in the System ROM and will be reflected in the Boot Firmware. The second, on the other hand, will do so within the HSM, a hardware responsible for generating cryptographically encrypted keys and also decoding them.
Both keys are part of the public key infrastructure and are used to sign the contents of a certificate which is in the motherboard boot ROM and which includes the processor identification code and the rest of the elements materials. If any of these items are missing from the system, the PSB will simply not allow the system to boot.
Table of Contents