{"id":58344,"date":"2020-09-08T18:00:42","date_gmt":"2020-09-08T16:00:42","guid":{"rendered":"https:\/\/www.planet3dnow.de\/cms\/?p=58344"},"modified":"2020-09-13T18:58:51","modified_gmt":"2020-09-13T16:58:51","slug":"amd-epycs-haben-mainboard-lock-wenn-die-hersteller-es-wollen","status":"publish","type":"post","link":"https:\/\/www.planet3dnow.de\/cms\/58344-amd-epycs-haben-mainboard-lock-wenn-die-hersteller-es-wollen\/","title":{"rendered":"AMD<\/span> EPYCs haben Mainboard-Lock wenn die Hersteller es wollen"},"content":{"rendered":"

Wie Ser\u00adve\u00adThe\u00adHome<\/a> und auch eini\u00adge fest\u00adstel\u00adlen muss\u00adten, gibt es ein bis\u00adher nicht bedach\u00adtes \u201cFea\u00adture\u201d bei den AMD<\/span> EPYC<\/span> CPUs der 7001er und 7002er Serie:<\/p>\n

Die Main\u00adboard-Her\u00adstel\u00adler k\u00f6n\u00adnen die CPUs auf ihren Boards sper\u00adren. Es soll der Sicher\u00adheit des Sys\u00adtems dienen.<\/p>\n

Wor\u00adum es geht:<\/span>
\nMan steckt einen fabrik-neu\u00aden EPYC<\/span> in ein DELL<\/span> Board und star\u00adtet das Sys\u00adtem. Beim ers\u00adten Start brennt sich eine Ein\u00admal-Siche\u00adrung in die CPU<\/span> und danach star\u00adtet die CPU<\/span> nur noch in DELL<\/span> Boards mit ent\u00adspre\u00adchend signier\u00adtem BIOS<\/span>. Steckt man danach jedoch die CPU<\/span> zB in ein ASUS<\/span> oder ASRock Board star\u00adtet die CPU<\/span> nicht, die CPU<\/span> stellt sich tot, bis die\u00adse wie\u00adder in ein DELL<\/span> Board kommt. Auch Hew\u00adlett-Packard Enter\u00adpri\u00adse soll dies haben.<\/del><\/p>\n

 <\/p>\n

The AMD<\/span> Plat\u00adform Secu\u00adre Boot Fea\u00adture (PSB<\/span>) is a miti\u00adga\u00adti\u00adon for firm\u00adware Advan\u00adced Per\u00adsis\u00adtent Thre\u00adats. It is a defen\u00adse-in-depth fea\u00adture. PSB<\/span> extends AMD<\/span>\u2019s sili\u00adcon root of trust to pro\u00adtect the OEM<\/span>\u2019s BIOS<\/span>.  This allows the OEM<\/span> to estab\u00adlish an unbro\u00adken chain of trust from AMD<\/span>\u2019s sili\u00adcon root of trust to the OEM<\/span>\u2019s BIOS<\/span> using PSB<\/span>, and then from the OEM<\/span>\u2019s BIOS<\/span> to the OS<\/span> Boot\u00adloa\u00adder using UEFI<\/span> secu\u00adre boot. This pro\u00advi\u00addes a very powerful defen\u00adse against remo\u00adte atta\u00adckers see\u00adking to embed mal\u00adwa\u00adre into a platform\u2019s firmware.<\/em><\/p>\n

An OEM<\/span> who trusts only their own cryp\u00adto\u00adgra\u00adphi\u00adcal\u00adly signed BIOS<\/span> code to run on their plat\u00adforms will use a PSB<\/span> enab\u00adled mother\u00adboard and set one-time-pro\u00adgramma\u00adble fuses in the pro\u00adces\u00adsor to bind the pro\u00adces\u00adsor to the OEM<\/span>\u2019s firm\u00adware code sig\u00adning key. AMD<\/span> pro\u00adces\u00adsors are ship\u00adped unlo\u00adcked from the fac\u00adto\u00adry, and can initi\u00adal\u00adly be used with any OEM<\/span>\u2019s mother\u00adboard. But once they are used with a mother\u00adboard with PSB<\/span> enab\u00adled, the secu\u00adri\u00adty fuses will be set, and from that point on, that pro\u00adces\u00adsor can only be used with mother\u00adboards that use the same code sig\u00adning key. (Source<\/strong>: AMD<\/span> state\u00adment to STH<\/span>)<\/em><\/p><\/blockquote>\n

 <\/p>\n

Pro\u00adblem daraus:<\/span>
\nSolan\u00adge man die CPUs inner\u00adhalb einer Fir\u00adma wan\u00addern l\u00e4sst (zB inner\u00adhalb DELL-Sys\u00adte\u00adme oder HPE-Sys\u00adte\u00adme) funk\u00adtio\u00adniert es. Will man aber eine CPU<\/span> aus einem sol\u00adchen Sys\u00adtem zie\u00adhen und die\u00adse in ande\u00adre Sys\u00adte\u00adme ste\u00adcken (oder wei\u00adter\u00adver\u00adkau\u00adfen) star\u00adten die CPUs nicht mehr.<\/p>\n

F\u00fcr die Sicher\u00adheit des gesam\u00adten Sys\u00adtems ist dies gut \u2014 f\u00fcr den Zweit\u00admarkt und die Umwelt ist dies nicht gut!<\/p>\n

Update 1:<\/strong>
\nDie EYPC<\/span> stel\u00adlen sich nicht tot son\u00addern star\u00adten an und h\u00e4n\u00adgen mit dem POST-Code 78
\nIm STH<\/span> Forum gibt es ein Thread hier\u00adzu<\/a><\/p>\n

DELL<\/span> schreibt hier\u00adzu in der ver\u00adlink\u00adten PDF<\/span>:<\/p>\n

The first gene\u00adra\u00adti\u00adon of the AMD<\/span> EPYC<\/span> pro\u00adces\u00adsors have the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor \u2013 an inde\u00adpen\u00addent pro\u00adces\u00adsor core inte\u00adgra\u00adted in the CPU<\/span> packa\u00adge along\u00adside the main CPU<\/span> cores. On sys\u00adtem power-on or reset, the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor exe\u00adcu\u00adtes its firm\u00adware while the main CPU<\/span> cores are held in reset. One of the AMD<\/span> Secu\u00adre Processor\u2019s tasks is to pro\u00advi\u00adde a secu\u00adre hard\u00adware root-of-trust by authen\u00adti\u00adca\u00adting the initi\u00adal PowerEdge BIOS<\/span> firm\u00adware. If the initi\u00adal PowerEdge BIOS<\/span> is cor\u00adrupt\u00aded or com\u00adpro\u00admi\u00adsed, the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor will halt the sys\u00adtem and pre\u00advent OS<\/span> boot. If no cor\u00adrup\u00adti\u00adon, the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor starts the main CPU<\/span> cores, and initi\u00adal BIOS<\/span> exe\u00adcu\u00adti\u00adon begins.
\nThe very first time a CPU<\/span> is powered on (typi\u00adcal\u00adly in the Dell EMC<\/span> fac\u00adto\u00adry) the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor per\u00adma\u00adnent\u00adly stores a uni\u00adque Dell EMC<\/span> ID<\/span> insi\u00adde the CPU<\/span>. This is also the case when a new off-the-shelf CPU<\/span> is instal\u00adled in a Dell EMC<\/span> ser\u00adver. The uni\u00adque Dell EMC<\/span> ID<\/span> insi\u00adde the CPU<\/span> binds the CPU<\/span> to the Dell EMC<\/span> ser\u00adver. Con\u00adse\u00adquent\u00adly, the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor may not allow a PowerEdge ser\u00adver to boot if a CPU<\/span> is trans\u00adfer\u00adred from a non-Dell EMC<\/span> ser\u00adver (and CPU<\/span> trans\u00adfer\u00adred from a Dell EMC<\/span> ser\u00adver to a non-Dell EMC<\/span> ser\u00adver may not boot). AMD<\/span> EPYC<\/span> Gene\u00adra\u00adti\u00adon 2 pro\u00adces\u00adsors also offer the AMD<\/span> Secu\u00adre Pro\u00adces\u00adsor \u2014 for cryp\u00adto\u00adgra\u00adphic func\u00adtion\u00ada\u00adli\u00adty for secu\u00adre key gene\u00adra\u00adti\u00adon and key manage\u00adment. This pro\u00advi\u00addes full stack encryp\u00adti\u00adon wit\u00adhout any over\u00adhead for the pro\u00adces\u00adsor. In addi\u00adti\u00adon, for hard\u00adware-acce\u00adle\u00adra\u00adted memo\u00adry encryp\u00adti\u00adon for data-in-use pro\u00adtec\u00adtion, the secu\u00adri\u00adty com\u00adpon\u00adents in Rome pro\u00adces\u00adsors include the AES-128<\/span> encryp\u00adti\u00adon engi\u00adne, which is embedded in the memo\u00adry con\u00adtrol\u00adler and auto\u00adma\u00adti\u00adcal\u00adly encrypts and decrypts data in main memo\u00adry with an appro\u00adpria\u00adte key.<\/p><\/blockquote>\n

Update 2:<\/strong>
\nHew\u00adlett Packard Enter\u00adpri\u00adse ist doch nicht betrof\u00adfen \u2014 HPE<\/span> l\u00f6st dies anders als DELL<\/span> \u00fcber ihre eige\u00adnen BMC<\/span> Chips statt \u00fcber die PSP<\/span> in den EPYC<\/span> und brennt sich daher nicht in die EPYC<\/span> rein wie DELL<\/span>.<\/p>\n

HPE<\/span> cla\u00adri\u00adfied that they are doing this in a dif\u00adfe\u00adrent man\u00adner than Dell after initi\u00adal\u00adly con\u00adfir\u00adming that they were using the AMD<\/span> PSB<\/span> fea\u00adture. After this went live, HPE<\/span> sent us the following:<\/p>\n

HPE<\/span> does not use the same secu\u00adri\u00adty tech\u00adni\u00adque that Dell is using for a BIOS<\/span> hard\u00adware root of trust. HPE<\/span> does not burn, fuse, or per\u00adma\u00adnent\u00adly store our public key into AMD<\/span> pro\u00adces\u00adsors which ship with our pro\u00adducts. HPE<\/span> uses a uni\u00adque approach to authen\u00adti\u00adca\u00adte our BIOS<\/span> and BMC<\/span> firm\u00adware: HPE<\/span> fuses our hard\u00adware \u2013 or sili\u00adcon \u2013 root of trust into our own BMC<\/span> sili\u00adcon to ensu\u00adre only authen\u00adti\u00adca\u00adted firm\u00adware is exe\u00adcu\u00adted. Thus, while we imple\u00adment a hard\u00adware root of trust for our BIOS<\/span> and BMC<\/span> firm\u00adware, the pro\u00adces\u00adsors that ship with our ser\u00advers are not locked to our plat\u00adforms. (Source: HPE<\/span>)<\/p><\/blockquote>\n

Quel\u00adle \/ Links:<\/span><\/strong>
\nSTH<\/span> Arti\u00adkel dazu (engl.)<\/a>
\nSTH<\/span> Video dazu (engl.)<\/a>
\nDELL<\/span> Info PDF<\/span> hier\u00adzu (engl.)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Wie Ser\u00adve\u00adThe\u00adHome und auch eini\u00adge fest\u00adstel\u00adlen muss\u00adten, gibt es ein bis\u00adher nicht bedach\u00adtes \u201cFea\u00adture\u201d bei den AMD<\/span> EPYC<\/span> CPUs der 7001er und 7002er Serie:<\/p>\n

Die Main\u00adboard-Her\u00adstel\u00adler k\u00f6n\u00adnen die CPUs auf ihren Boards sper\u00adren. Es soll der Sicher\u00adheit des Sys\u00adtems die\u00adnen. (\u2026) Wei\u00adter\u00adle\u00adsen \u00bb<\/a><\/p>\n","protected":false},"author":251,"featured_media":31928,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"ngg_post_thumbnail":0,"footnotes":""},"categories":[11],"tags":[966,1012,1307,2403,2404],"class_list":["post-58344","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-amd","tag-dell","tag-epyc","tag-lock","tag-sth","entry"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/posts\/58344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/users\/251"}],"replies":[{"embeddable":true,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/comments?post=58344"}],"version-history":[{"count":9,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/posts\/58344\/revisions"}],"predecessor-version":[{"id":58425,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/posts\/58344\/revisions\/58425"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/media\/31928"}],"wp:attachment":[{"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/media?parent=58344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/categories?post=58344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.planet3dnow.de\/cms\/wp-json\/wp\/v2\/tags?post=58344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}