
It's probably both of their fault. Lenovo wouldn't do it unless there was something in it for them. I wouldn't be surprised if they get a better deal from AMD on these CPUs for being locked to a specific board (killing off their ability to be used in the parts reseller market).


It makes sense for server security, as discussed by the same source as the OP: https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-...


That link doesn't explain how it improves security, as all mainboards of the vendor have the same key. All it does is prevent somebody from sneakily replacing the mainboard with a different brand! It would make more sense if the board was bound to the specific CPU (assuming the CPU is the root of trust). But then you could just encase it in some kind of thermal epoxy...

It's obvious that this is supposed to limit the second hand server parts market.


If you read the two pages and concluded that neither AMD with their statement on Page 1 nor servethehome on Page 1 and Page 2 provided any information about how PSB works, I can't help you.


Or that commenter read and understood the description of how it works, and failed to see how it increases security in a meaningful way. I also struggle to think of a threat model that this protects against.


If something is not on your level of expertise, you can always look for people who have the required level. It's just one search away.

https://blog.cloudflare.com/anchoring-trust-a-hardware-secur...


I'm a security researcher. PSB as described there is orthogonal to the specific policy of tying the board to a specific CPU key, as you can tell from per-CPU keys not being in the hardware root of trust as described by Cloudflare. In fact, you can swap the CPUs across boards from different ODMs in your most recent citation, since the root is an AMD key that then verifies the off-chip ODM cert in flash.

I stand by my original statements.


If you really think PSB doesn't provide any security benefit or "improves security in a meaningful way" you should do more security research.


I was pretty sure that I made it clear that the concept under discussion was using a hardware root of trust scheme like PSB to tie a specific CPU to a particular vendor's boards.

As an aside I'm putting a lot of effort into staying civil; I'd appreciate seeing that effort be a bit more reciprocal.


PSB is there to protect you from a compromised motherboard; it protects you from malware in your UEFI firmware. It's not even a vendor lock-in, it's a signing-key lock-in that is used in that manner by AWS, GCloud and Azure. Compromised UEFI firmware is a constant point of failure in pentesting of the secure chain of trust. That you, as a security researcher, are dismissing that fact is honestly just unbelievable.


> It's not even a vendor lock in it's signing key lock in that is used in that manner by AWS, Gcloud and Azure.

Which is not the mechanism under discussion.


No, my comment said that some believe PSB is only there to destroy the second-hand market; I wrote that this is a false statement and that PSB actually provides higher security for servers, and you persisted that it doesn't.


You started off saying

> The feature was implemented in 2017 the only vendors that are using it are lenovo and dell. With lenovo being the only one using it on lower tier cpus than epyc.

All of the ODMs use PSB in some way (the PSP won't start without it); it's only Lenovo and Dell that use PSB to tie CPUs to certain boards.



