WEBVTT

00:00:00.240 --> 00:00:08.240
Oh geez, is it okay? Crap, I bent a lot of pins.

00:00:06.080 --> 00:00:13.759
Linus, that's really bad. I can fix it.

00:00:12.240 --> 00:00:19.119
If everything goes according to plan today, I'm gonna install this brand new

00:00:15.920 --> 00:00:22.640
Ryzen 5600G CPU in that Lenovo ThinkCentre

00:00:19.119 --> 00:00:24.960
M75s PC, destroying it permanently.

00:00:22.640 --> 00:00:30.640
And believe it or not, that's a feature, not a bug. You see, some AMD Ryzen CPUs

00:00:28.000 --> 00:00:37.120
contain a fuse that allows a motherboard manufacturer to lock the CPU to their

00:00:34.239 --> 00:00:41.520
own brand of motherboard. It's a security feature that first showed up in EPYC

00:00:39.360 --> 00:00:47.520
server chips, but Lenovo seems to have taken it upon themselves to enable it on

00:00:44.640 --> 00:00:51.440
the desktop. Okay, maybe "destroyed permanently" is a little unfair. The chip

00:00:49.680 --> 00:00:56.879
will still work as long as you put it in a Lenovo motherboard, but

00:00:53.840 --> 00:00:58.719
damn it, I'm mad. Or at least I will be if

00:00:56.879 --> 00:01:02.800
it behaves the way that I'm expecting. Obviously we don't want to break any

00:01:00.239 --> 00:01:06.560
more chips than we absolutely have to, so we haven't actually tried it yet, but

00:01:05.280 --> 00:01:11.119
we're about to. SmartDeploy gives you zero-touch, zero-

00:01:08.720 --> 00:01:15.680
headache PC management for IT. You can deploy Windows apps and drivers from the

00:01:13.280 --> 00:01:19.520
cloud with no VPN required. Get your free subscription worth over six hundred

00:01:17.200 --> 00:01:22.000
dollars at smartdeploy.com. Linus,

00:01:24.640 --> 00:01:29.840
why am I so good at fixing hardware? When you break a lot of hardware, you gotta

00:01:28.080 --> 00:01:32.560
fix a lot of hardware. Well, it's not hardware in general that I'm good at

00:01:31.119 --> 00:01:35.799
fixing, but I am pretty good at fixing dead pins.

00:01:52.640 --> 00:01:59.280
There is virtually no way of knowing if the Lenovo system that you just bought

00:01:56.640 --> 00:02:04.479
has a locked CPU inside it. There's no visual indication, no sticker, the website

00:02:02.240 --> 00:02:09.039
no mention of it whatsoever, and even the full nine-page spec sheet, nothing. And

00:02:06.960 --> 00:02:13.920
I'd bet that the vast majority of people that bought a system like this one would

00:02:10.879 --> 00:02:16.400
think that the Ryzen 5 5650G inside it

00:02:13.920 --> 00:02:21.280
would work like any other desktop CPU. Let's try that first. Maybe this is all a

00:02:18.480 --> 00:02:24.959
big misunderstanding and Lenovo didn't lock down this machine. I guess we should

00:02:23.360 --> 00:02:28.800
power it on first, make sure it actually works, right? Yeah, sure.

00:02:27.040 --> 00:02:33.680
There we go, everything booted up as normal. The DVD drive works, which is

00:02:31.840 --> 00:02:39.920
really good. Overall, what are we looking at here? We've got solid front I/O, uh,

00:02:36.560 --> 00:02:42.080
less solid rear I/O, Ryzen 5650G

00:02:39.920 --> 00:02:45.360
processor with a very unexceptional-looking blower cooler, although I do like

00:02:43.760 --> 00:02:50.280
that it exhausts all the heat directly out of the back of the system.

00:02:47.040 --> 00:02:53.360
M.2 boot drive,

00:02:50.280 --> 00:02:56.640
260-watt power supply. Wow, I don't even

00:02:53.360 --> 00:02:59.120
get a 260-watt power supply anymore. Oh

00:02:56.640 --> 00:03:03.200
lordy, is that single-channel memory? For shame, 16 gigs on a single stick. Well, I

00:03:01.840 --> 00:03:07.200
can definitely see why people would want to put the CPU in a different computer.

00:03:05.360 --> 00:03:11.440
So what's your bet, Alex? Doesn't work. You bet it doesn't work? It

00:03:09.120 --> 00:03:15.599
doesn't work. I don't know, there's so little concrete

00:03:13.840 --> 00:03:20.800
information out there about this. I kind of am hoping that it's just a

00:03:17.680 --> 00:03:23.519
storm-in-a-teacup situation. Holy crap,

00:03:20.800 --> 00:03:29.280
it's just in a boot loop. What's the code it's throwing? It ends up at C2 and then

00:03:25.840 --> 00:03:31.040
it reboots. It goes C2, 00, and then it

00:03:29.280 --> 00:03:35.599
reboots, and I know 00 means no processor. We've given this a solid five

00:03:33.440 --> 00:03:39.360
minutes at this point. It's clearly not going to fire up. I want to take a closer

00:03:37.200 --> 00:03:44.319
look at this CPU. Maybe it's, uh, maybe there's something else at play here. Okay,

00:03:41.440 --> 00:03:49.519
well, here's one thing: this is a Ryzen 5 Pro 5650G,

00:03:47.040 --> 00:03:53.680
and we do know that their Pro lineup is geared more towards the workstation

00:03:51.760 --> 00:03:57.680
market. I don't mean workstation in the sense that you're doing, like, 3D modeling

00:03:55.840 --> 00:04:03.439
or animation, certainly not on a machine like this, but workstation in that this is a

00:04:00.319 --> 00:04:06.000
professional machine. Maybe it's just Pro

00:04:03.439 --> 00:04:10.159
ones, or maybe that motherboard's not Pro-compatible. Or if you want, we can test a

00:04:08.159 --> 00:04:14.239
Pro CPU in that motherboard. We have another Pro? Yeah, we have another Pro. Oh,

00:04:12.159 --> 00:04:17.840
I can go grab it. Yeah, let's do that. So I have this 4750G, although we do have a

00:04:16.239 --> 00:04:23.759
problem that this is from a Lenovo system. So, oh, if it's locked, that would suck. I just

00:04:21.519 --> 00:04:27.680
fired this one up and Alex is about to fire this one up. If this turns on, then

00:04:26.000 --> 00:04:32.320
what we'll know for sure is that this motherboard works with Pro CPUs, and if

00:04:30.639 --> 00:04:36.800
it doesn't, then we won't really know anything. Either that CPU is also vendor-

00:04:34.800 --> 00:04:40.000
locked or this board doesn't support Pro CPUs.

00:04:38.000 --> 00:04:44.960
If this one turns on, then we will know for certain that the CPU itself still

00:04:42.240 --> 00:04:48.720
works but that Lenovo absolutely did lock it down to their motherboard. Ryzen

00:04:46.960 --> 00:04:52.160
Pro compatibility confirmed. There we go, it only took me

00:04:50.639 --> 00:04:56.479
two tries to time that. Do I have to break the 5600G?

00:04:54.720 --> 00:04:58.800
Well, we don't know if it'll break or not. We're pretty sure it's going to break,

00:04:57.840 --> 00:05:05.360
Alex, but we don't know. There it is:

00:05:02.479 --> 00:05:09.199
"PSB enable: enabled by default. If it is enabled, when a new CPU is installed, the

00:05:07.120 --> 00:05:14.080
system will notify the user during POST. This notice message can be cleared by

00:05:11.120 --> 00:05:17.840
pressing Y." So you clear it by pressing Y, but which, if I understand correctly, will

00:05:16.240 --> 00:05:23.840
also mean that you have just vendor-locked your CPU. That's not as simple as just

00:05:21.120 --> 00:05:27.199
clearing a notification. And confirmed, it is

00:05:24.880 --> 00:05:31.600
locked down so that the CPU will only work in a Lenovo system by default, which

00:05:29.759 --> 00:05:35.759
raises the question: why would anybody want that in the first

00:05:33.759 --> 00:05:40.320
place? I mean, I get why you'd want to lock down certain parts of your PC.

00:05:37.919 --> 00:05:44.960
Firmware, for example, could help prevent malicious code from being injected into

00:05:42.639 --> 00:05:49.039
it, or having an encrypted hard drive to make sure people can't steal your data. I

00:05:46.639 --> 00:05:52.639
mean, heck, even encrypted RAM, since you could hypothetically have someone freeze

00:05:50.880 --> 00:05:58.080
it with liquid nitrogen and then read the bits off of it. But how could vendor-

00:05:54.720 --> 00:06:00.720
locking a CPU increase security? Well, as

00:05:58.080 --> 00:06:06.160
it turns out, we aren't actually super concerned about the CPU. We're concerned

00:06:03.360 --> 00:06:11.680
about the UEFI BIOS, the firmware, and locking the CPU is a byproduct of

00:06:09.199 --> 00:06:17.520
locking down that. The culprit here, then, is AMD's Platform Secure Boot, or PSB, and

00:06:15.840 --> 00:06:22.479
we can see it's enabled right here. And it's legitimately a useful feature that

00:06:20.080 --> 00:06:26.479
some customers do want, because once an intruder has access to your BIOS, the

00:06:24.400 --> 00:06:31.520
rest of your security measures become largely meaningless. So to address this,

00:06:29.120 --> 00:06:35.759
AMD, and Intel for that matter, put a little ARM microcontroller in their CPU

00:06:33.840 --> 00:06:40.000
that is responsible for security. And to ensure that everything is secure, the

00:06:37.440 --> 00:06:45.600
BIOS or firmware needs to trust the CPU and the CPU needs to trust the BIOS. So

00:06:42.720 --> 00:06:49.840
when PSB is enabled, there's a little field-programmable fuse in the CPU that

00:06:48.160 --> 00:06:53.120
has some information from the BIOS written onto it, including a

00:06:51.280 --> 00:06:58.479
cryptographic code from the motherboard manufacturer. So let's disable PSP in the

00:06:55.759 --> 00:07:02.160
BIOS and put our off-the-shelf Ryzen 5 5600G in here. Oh wow, you did a great job

00:07:00.880 --> 00:07:06.880
of straightening those pins. It actually goes in pretty easily. Thank you. Like so

00:07:04.479 --> 00:07:12.639
many parts of this video, we are not 100% sure that our non-Pro Ryzen CPU will

00:07:10.000 --> 00:07:16.400
even have this feature at all, so we're going to head into the BIOS

00:07:14.639 --> 00:07:21.199
with it disabled, you don't want to accidentally lock it, and see what it

00:07:18.400 --> 00:07:21.199
says. Okay,

00:07:22.560 --> 00:07:28.639
PSP... okay, well, the feature's here. I want

00:07:25.680 --> 00:07:33.520
to enable it. I want to, I want to know. Oh, apparently it's on the regular chips.

00:07:31.840 --> 00:07:39.520
"A new CPU has been installed on your system. Press Yes button or Y to lock the

00:07:37.120 --> 00:07:44.240
CPU and execute the Platform Secure Boot process. Note: the locked CPU cannot be

00:07:42.240 --> 00:07:47.599
used on other models." Am I supposed to do it now? Is this the point in the

00:07:45.440 --> 00:07:51.520
adventure when I have to do it? Press Y. Oh god,

00:07:48.800 --> 00:07:56.240
goodnight sweet friends. To confirm the CPU does still work, lttstore.com. Holy

00:07:54.800 --> 00:08:01.919
crap, we launched the cute little plushies. But I am now expecting the CPU

00:07:58.960 --> 00:08:05.919
to not work on our other machine. I hate this. That light's just blinking and it's

00:08:04.240 --> 00:08:10.720
going through the exact same POST code cycle. Oh, I, like, really don't feel very

00:08:09.199 --> 00:08:15.680
good right now. That really sucks. So at this point you guys

00:08:14.000 --> 00:08:21.120
are probably thinking, surely there is some way to reverse this

00:08:17.599 --> 00:08:24.000
process, right? No, there is not. Once PSB

00:08:21.120 --> 00:08:28.879
is enabled, it cannot be undone. In fact, the whole point of AMD's PSP is to allow

00:08:26.800 --> 00:08:31.280
the CPU to verify that the BIOS can be trusted. So

00:08:30.160 --> 00:08:35.200
if a hacker was able to easily overwrite the

00:08:33.360 --> 00:08:39.039
cryptographic key, then you can sure as heck bet that that would be the first

00:08:36.640 --> 00:08:41.919
step of their hack, to just disable it, right? Speaking of hacking, we're

00:08:40.800 --> 00:08:45.839
currently working on a video where we hack a PS4 Pro. Get subscribed so you

00:08:43.839 --> 00:08:50.959
don't miss it. Now, to be clear, I have no problem at all with this

00:08:47.360 --> 00:08:52.880
feature existing or even OEMs having it

00:08:50.959 --> 00:08:57.279
on their systems. The problem is that in the case of this one, I wasn't given a

00:08:55.040 --> 00:08:59.839
choice, nor was I given clear messaging around it. There are

00:08:58.720 --> 00:09:04.399
so many better ways that Lenovo could have

00:09:02.160 --> 00:09:09.040
handled this. They could have shipped the system with the feature enabled but not

00:09:06.720 --> 00:09:12.720
yet locked, and maybe had a better-worded warning about it. They could have had PSB

00:09:11.040 --> 00:09:16.880
as an option in their online configurator. I mean, heck, even just

00:09:15.040 --> 00:09:20.640
clearly stating it on the web page would be a great start, so people know what the

00:09:19.360 --> 00:09:26.640
trade-off is. So the blame rests pretty much entirely

00:09:23.680 --> 00:09:30.880
on Lenovo here, because on servers, for example, PSB is something that customers

00:09:28.720 --> 00:09:35.519
actually want and, almost more importantly, understand. Having a server

00:09:33.519 --> 00:09:39.200
shipped to you with PSP enabled from the factory is

00:09:37.040 --> 00:09:43.200
valid, because it allows the CPU to verify once it arrives that the BIOS or

00:09:41.680 --> 00:09:47.360
the firmware has not been tampered with in shipping. HP, Dell, and probably a bunch

00:09:45.839 --> 00:09:50.959
of other companies have been doing this for years, and we didn't make a video

00:09:49.120 --> 00:09:55.200
about it. Intel also has a similar feature in some Xeons, but again, that

00:09:53.040 --> 00:09:59.519
kind of hardware is much less likely to end up in the hands of the average

00:09:56.320 --> 00:10:02.240
consumer. By contrast, when this desktop

00:09:59.519 --> 00:10:06.320
ends up at a recycler or in an office supplies auction, do you think the person

00:10:04.320 --> 00:10:10.399
that buys this will know that that CPU cannot be used in other motherboards?

00:10:08.240 --> 00:10:14.480
Probably not, and it's going to be a huge pain in the butt when these CPUs end up

00:10:12.399 --> 00:10:19.680
on the second-hand market. Even worse is the fact that nothing prevents Lenovo

00:10:17.279 --> 00:10:24.160
from using this feature to actually lock the CPU to a particular model. To our

00:10:22.240 --> 00:10:28.720
knowledge, that hasn't been done yet. It's only a vendor-level lock for now, but is

00:10:26.959 --> 00:10:33.040
there any reason Lenovo couldn't have a whole host of different encryption keys

00:10:31.120 --> 00:10:36.800
for all their different models? Now, Patrick from ServeTheHome came up

00:10:34.959 --> 00:10:43.040
with what he thinks is a solution to this problem: AMD CPUs could come with

00:10:39.360 --> 00:10:45.200
two fuses, one that enables PSB and then

00:10:43.040 --> 00:10:49.760
another that permanently disables it once that CPU is put out to pasture. This

00:10:47.680 --> 00:10:53.920
would allow it to be disabled, hopefully without compromising CPUs that are

00:10:51.760 --> 00:10:58.480
currently using the feature. But as much as that sounds good on paper, it

00:10:56.720 --> 00:11:02.000
would probably require a hardware change, so we are unlikely to see a solution

00:11:00.079 --> 00:11:06.079
like that in the short to mid-term. Probably the biggest issue with this

00:11:03.760 --> 00:11:10.640
whole cluster, though, is that, like Intel's notorious Management Engine,

00:11:08.079 --> 00:11:15.760
PSB's value as a security measure is unproven at best. It assumes a couple of

00:11:13.920 --> 00:11:20.640
things: number one, that the vendor's cryptographic signature or signatures

00:11:18.000 --> 00:11:24.560
will never be leaked, and number two, it assumes that it's actually secure. But

00:11:22.880 --> 00:11:29.360
it's closed source, meaning that there's no way for independent security experts

00:11:26.640 --> 00:11:34.800
to audit it. So it could very well be that we're just creating more e-waste

00:11:31.200 --> 00:11:36.320
for no good reason. Sorry, Mother Earth, I

00:11:34.800 --> 00:11:40.399
guess this is just one more that you're gonna have to take for the team. Graphus

00:11:38.399 --> 00:11:43.839
is an automated phishing defense solution that protects every inbox in your

00:11:41.920 --> 00:11:46.640
organization from outside threats. Adding Graphus to your security stack allows

00:11:45.279 --> 00:11:50.320
you to defend your employees from cyber attacks including phishing, email

00:11:48.480 --> 00:11:53.920
compromise, account takeover, identity spoofing, malware, and ransomware. They use

00:11:52.399 --> 00:11:57.200
a patented machine-learning technology that monitors communication patterns

00:11:55.440 --> 00:12:00.800
between people, devices, and networks to reveal untrustworthy emails, and they

00:11:59.200 --> 00:12:04.320
analyze messages in real time, integrating at the API level to detect

00:12:02.720 --> 00:12:08.240
social engineering attacks. And activation only takes a few minutes, so

00:12:06.320 --> 00:12:12.880
don't wait. You can get 30% off the list price and 30% off onboarding with Graphus

00:12:10.800 --> 00:12:16.720
at the link down below. If you guys enjoyed this video, why don't we throw it

00:12:14.320 --> 00:12:20.240
at the TempleOS video. It's a good video, and Anthony did a good job of writing it.
