We just upgraded gcc67/68 to the latest BIOS/AGESA, added some settings to the BIOS and kernel (see below) and restored ssh access to all accounts.

Please test to see if the Ryzen machines are at last stable under cfarm usage patterns.

Note: we had to blacklist the ccp kernel module on gcc68, so no kvm there. We'll restore it when a new kernel is available with the proper fix for the gcc68 processor.

PS: here are the instructions we followed:
https://utcc.utoronto.ca/~cks/space/blog/linux/RyzenApparentlyStable
For a long time these magic kernel command line parameters and similar tricks were the only workarounds available, at least to me. However there had long been rumors of a magic AMD provided magic firmware option that could work around the problem, generally exposed to you and me in a BIOS setting called 'Power Supply Idle Control', which you allegedly wanted to set to 'Typical current idle'. This apparently became available starting with AGESA 1.0.0.2a, which various motherboard vendors rolled into their overall BIOS at very different times. For bonus fun, apparently not all BIOS vendors even expose these AMD firmware settings, although enthusiast motherboards usually do.

https://utcc.utoronto.ca/~cks/space/blog/linux/KernelRcuNocbsMeaning

rcu_nocbs=0-N processor.max_cstate=1

(where N is the number of CPUs you have minus one.)
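
An added example, not part of the original announcement or the linked blog posts: a small shell check that builds the expected parameters for a given CPU count and compares them against a kernel command line. The function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Build the workaround parameters for a machine with $1 logical CPUs
# (N in rcu_nocbs=0-N is the CPU count minus one).
ryzen_params() {
    ncpu=$1
    printf 'rcu_nocbs=0-%d processor.max_cstate=1\n' "$((ncpu - 1))"
}

# Compare a kernel command line ($1) with the expected parameters for
# $2 logical CPUs. Prints one line per missing or mismatched parameter
# and returns non-zero if any parameter is not set as expected.
check_cmdline() {
    cmdline=$1
    ncpu=$2
    rc=0
    for want in $(ryzen_params "$ncpu"); do
        key=${want%%=*}
        found=
        # Later occurrences win, as they do for most kernel parameters.
        for tok in $cmdline; do
            case $tok in
                "$key"=*) found=$tok ;;
            esac
        done
        if [ -z "$found" ]; then
            echo "missing: $want"
            rc=1
        elif [ "$found" != "$want" ]; then
            echo "mismatch: have $found, want $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample command lines for a 16-CPU machine (not from gcc67/68).
SAMPLE_OK='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro rcu_nocbs=0-15 processor.max_cstate=1'
SAMPLE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro rcu_nocbs=0-7'

# On a live system: check_cmdline "$(cat /proc/cmdline)" "$(nproc)"
```
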