Recently, reports spread that AMD had disabled TSME, one of the Ryzen CPU security features without warning. It’s a bit more complicated than that, however, as this was not a regular default feature, but rather a Pro SKUs technology that was only present on standard Ryzen CPUs unofficially if not accidentally. The media attention seems to have resulted in access to TSME technology being restored for the non-Pro Ryzen processors, though.
What Is TSME and Why Was It Controversial?
TSME stands for Transparent Secure Memory Encryption, a technology in which the processor writes data to physical RAM in encrypted form and automatically decrypts it when reading it back, allowing running applications to be completely unaware of the process. The technology first appeared in the first generation of Epyc processors (7001 “Naples” with Zen 1 cores) in 2017, also under the name SME (Secure Memory Encryption). In 2018, it was also introduced in the Ryzen Pro 2000 processor series intended for desktop systems and notebooks used by large organizations and enterprises. It was one of the additional features that distinguished the Pro series SKUs, alongside remote management and similar technologies. In newer generations, it has also been marketed as Memory Guard, once again as a feature advertised only for Ryzen Pro processors.
Recent reports have revealed, however, that you could toggle this technology on even when using non-Pro Ryzen processors because BIOS (UEFI) setup options on some motherboards exposed the setting. The mere presence of the option in the BIOS does not necessarily mean anything, but it appears that some users actually tested whether it worked and concluded that it did. It is possible, however, that motherboard BIOSes exposed the option on standard processors unintentionally or due to an oversight.

One of the users who had enabled TSME (on a Ryzen 7 9700X, a regular non-Pro SKU) recently discovered that after updating the BIOS, the feature was no longer active. This appears to be a change introduced with AGESA 1.2.7.0. AMD’s response to the bug report submitted by this user was that TSME is a technology supported only on Ryzen Pro processors. As far as we know, this is correct, as AMD classifies it among its “Pro Technologies.”
Since its introduction, TSME has officially been limited to Epyc and Ryzen Pro processor families and (unless we have missed something) has never been advertised as being available on standard desktop or notebook Ryzen processors. Therefore, it is not entirely scandalous that AMD retroactively disabled it on these processors and left it turned off. Whether this is truly grounds for complaints is highly debatable.
Although the update removed a feature that had previously been working on these CPUs, it was something that had never been advertised as functional for the product (and in fact may not even have been fully functional, since this component might never have been validated during processor testing). Nevertheless, several highly critical media articles ignored this context, and social media reactions were similarly scathing.
Removal Did Not Actually Reduce User Security
It was also not entirely fair for some articles to claim that AMD had “removed a critical security technology from Ryzen” or that it had left unsuspecting users vulnerable. This technology is certainly not something that is commonly used. Its primary role is in cloud servers hosting virtual machines for multiple users. By assigning each VM its own encryption key (known as SEV, Secure Encrypted Virtualization), you can ensure that vulnerabilities allowing a virtual machine user to read physical memory cannot be exploited to access data outside that VM’s assigned memory range, including data belonging to other users’ virtual machines or memory data of the service provider.

On a personal computer, the benefits are rather questionable. Here, TSME mainly serves as protection against reading data from a memory module by cryogenically freezing it immediately after shutting down the computer and quickly transferring it to another system (so-called cold boot attacks). That is an extremely theoretical threat requiring physical control of the computer in the first place. If you believe you need protection against such attacks, you should probably approach your security investments very differently than by buying hardware on which this feature is not officially supported and therefore offers no guarantee of working correctly.
TSME Will Ultimately Be Available on Standard Processors After All (Unofficially)
In the end, however, AMD apparently concluded that the negative publicity was not worth it and announced that, in response to user feedback, it would revert the TSME change introduced in AGESA 1.2.7.0 in one of the upcoming scheduled updates. Looking ahead, new versions incorporating this change should become available in July. The updated AGESA code will be distributed as part of motherboard BIOS updates, so the release schedule will depend on individual motherboard manufacturers and will likely vary from one board to another.
However, it should still remain an unofficial capability that is not guaranteed or covered by vendor support in any way, and TSME remains something AMD does not promise to users of standard Ryzen processors. This differs from ECC support, for example, which AMD explicitly states is “supported if supported by the motherboard” for non-Pro Ryzen 7000 and 9000 AM5 desktop processors.
It is not entirely clear which processors were affected by the unofficial availability of TSME (it was apparently not something many people actually used), but according to some sources, in addition to the current Ryzen 9000 desktop processors, it may also have been available as far back as on Ryzen 3000 processors with Zen 2 cores, and perhaps the intervening generations as well. Following AMD’s policy reversal, the technology will apparently continue to be available on those processors in the same unofficial capacity (or at least remain user-enableable, albeit without any guarantee). That does not necessarily mean this will continue with future generations, however, such as the upcoming Zen 6-based CPUs. AMD could block it at the firmware level right from the launch in future generations (so that no one has grounds for complaint.)
It is also worth asking whether this “victory” might have negative consequences. Because of the media backlash, AMD may begin paying closer attention to ensuring that technologies and features not officially advertised cannot be enabled and used unofficially in this way. Or to prevent situations such as the accidental leak of FSR4 code compatible with older graphics cards, which proved very useful for users because AMD did not have official support for the technology ready for a long time (Radeon RX 7000 cards are only receiving it now). Yet the company subsequently faced criticism because that support was unofficial. Fortunately, that story ended well (with official support), but the managers responsible might also take away the lesson that they should exercise tighter control over developers in the future and ensure that nothing unintended is released.
You Should Probably Leave TSME Disabled
The overwhelming majority of processors (essentially all except server CPUs) and client devices do not encrypt memory, so it is not true that users’ security has been meaningfully reduced by TSME not functioning. We are not aware of anything equivalent to TSME being active on standard Intel processors—Intel’s analogous Total Memory Encryption feature is likewise available only on servers and on desktop platforms supporting vPro technologies. Full system memory encryption is also not used on Apple computers.
There is at least one good reason for this—encryption comes at a performance cost. If nothing else, it increases the critically important memory access latency. Especially on gaming PCs, enabling TSME just because it is possible to do so is not a good idea, as memory latency has a significant impact on gaming performance.
Source: Tom’s Hardware
English translation and edit by Jozef Dudáš
⠀






