AMD Re-Enables RAM Encryption on Ryzen CPUs Following Criticism

Recently, reports spread that AMD had disabled TSME, one of the Ryzen CPU security features without warning. It’s a bit more complicated than that, however, as this was not a regular default feature, but rather a Pro SKUs technology that was only present on standard Ryzen CPUs unofficially if not accidentally. The media attention seems to have resulted in access to TSME technology being restored for the non-Pro Ryzen processors, though.

What Is TSME and Why Was It Controversial?

TSME stands for Transparent Secure Memory Encryption, a technology in which the processor writes data to physical RAM in encrypted form and automatically decrypts it when reading it back, allowing running applications to be completely unaware of the process. The technology first appeared in the first generation of Epyc processors (7001 “Naples” with Zen 1 cores) in 2017, also under the name SME (Secure Memory Encryption). In 2018, it was also introduced in the Ryzen Pro 2000 processor series intended for desktop systems and notebooks used by large organizations and enterprises. It was one of the additional features that distinguished the Pro series SKUs, alongside remote management and similar technologies. In newer generations, it has also been marketed as Memory Guard, once again as a feature advertised only for Ryzen Pro processors.

Recent reports have revealed, however, that you could toggle this technology on even when using non-Pro Ryzen processors because BIOS (UEFI) setup options on some motherboards exposed the setting. The mere presence of the option in the BIOS does not necessarily mean anything, but it appears that some users actually tested whether it worked and concluded that it did. It is possible, however, that motherboard BIOSes exposed the option on standard processors unintentionally or due to an oversight.

Transparentní šifrování paměti uvedené jako funkce procesorů AMD Ryzen Pro v roce 2017
Transparent memory encryption listed as a feature of AMD Ryzen Pro processors in 2017

One of the users who had enabled TSME (on a Ryzen 7 9700X, a regular non-Pro SKU) recently discovered that after updating the BIOS, the feature was no longer active. This appears to be a change introduced with AGESA 1.2.7.0. AMD’s response to the bug report submitted by this user was that TSME is a technology supported only on Ryzen Pro processors. As far as we know, this is correct, as AMD classifies it among its “Pro Technologies.”

Since its introduction, TSME has officially been limited to Epyc and Ryzen Pro processor families and (unless we have missed something) has never been advertised as being available on standard desktop or notebook Ryzen processors. Therefore, it is not entirely scandalous that AMD retroactively disabled it on these processors and left it turned off. Whether this is truly grounds for complaints is highly debatable.

Although the update removed a feature that had previously been working on these CPUs, it was something that had never been advertised as functional for the product (and in fact may not even have been fully functional, since this component might never have been validated during processor testing). Nevertheless, several highly critical media articles ignored this context, and social media reactions were similarly scathing.

Removal Did Not Actually Reduce User Security

It was also not entirely fair for some articles to claim that AMD had “removed a critical security technology from Ryzen” or that it had left unsuspecting users vulnerable. This technology is certainly not something that is commonly used. Its primary role is in cloud servers hosting virtual machines for multiple users. By assigning each VM its own encryption key (known as SEV, Secure Encrypted Virtualization), you can ensure that vulnerabilities allowing a virtual machine user to read physical memory cannot be exploited to access data outside that VM’s assigned memory range, including data belonging to other users’ virtual machines or memory data of the service provider.

Slajd AMD k transparentnímu šifrování paměti z roku 2019 (SME)
AMD slide on transparent memory encryption from 2019 (SME)

On a personal computer, the benefits are rather questionable. Here, TSME mainly serves as protection against reading data from a memory module by cryogenically freezing it immediately after shutting down the computer and quickly transferring it to another system (so-called cold boot attacks). That is an extremely theoretical threat requiring physical control of the computer in the first place. If you believe you need protection against such attacks, you should probably approach your security investments very differently than by buying hardware on which this feature is not officially supported and therefore offers no guarantee of working correctly.

TSME Will Ultimately Be Available on Standard Processors After All (Unofficially)

In the end, however, AMD apparently concluded that the negative publicity was not worth it and announced that, in response to user feedback, it would revert the TSME change introduced in AGESA 1.2.7.0 in one of the upcoming scheduled updates. Looking ahead, new versions incorporating this change should become available in July. The updated AGESA code will be distributed as part of motherboard BIOS updates, so the release schedule will depend on individual motherboard manufacturers and will likely vary from one board to another.

However, it should still remain an unofficial capability that is not guaranteed or covered by vendor support in any way, and TSME remains something AMD does not promise to users of standard Ryzen processors. This differs from ECC support, for example, which AMD explicitly states is “supported if supported by the motherboard” for non-Pro Ryzen 7000 and 9000 AM5 desktop processors.

It is not entirely clear which processors were affected by the unofficial availability of TSME (it was apparently not something many people actually used), but according to some sources, in addition to the current Ryzen 9000 desktop processors, it may also have been available as far back as on Ryzen 3000 processors with Zen 2 cores, and perhaps the intervening generations as well. Following AMD’s policy reversal, the technology will apparently continue to be available on those processors in the same unofficial capacity (or at least remain user-enableable, albeit without any guarantee). That does not necessarily mean this will continue with future generations, however, such as the upcoming Zen 6-based CPUs. AMD could block it at the firmware level right from the launch in future generations (so that no one has grounds for complaint.)

It is also worth asking whether this “victory” might have negative consequences. Because of the media backlash, AMD may begin paying closer attention to ensuring that technologies and features not officially advertised cannot be enabled and used unofficially in this way. Or to prevent situations such as the accidental leak of FSR4 code compatible with older graphics cards, which proved very useful for users because AMD did not have official support for the technology ready for a long time (Radeon RX 7000 cards are only receiving it now). Yet the company subsequently faced criticism because that support was unofficial. Fortunately, that story ended well (with official support), but the managers responsible might also take away the lesson that they should exercise tighter control over developers in the future and ensure that nothing unintended is released.

You Should Probably Leave TSME Disabled

The overwhelming majority of processors (essentially all except server CPUs) and client devices do not encrypt memory, so it is not true that users’ security has been meaningfully reduced by TSME not functioning. We are not aware of anything equivalent to TSME being active on standard Intel processors—Intel’s analogous Total Memory Encryption feature is likewise available only on servers and on desktop platforms supporting vPro technologies. Full system memory encryption is also not used on Apple computers.

There is at least one good reason for this—encryption comes at a performance cost. If nothing else, it increases the critically important memory access latency. Especially on gaming PCs, enabling TSME just because it is possible to do so is not a good idea, as memory latency has a significant impact on gaming performance.

Source: Tom’s Hardware

English translation and edit by Jozef Dudáš


Contents

FSR 4.1 for Radeon RX 7000 Launched, APUs Will Get Lite Version

In May, AMD announced that FSR 4.1 AI upcaling is coming to Radeon RX 7000 and later also RX 6000 graphics cards. It was supposed to be due next month for X 7000, but AMD went and launched it this week possibly due to the launch of Valve’s Steam Machine, which uses GPUs from the Radeon RX 7000 series. And furthermore: Official FSR 4.1 should work better than the leaked FSR4 libraries that could previously be used unofficially. Read more “FSR 4.1 for Radeon RX 7000 Launched, APUs Will Get Lite Version” »

Radeon RX 9000: Top Game Visuals and Performance You Can Afford

Today’s market is rough for gamers seeking powerful hardware for latest titles. GPUs and other gear like gaming monitors that deliver high performance, flawless experiences and all the latest features without ruining your budget have become more crucial than ever. Today, Radeon RX 9000 GPUs are ideal for this, and Gigabyte can pair them with an affordable monitor offering parameters that until recently belonged to the realm of dreams. Read more “Radeon RX 9000: Top Game Visuals and Performance You Can Afford” »

Zen 6 Desktop Ryzen CPUs Reportedly Lack Integrated GPU

One of the advantages of AMD CPUs for the AM5 socket compared to the AM4 platform is that even the higher‑end chiplet models include an integrated GPU located in the IO chiplet. Thanks to this, these processors can be used in office PCs (or workstations that don’t require high GPU performance) without the needing a discrete graphics card. But the new generation with Zen 6 cores may lose this advantage, likely due to the AI hype. Read more “Zen 6 Desktop Ryzen CPUs Reportedly Lack Integrated GPU” »

Leave a Reply

Your email address will not be published. Required fields are marked *