
THE PEOPLE HAVE SPOKEN
Critics saw the move as an underhanded way to steer them toward more costly chips.
Credit: JuSun/Getty Images
Consumer AMD CPUs will once again offer encryption protections against physical attacks after facing user backlash for silently removing the feature.
As Ars reported last week, AMD stripped the protection, known as TSME, from consumer Ryzen processors. Short for Transparent Secure Memory Encryption, TSME encrypts the entire contents stored in memory, making the data useless to adversaries performing cold boot attacks and similar intrusions requiring physical access.
Now you see it, now you don’t, soon you’ll see it again
About a decade ago, AMD added TSME to its high-end CPUs. Over the next few years, AMD added the protection to lower-end processors, including the consumer version of its Ryzen chips, a CPU that costs less than the Pro version. Over the years, users of these lower-end chips have gotten used to the added security, although some security experts (and plenty of novices, too) note that consumer chips are far less likely to be targeted by physical attacks. Recently and without warning or notice, the lower-end line of AMD chips suddenly dropped the protection, and it did so in a way that was impossible to detect on Windows machines and required a fair amount of technical work when using Linux. AMD last week declined to explain or acknowledge the change.
Following the revelation, social media was deluged by comments from AMD consumers decrying the move. They noted that AMD’s quiet removal of TSME after supporting it for so long seemed underhanded. The move came solely as a result of firmware changes made in a recent update. With no physical changes required to silicon, continued support was largely, if not purely, a matter of will rather than a necessity required by changes to hardware. The critics called on AMD to reverse the move.
Over the weekend, AMD said it planned to do just that in a firmware update scheduled for release next month. More often than not, the chipmaker refers to TSME as Memory Guard.
“Regarding certain non-PRO Ryzen 9000-series desktop processors, a BIOS option to enable Memory Guard was previously available but was removed in a recent update,” AMD said in an email. “Based on valuable community feedback, we will reinstate this option in an upcoming BIOS release in July.”
The company has yet to explain why it removed the protection. Critics speculate that AMD dropped it in an attempt to steer customers toward more costly CPUs.
It’s possible, though, that there were less nefarious reasons, such as the difficulty of continued support as chip designs changed. Another possibility is that AMD made the move for performance reasons. Encrypting and decrypting data in memory creates latency. Slowdowns are the enemy of gamers, one of the more popular customer segments using the 9000-line of Ryzen processors. Since many gamers already voluntarily disabled TSME and had little need for it in the first place, AMD may not have considered the change of much consequence.
The incident, and AMD’s refusal to discuss it, is emblematic of the public relations landscape that has emerged over the past two decades. Once, Big Tech and corporations in general were willing to acknowledge service and product changes to ensure customers had a predictable experience. They also showed a willingness to admit mistakes and to say how they planned to do better. Now, there’s only silence. As the companies’ power and dominance have mushroomed, their sense of accountability has diminished proportionately.
AMD didn’t respond to questions sent for this story.
TSME transparently encrypts all physical memory flowing in or out of the processor. It protects against cold boot attacks and similar attacks that use sophisticated techniques to siphon data out of memory chips once an adversary has gained physical access to them. Memory pages are automatically encrypted and decrypted on each write or read. An ephemeral encryption key is created during each system start and isn’t accessible by software. Unlike Secure Memory Encryption, TSME is OS independent, a condition that makes it much easier to enable.
The automatic encryption and decryption does come at a performance cost that differs depending on the tasks the chips are performing. Some game developers advise users to disable TSME.
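As an added illustration (not code from the article or from AMD), the following C program reports whether an AMD CPU advertises memory encryption and whether firmware has switched it on, the kind of check Linux users had to do by hand once the BIOS option disappeared. It decodes the public CPUID leaf Fn8000_001F and reads the SYSCFG MSR (0xC0010010, bit 23, MemEncryptionModeEn); that this bit mirrors the BIOS Memory Guard/TSME setting is an assumption here, and the MSR read needs root with the msr kernel module loaded.

```c
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SME_SUPPORTED  (1u << 0)     /* Fn8000_001F EAX bit 0: SME available */
#define SEV_SUPPORTED  (1u << 1)     /* Fn8000_001F EAX bit 1: SEV available */
#define SYSCFG_MSR     0xC0010010u   /* AMD SYSCFG model-specific register */
#define SYSCFG_MEM_ENC (1ull << 23)  /* MemEncryptionModeEn (assumed set by BIOS TSME) */

struct mem_enc_caps { int sme; int sev; unsigned cbit; unsigned pa_reduction; };

/* Pure decoder of the CPUID registers, so it can be exercised on constructed values. */
struct mem_enc_caps decode_fn8000001f(uint32_t eax, uint32_t ebx) {
    struct mem_enc_caps c;
    c.sme = (eax & SME_SUPPORTED) != 0;
    c.sev = (eax & SEV_SUPPORTED) != 0;
    c.cbit = ebx & 0x3f;                /* EBX[5:0]: address bit used as the C-bit */
    c.pa_reduction = (ebx >> 6) & 0x3f; /* EBX[11:6]: physical address bits consumed */
    return c;
}

/* 1 when the firmware has enabled the memory-encryption mode, 0 otherwise. */
int syscfg_mem_encrypt_enabled(uint64_t syscfg) { return (syscfg & SYSCFG_MEM_ENC) != 0; }

/* Reads SYSCFG for CPU 0 via the msr driver; returns 0 on success, -1 if unreadable. */
int read_syscfg(uint64_t *out) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, SYSCFG_MSR);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    if (__get_cpuid_max(0x80000000u, NULL) < 0x8000001Fu) { puts("no memory-encryption leaf"); return 1; }
    __get_cpuid_count(0x8000001Fu, 0, &a, &b, &c, &d);
    struct mem_enc_caps caps = decode_fn8000001f(a, b);
    printf("SME supported: %d  SEV supported: %d  C-bit: %u\n", caps.sme, caps.sev, caps.cbit);
    uint64_t syscfg;
    if (read_syscfg(&syscfg) == 0)
        printf("SYSCFG MemEncryptionModeEn: %d\n", syscfg_mem_encrypt_enabled(syscfg));
    else
        puts("SYSCFG MSR not readable (run as root with the msr module loaded)");
#else
    puts("not an x86 CPU");
#endif
    return 0;
}
```

A supported-but-disabled result means the silicon can encrypt memory and only the firmware option is missing, which is the situation the article describes.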
Oftentimes, disabling security protections is frowned upon. In this case, the move is less risky since systems running consumer chips are less likely to store data that’s valuable enough to motivate a sophisticated physical attack.
The counterargument is that AMD has included TSME in its consumer Ryzen CPUs for about a decade. The company long left the decision to enable or disable the protection to users. Critics argue that the removal deprived them of a capability that had been tacitly promised. Making the move silently only added to the sense AMD was pulling a fast one.
Despite AMD’s continued opacity about the incident, the company deserves credit for restoring TSME. Customers complained, some bitterly, and AMD heard and granted their demands.
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
View original source — Ars Technica ↗