AMD will reinstate memory encryption on Ryzen 9000 CPUs through a BIOS update in July - TSME is coming back after 'valuable community feedback'

AMD will reinstate memory encryption on Ryzen 9000 CPUs through a BIOS update in July - TSME is coming back after 'valuable community feedback'

AMD says it will reinstate firmware memory encryption (TSME) on non-PRO Ryzen 9000 desktop CPUs through a BIOS update in July, following the feature's removal through an earlier firmware update.

The feature was quietly removed through a firmware update on some non-PRO Ryzen CPUs. AMD has told Tom's Hardware that it will reinstate Transparent Secure Memory Encryption (TSME) on desktop Ryzen 9000 processors in July (we have the full statement further below). The feature is branded as Memory Guard for AMD's Ryzen PRO lineup, but it's available on non-PRO CPUs, as well.

Earlier this year, AMD quietly removed the feature with AGESA 1.2.7.0, which Ars Technica reported on earlier this week. AMD tells Tom's Hardware that it's bringing TSME back to non-PRO Ryzen 9000 chips "based on valuable community feedback."

What is TSME?

TSME is a firmware-level encryption feature for memory. It allows the processor to generate a key in order to encrypt data stored in RAM, serving as a layer of protection against cold boot attacks, where a sudden shutdown can allow a physical attacker to extract sensitive data stored in memory.

According to the Ars Technica report, AMD confirmed TSME support on consumer CPUs as far back as 2020 with the Ryzen 7 3700X. The author of the story, Ben Kilpatrick, discovered TSME's removal after running a security audit on a new machine with the Ryzen 7 9700X. After discovering that TSME was no longer supported, Kilpatrick worked with MSI (his motherboard vendor) to confirm that TSME had previously been supported but was disabled in AGESA 1.2.7.0.

Following the discovery, Kilpatrick raised a bug report on AMD's GitHub repository, where Mario Limonciello, a senior principal software engineer at AMD, eventually responded: "My apologies, but I don't have any more information to share on this topic."

Without any comment from AMD, it appeared as though the company disabled TSME through firmware on its consumer parts in order to differentiate its PRO lineup. TSME isn't a critical security feature for most consumer desktops, as it protects against attacks where the attacker needs physical access to the device. Still, if it was previously a capability, there's no reason TSME should be disabled through firmware.

AMD's official statement

Now, AMD has responded to Tom's Hardware with the following statement:

"We take the security of our customers' data very seriously. AMD Memory Guard (Transparent Secure Memory Encryption, or TSME) is a hardware-based memory encryption technology available on our Ryzen PRO desktop and mobile processors where supported in silicon. It is a foundational security feature, and we have no plans to remove support from our Ryzen PRO lineup. This commitment holds now and in the future. Regarding certain non-PRO Ryzen 9000-series desktop processors, a BIOS option to enable Memory Guard was previously available but was removed in a recent update. Based on valuable community feedback, we will reinstate this option in an upcoming BIOS release in July."

Community discussion

• -Fran- Strange PR W for AMD. Let's celebrate while it lasts.

• hotaru251 Reply So... Intel will give AVX512 back to the people with Alder Lake? LOL Regards.

• -Fran- Reply iirc that was hardware level not software level.

• hotaru251 Reply iirc that was hardware level not software level. It was hard disabled during production.

• -Fran- Reply In a later revision. B0 had it enabled and they patched it with a BIOS microcode update. EDIT: https://www.tomshardware.com/news/how-to-pick-up-an-avx-512-supporting-alder-lake-an-easy-way Regards.

• usertests This, FSR4, ROCm, etc. There's a culture of hostility and paranoia between AMD and its users developing.

• -Fran- Reply They had "good" reasons to disable it, and will finally "give" it back soon, not to old CPUs, but with the Nova Lake AVX10 kludge they had to create to get P-cores and E-cores to play nice with it. AMD will adopt AVX10 in the future, so I wonder if they will be using it for their own "LP" cores that might not be able to execute full-width AVX-512. Between new (and old) instructions in Nova Lake, a viable X3D competitor in bLLC, and maybe an eventual goal of eliminating E-cores by the end of the socket, Intel is probably worth a second look. Unclear is whether they will decide to credibly challenge Strix/Gorgon/Medusa Halo with "AX" models. Intel could be abandoning Xe graphics in the long run for Nvidia graphics. AMD may be eliminating the iGPU on Zen 6 (Olympic Ridge) to provide a big NPU only, while Intel will continue to provide both with Nova Lake. That's got my attention.

• usertests "It's ok guys; just buy the new thing".

• -Fran- Reply "It's ok guys; just buy the new thing". No? As for the NPU rumour. I've never found having an iGPU on a dedicated "CPU" SoC really useful. I rather the die space is used on something else that can better the CPU SoC performance instead. But that's me. I do recognise it can be useful, but you can go read my long rants from the past about it, if you want. There's plenty, if you're curious about my position on the subject. So, in short: I could not care less they're removing the iGPU. If I had a complaint, I rather they get rid of the NPU as well. I don't see how that could be useful as a general purpose accelerator in the SoC. Also, they could use a dual purpose "NPU", since at the end of the day, to display image on screen, you don't really need fully DX12/VK compliant units and just video out. Look at Matrox in the server segment. Regards.

• hotaru251 Reply an igpu means even if gpu dies you can "use" the device. an npu is niche and majority of people don't care about it nor will they use it. If you cared for ai..you'd have them with modern GPU (in form of tensor cores)

• hwertz Yeah, Intel absolutely could have kept AVX512 going on those systems. AMD used 256-bit (AVX2) hardware plug microcode to provide AVX512 on certain processors, and Intel actually did as well. I have no idea why they didn't just do this on the E-Cores (instead of having it on the P-Cores, and not the E-Cores; then disabling it on both later on.)

• -Fran- Reply Do not confuse "video out device" with a "video card to play games with". Video out can be done with very little silicon if you just don't care about HW acceleration or any other "modern conveniences" and an NPU is basically a subset of a GPU slice (super simplified, yes), so you can just attach the image processor part (video ports) and fixed units for encode and decode (if needed) and call it a day. Not saying that is what they'll do or what I'm hoping for. I rather they have neither an iGPU nor NPU. Waste of silicon area in my eyes. Also a waste of motherboard routing from the socket as well. That could give me half a DDR channel! Not really, but who knows, lol. Regards.