AMD to restore Ryzen memory encryption option after complaints

AMD says a July BIOS update will bring back Memory Guard on certain non-Pro Ryzen 9000 desktop chips after users objected to its removal.

By James Whitfield · Staff Writer


AMD plans to restore a memory encryption setting on some consumer Ryzen processors after users criticized the company for removing it through firmware. The feature matters because it can help protect data in RAM from attacks that require physical access to a machine.

In an email reported by Ars Technica, AMD said a BIOS option for Memory Guard had been available on certain non-Pro Ryzen 9000-series desktop processors, then was taken out in a recent update. AMD said it would bring the option back in a BIOS release scheduled for July, citing community feedback.

Memory Guard is AMD’s name for Transparent Secure Memory Encryption, or TSME. The technology encrypts the contents of physical memory as data moves to and from the processor, making RAM contents harder to use in cold boot attacks and related physical-access techniques, according to Ars Technica.

What changed

Ars Technica reported last week that AMD had removed TSME from consumer Ryzen chips without prior notice. The change affected lower-cost, non-Pro consumer processors rather than only higher-end business-focused models.

According to Ars Technica, the removal was difficult for ordinary users to spot. Windows systems did not offer an obvious way to detect the change, while Linux users needed more technical work to confirm it.

The change was made through firmware, Ars Technica reported, rather than through a new chip design. That fueled criticism from users who said AMD had taken away a security capability that had been present in consumer Ryzen systems for years.

AMD did not explain why the option was removed, according to Ars Technica, and the company did not respond to questions for the follow-up report. Critics cited by Ars Technica speculated that AMD may have wanted to reserve the feature for more expensive processors, though no evidence from AMD was given for that claim.

How the protection works

TSME automatically encrypts and decrypts memory reads and writes. Ars Technica reported that the encryption key is generated at each boot and is not available to software.

The feature is designed to work independently of the operating system, which can make it easier to enable than some other memory encryption options. It is aimed at attacks in which an adversary has physical control of a system and tries to recover information from memory chips.

The protection can carry a performance cost because data must be encrypted and decrypted as it moves through memory. Ars Technica noted that the impact varies by workload and that some game developers advise users to disable TSME.

That performance tradeoff helps explain why some users may not want the feature on. Ars Technica also reported that consumer systems are generally less likely than enterprise systems to face sophisticated physical attacks against memory.

The complaint from users was less about whether every Ryzen owner needed TSME enabled and more about control. AMD had offered the capability on consumer Ryzen CPUs for years, according to Ars Technica, and users objected when the company removed the option without notice.

AMD’s July BIOS update is expected to reinstate that choice for the affected non-Pro Ryzen 9000-series desktop processors. AMD has not said whether the episode will change how it communicates future firmware changes.

This story draws on original reporting from Ars Technica.