AMD will reinstate memory encryption on Ryzen 9000 CPUs via BIOS update in July

AMD has confirmed it will restore support for the memory encryption feature TSME on Ryzen 9000 processors via a BIOS update in July, reversing its recent removal. This decision follows community feedback and concerns over security features previously available on these CPUs, making it a significant development for users prioritizing data security.

AMD told Tom’s Hardware that it will re-enable Transparent Secure Memory Encryption (TSME), also branded as Memory Guard, on non-PRO Ryzen 9000 desktop processors through a forthcoming BIOS update in July 2024. The feature, which encrypts data stored in RAM to protect against cold boot attacks, was previously available but was removed in AGESA 1.2.7.0 earlier this year.

The removal of TSME was initially unpublicized and was believed to be a firmware decision aimed at differentiating AMD’s PRO lineup, which continues to support the feature. AMD clarified that TSME support remains a foundational security feature for its PRO processors and has no plans to remove it from that lineup. The company stated that the reintroduction for non-PRO Ryzen 9000 chips is driven by community feedback, emphasizing its commitment to customer security.

Security researcher Ben Kilpatrick discovered the removal of TSME after testing a Ryzen 7 9700X, and AMD’s response to inquiries confirmed the feature’s previous support and its upcoming return. AMD’s official statement emphasized that the feature is hardware-based and that support will be reinstated via BIOS, not through a hardware change.

Impact of Reinstating Memory Encryption on Ryzen 9000

This development is important because it restores a security feature designed to protect sensitive data stored in RAM against physical attacks like cold boot attacks. While TSME is not critical for most consumer desktops, its availability can be vital for users handling sensitive information or operating in security-sensitive environments.

The decision to re-enable TSME reflects AMD’s responsiveness to the security community and its recognition of the importance of memory encryption as a security layer, even on consumer-grade CPUs. It also highlights ongoing discussions about firmware-level security features and their management across different product lines.

Background on AMD’s Memory Encryption Policy

AMD introduced support for TSME on Ryzen CPUs as far back as 2020 with the Ryzen 7 3700X. The feature encrypts data in RAM, providing protection against physical attacks where an attacker gains access to the memory modules after shutdown. Earlier this year, AMD quietly removed TSME support from non-PRO Ryzen 9000 processors with the release of AGESA 1.2.7.0, without detailed public explanation.

The removal was discovered by security researcher Ben Kilpatrick, who tested a Ryzen 7 9700X and found TSME was no longer supported. AMD’s response to inquiries was limited, with a senior engineer indicating no additional information was available. The move appeared to be a firmware-level disabling, possibly intended to differentiate the PRO lineup, which continues to support TSME.

Community feedback and security considerations prompted AMD to reconsider, leading to the upcoming BIOS update that will restore the feature on supported consumer CPUs.

“We take the security of our customers’ data very seriously. We will reinstate support for Memory Guard on non-PRO Ryzen 9000 processors via a BIOS update in July.”

— AMD spokesperson

Remaining Questions About TSME Reinstatement

While AMD confirmed the return of TSME support via BIOS in July, it is not yet clear whether all motherboard vendors will implement the feature immediately or if there will be any hardware-specific limitations. Additionally, the precise timing and whether any security or firmware updates are required beyond the BIOS remain to be seen. AMD did not specify if the feature will be fully functional on all supported models at launch or if some restrictions might apply.

Next Steps for AMD and Users Awaiting TSME

Manufacturers will begin rolling out the BIOS update in July, with users advised to check for firmware updates from their motherboard vendors. Security-conscious users should monitor AMD’s official channels for detailed instructions and compatibility information. AMD’s ongoing commitment to security features suggests that TSME will be fully supported on supported CPUs shortly after the update, but users should verify their system’s firmware status.

Key Questions

What is TSME and why is it important?

TSME (Transparent Secure Memory Encryption) is a hardware-based memory encryption feature that protects data stored in RAM from physical attacks like cold boot attacks. It is important for enhancing security, especially in environments where sensitive data is handled.

Will all Ryzen 9000 CPUs support TSME after the BIOS update?

Support will depend on the specific CPU model and motherboard compatibility. AMD has confirmed the feature will be re-enabled via BIOS for supported non-PRO Ryzen 9000 processors, but users should check with their motherboard vendors for availability.

Why was TSME support removed earlier this year?

AMD did not publicly specify the reasons, but it appears to have been a firmware-level decision, possibly to differentiate the PRO lineup, which continues to support TSME. The removal was discovered through security research.

Does the reintroduction of TSME mean AMD is shifting its security strategy?

It suggests that AMD is responsive to community feedback and recognizes the importance of memory encryption features, even on consumer CPUs. The company’s official stance emphasizes its ongoing commitment to customer data security.

Source: Hacker News