AMD silently disables memory encryption on Ryzen

What happened?

AMD has silently disabled the Transparent Secure Memory Encryption (TSME) feature on its consumer Ryzen processors. According to The Next Web, this feature, which encrypted all RAM with a hardware-generated key that changed on each boot, has been removed via a firmware update (AGESA). The news has been confirmed by several technical forums and enthusiasts who noticed the absence of the option in BIOS/UEFI after updating to recent AGESA versions, such as 1.2.0.8 or later.

TSME should not be confused with SME (Secure Memory Encryption), present in EPYC and Ryzen Pro processors. While SME allows the operating system to decide which memory pages to encrypt, TSME did so transparently for all RAM content, without software intervention. This distinction is key: TSME offered comprehensive protection against physical attacks, but with a potential performance impact.

The disabling was not announced in the release notes of the firmware updates, which has drawn criticism for lack of transparency. AMD has not issued an official statement so far, although sources close to the matter indicate that the decision was made to improve compatibility with overclocking and high-speed memory, areas where TSME could introduce additional latencies.

Why is it important?

TSME protected against physical memory attacks, such as cold boot attacks, DRAM bus snooping, or data extraction via physical probes. Without this encryption, anyone with physical access to the device could read the RAM contents, including passwords, encryption keys, and sensitive data in plaintext. The cold boot attack, for example, involves cooling the memory modules to freeze the data and then extracting them via an external system. This type of attack was successfully demonstrated in 2008 by Princeton researchers, and mitigations like memory encryption have been developed since then.

AMD's decision contrasts with its historical stance of prioritizing security. In the past, the company had promoted TSME as an additional layer of protection for advanced users and enterprise environments. However, on consumer processors, the feature was not widely known, and its disabling was not officially communicated. This move is reminiscent of Intel's 2017 controversy over disabling Spectre mitigations in some firmware for performance reasons, although Intel did announce it.

It is important to note that TSME did not protect against software attacks (such as kernel exploits), only against physical access. Therefore, its removal does not affect security against malware or network vulnerabilities, but it does increase risk in scenarios where the attacker has physical access to the device.

Consequences for users

• Increased risk on laptops and mobile devices: Devices that can be stolen or lost are especially vulnerable to physical memory attacks. A Ryzen laptop without TSME could expose sensitive data if the attacker extracts the RAM modules or uses a cold boot device.
• Impact on trust: AMD's lack of transparency may erode consumer and enterprise trust in its products, especially in sectors like banking, healthcare, or government where physical security is critical.
• Possible technical motivation: It is speculated that the disabling could be due to performance or compatibility issues, although AMD has not given official explanations. Performance tests conducted by enthusiasts show a 2% to 5% improvement in memory and gaming benchmarks after disabling TSME, suggesting the decision may have been commercial to better compete with Intel in the consumer segment.
• Supply chain uncertainty: Original equipment manufacturers (OEMs) integrating Ryzen into business laptops could be affected if their customers required TSME. Some brands like Lenovo and Dell have already confirmed they are assessing the impact.

What should readers know?

If you own a consumer Ryzen (3000, 5000, 7000 series, etc.), your system no longer has hardware memory encryption. To protect yourself, consider additional measures such as full disk encryption (BitLocker, LUKS), using strong passwords, and enabling screen lock. In high-security environments, it is recommended to opt for AMD EPYC or Intel Xeon processors, which still offer memory encryption (SME on EPYC, TME on Xeon). It is also possible to mitigate cold boot attacks by using soldered memory (as in some modern laptops) or enabling software-level memory encryption, though no solution is as effective as TSME.

It is important to note that Ryzen Pro processors (designed for businesses) still include SME, but not TSME. The difference is that SME requires operating system support (e.g., Linux with kernel 5.0+ or Windows with certain configurations), while TSME worked transparently. Therefore, Ryzen Pro users must ensure their OS is configured to use SME.

“The silent removal of TSME is a step backward in consumer processor security. AMD should have communicated this change and offered alternatives.” — Analyst at TheVortiq

In summary, the disabling of TSME reduces the physical security of consumer Ryzen systems. Although the impact on the average user may be limited, those handling sensitive data or working in high-risk environments should take additional precautions. AMD's lack of communication is concerning and suggests the company prioritizes performance over security in the consumer market. AMD is expected to issue an official statement in the coming weeks, but in the meantime, users should be aware of this new vulnerability.