AMD Removes CPU Security Feature Without Notice

AMD has reportedly removed a security feature known as Transparent Secure Memory Encryption (TSME) from its consumer-grade CPUs without prior notification. TSME, designed to protect sensitive data in memory from physical attacks like cold boot exploits, was previously available on a range of AMD processors, including consumer Ryzen chips.

Users recently discovered that TSME was no longer supported on their consumer CPUs, even when the setting was enabled in the BIOS. AMD has since stated that TSME is a security feature "only applied to PRO CPUs as part of AMD PRO Technologies," marking the first public acknowledgment of this restriction.

An investigation by Ben Kilpatrick, a Linux hobbyist, revealed that the functionality of TSME on consumer Ryzen processors was dependent on specific versions of the AMD Generic Encapsulated Software Architecture (AGESA) firmware. Older AGESA versions allowed TSME to function, while newer versions, such as 1.2.7.0, disabled it. This change was difficult to detect on Windows systems and required technical effort on Linux.

AMD engineers initially suggested that the issue might be related to BIOS settings or motherboard firmware, directing users to contact their motherboard vendors. However, further testing by motherboard manufacturers like MSI confirmed that TSME was indeed disabled on consumer CPUs while remaining active on PRO and EPYC processors, regardless of the AGESA version used for PRO chips.

Subsequent analysis of memory captures indicated that an internal AGESA flag, DfIsTsmeEnabled, which controls TSME activation during firmware initialization, was set to FALSE for consumer processors and TRUE for PRO and EPYC processors. Despite these findings and a reminder that TSME had previously been confirmed on consumer CPUs in 2020, an AMD engineer concluded the discussion, stating no further information was available.