AMD silently removes memory encryption from consumer Ryzen CPUs

What TSME / Memory Encryption Does and Who Used It

  • The feature encrypts data between the CPU and DRAM to mitigate cold-boot/“freeze the RAM and read it elsewhere” attacks, and can complicate some rowhammer-style or RAMBleed attacks.
  • Keys are managed in hardware and opaque to software.
  • Commenters note it was off by default on most consumer boards, undocumented as a consumer feature, and not widely used — but some people explicitly enabled and relied on it (e.g., labs, small data centers, security-conscious users, gaming servers).

Removal, Market Segmentation, and Motives

  • Newer AGESA firmware disables TSME on consumer Ryzen; PRO / server lines retain it.
  • Many see this as classic market segmentation: reserving “enterprise” features (RAM encryption, ECC, SEV variants) for higher-priced SKUs.
  • Others say it may never have been officially supported on consumer parts and might have been unintentionally left enabled, now “corrected.”
  • Some suspect pressure from state actors (e.g., NSA), but this is purely speculative in the thread and explicitly challenged by others.
  • AMD’s silence on the reason is a major point of criticism; lack of transparency is seen as the core issue.

Security Impact and Threat Models

  • Several argue the practical benefit for average consumers is tiny: physical attacks with liquid nitrogen / bus snooping are niche compared to simpler software or social attacks.
  • Others counter that:
    • Not all adversaries are nation-states; local law enforcement, organized crime, or domestic abusers may have physical access.
    • Raising the bar on physical attacks is still valuable defense-in-depth.
    • Memory encryption also tangentially helps with rowhammer-type and side-channel scenarios.
  • Some commenters note instability or broken behavior (e.g., VFIO, GPU drivers, VMs) when enabling TSME, suggesting it “never really worked right” on some consumer platforms.

Ethics, Trust, and “Post-Sale Enshittification”

  • Strong reaction against silently removing an existing hardware capability via firmware, even if undocumented:
    • Compared to cars losing heated seats or ovens losing modes after purchase.
    • Seen as part of a wider trend of post-sale degradation and opaque updates.
  • Others reply that undocumented features are inherently non-guaranteed, but still agree AMD should have communicated clearly.
  • Several advise: if your AMD system is stable and you rely on TSME, avoid BIOS/AGESA updates or even downgrade to earlier versions where the feature works.