Shortly after receiving negative press for refusing to pay a $10,000 bounty for a significant vulnerability, AMD is back in the news for all the wrong reasons. The company appears to have dropped a crucial Transparent Secure Memory Encryption (TSME) feature from Ryzen CPUs that don’t carry the “PRO” badge. The problem is that AMD didn’t notify users of the change, and the problem could have gone unnoticed for even longer if it hadn’t been discovered by an independent user.
A security researcher, Ben Kilpatrick, discovered the issue while installing a new operating system on a computer with a Ryzen 7, and he noticed that TSME was no longer available after performing an audit of the host security ID. He contacted MSI’s engineering team, who found that the older version of AGESA firmware still had this feature, which surprisingly did not apply to units running the newer AGESA 1.2.7.0 firmware.
To make matters worse, the AMD update did not disable protection for Ryzen PRO processors, including the AMD Zen 5 Pro Ryzen processor. TSME was available on mainstream Ryzen chips, which means AMD’s most recent Ryzen update is to blame. The company has remained mostly silent on the controversy, eventually stating that the AMD encryption feature is only available with PRO processors.
How problematic is this?
yarrbush/Shutterstock
TSME was designed to encrypt data stored in connected memory. The idea is to protect processors against various exploits, such as cold boot attacks, which can extract sensitive data held in memory. Since TSME applies encryption to all stored content, attackers who access this information are dead in the water because whatever they obtain is virtually useless. AMD initially rolled out the protection to the most expensive processors, then added it to consumer versions of Ryzen processors. The likely problem is the firmware, which silently removed the security feature from consumer chipsets, although it is unclear whether this was the result of a bug, an oversight, or a deliberate decision by AMD.
This feature was never directly announced because it worked just fine on more affordable processors, but most users probably expected it to be included by default. As a result, many view the potential new policy change as tantamount to a betrayal. Unfortunately, with the absence of TSME, consumers may now be vulnerable to everything from DRAM monitoring to other forms of attacks targeting memory. While it’s impossible to predict how much damage this will do to the company’s reputation, AMD’s more budget-friendly processor (as shown in the Intel vs. AMD head-to-head comparison) may not seem as impressive if it sacrifices security.
