AMD appears to have yanked a memory encryption protection from consumer Ryzen chips, leaving users to play firmware detective.
For those who came in late: a decade ago, AMD added Transparent Secure Memory Encryption (TSME) to higher-end CPUs to protect systems from cold-boot attacks and other physical exploits that can siphon data from memory. The feature encrypts everything stored in RAM, making stolen memory contents useless to attackers with physical access.
Over time, TSME turned up on cheaper Ryzen consumer chips, and privacy-minded users reasonably started treating it as part of the package.
Recently, without warning, that protection vanished from lower-end AMD chips in a way Windows users could not easily detect and Linux users could spot only with some technical faffing.
According to Ars Technica, AMD has not explained why TSME worked on these CPUs or fully confirmed the change, saying only that TSME “is a security feature only applied to PRO CPUs as part of AMD PRO Technologies.”
In April, Linux hobbyist Ben Kilpatrick installed a new operating system on a Ryzen 7 9700X system and ran Host Security ID to check firmware and hardware protections. He found HSI reporting “encrypted RAM: not supported”, even though TSME had been enabled in BIOS and had previously shown as “encrypted”.
Kilpatrick’s digging led MSI engineers to test consumer Ryzen chips on MSI and Gigabyte boards, where older AGESA firmware enabled TSME but newer AGESA 1.2.7.0 showed it as unsupported.
Pro Ryzen chips supported TSME across motherboard brands and firmware versions, which rather spoiled the idea that this was just a random board-level wobble.
“The big outstanding question is whether this is a deliberate policy decision by AMD to restrict TSME to PRO chips, or an unintentional regression that was introduced in AGESA 1.2.7.0,” Kilpatrick told Ars.
After Kilpatrick filed a bug report on AMD’s public engineering GitHub, AMD fellow software engineer Tom Lendacky suggested toggling the BIOS option and then speaking to MSI if that failed.
AMD senior principal software engineer Mario Limonciello gave similar advice, telling him: “If it still doesn’t work; then yes please report it to your board vendor to debug.”
Kilpatrick later said MSI had been told by AMD that TSME was officially supported only on PRO processors, and tests showed TSME active on a Ryzen 9945 PRO but off on a consumer Ryzen 9800X3D.
MSI’s ABL dump comparisons reportedly showed the internal AGESA flag DfIsTsmeEnabled returning FALSE for consumer chips, even when TSME was set to AUTO or ENABLED in BIOS.
Kilpatrick pressed AMD on whether this was a silicon limitation or a firmware policy decision, because one is fixed and the other could be changed.
Limonciello replied: “My apologies, but I don’t have any more information to share on this topic.”
This is embarrassing, as Lendacky said in 2020 that a consumer Ryzen 3700X “should support TSME”, and in 2025 recommended using it if the BIOS exposed the option.
Silicon-level security expert Joe Fitzgerald said: “But I really feel like an explanation should be in order, even if it was ‘TSME was never supposed to be supported. We did ship some firmwares that erroneously enabled it, but you shouldn’t use them since we can’t guarantee it’ll work properly.’”