HN Debrief

AMD will reinstate memory encryption on Ryzen 9000 CPUs via BIOS update in July

  • Hardware
  • Security
  • Infrastructure

Tom's Hardware reports that AMD will bring back Transparent Secure Memory Encryption, or TSME, on Ryzen 9000 desktop CPUs via a BIOS update in July after reversing an earlier decision to remove it. TSME encrypts data in RAM at the memory controller, which helps against attacks that rely on reading memory directly from a running machine. It is not a general-purpose disk or app encryption feature, and several people pointed out that many desktop users probably never enabled it, may not even see it exposed in BIOS, and would not notice it beyond a small memory performance hit.

If you ship hardware or low-level software, treat firmware updates as sacred. Security and stability fixes are one thing, but retroactively removing capabilities trains users to stop updating and creates a bigger long-term risk than the feature itself.

Discussion mood

Mostly negative toward AMD’s original removal and relieved about the reversal. The frustration was driven less by dependence on TSME itself than by anger at post-sale feature removal, suspicion of market segmentation, and general distrust created by firmware changes that quietly reduce capability.

Key insights

  1. Memory encryption does not automatically block DMA

    The practical implementation detail is that TSME sits at the memory controller, so raw RAM is encrypted regardless of whether the access comes from the CPU or another device. That still leaves tradeoffs around direct memory access. Some systems use unencrypted bounce buffers, some rely on an Input-Output Memory Management Unit to mark selected pages unencrypted, and newer server gear pushes the problem into encrypted PCI Express links with protocols like TDISP, IDE, Trusted IO, and Intel's TDX Connect path. That makes clear why desktop TSME is useful but also why full end-to-end protection is a more advanced platform story than flipping one BIOS option.

    Do not treat memory encryption as a binary feature check. If your threat model includes peripherals, accelerators, or hostile PCI Express devices, verify how DMA is handled on your exact platform before assuming RAM is protected.

    Attribution:
    • wmf #1
    • porridgeraisin #1
    • jolmg #1
  2. Firmware feature removal poisons update behavior

    The biggest long-term risk here is behavioral, not cryptographic. If BIOS updates become a channel for taking capabilities away from machines that customers already bought, people stop trusting firmware releases and defer them wholesale. That is a bad equilibrium because BIOS and AGESA updates often carry real security fixes and ugly stability repairs that users should install.

    If you own a hardware platform, separate bug fixes from segmentation decisions. If you buy one, snapshot firmware versions and read release notes carefully before rolling updates across a fleet.

    Attribution:
    • saghm #1 #2
    • jdsully #1
  3. Physical access is a real desktop threat

    The common dismissal that physical compromise means 'game over' drew strong pushback. TSME protects a narrower but still realistic case where an attacker gets hands on a machine while it is powered on or suspended and tries to read RAM directly. That is not just a datacenter problem. Home break-ins, office theft, repair chains, border inspections, and brief unattended access all fit the model.

    If your machines leave controlled spaces or hold sensitive customer data locally, treat memory encryption as a relevant defense layer even on desktops and laptops. It is not enough on its own, but it closes off a class of cheap physical attacks.

    Attribution:
    • CivBase #1
    • hnuser123456 #1
    • theandrewbailey #1
  4. Commenters see a broader segmentation pattern

    People did not read this as an isolated tweak. They tied it to a wider complaint that AMD now gates more platform capability behind server and workstation lines, from memory and I/O limits to feature support that used to feel more permissive on desktop parts. That framing made the TSME removal feel symbolic. Even a niche feature becomes a sign that desktop buyers are getting fenced in on purpose.

    Watch vendor segmentation at the platform level, not just core counts and benchmarks. For workstation-like desktop use, check memory, I/O, ECC, and firmware feature support early because those are often where product lines are quietly differentiated.

    Attribution:
    • RachelF #1
    • helterskelter #1
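The first insight above argues that memory encryption is not a single yes/no check: the CPU may advertise it, the kernel may or may not manage it, TSME configured in BIOS is transparent to software, and DMA handling (IOMMU, bounce buffers) is a separate question. The following Python posture check is an added example, not code from the Tom's Hardware report or the HN thread. It assumes a Linux host and parses the text an administrator can collect there: /proc/cpuinfo, /proc/cmdline, dmesg output and the DMI BIOS version from /sys/class/dmi/id/bios_version. The sample inputs are constructed for the example and modelled on common Linux kernel message formats, which differ between kernel versions, so the regular expressions are deliberately tolerant.

```python
"""Added example: memory-encryption and DMA posture check for an AMD Linux host.

Sample inputs below are constructed and only modelled on common kernel messages;
adjust the patterns to the kernel versions in your fleet.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Posture:
    bios_version: str           # firmware revision the check was run against
    cpu_sme: bool               # CPU advertises Secure Memory Encryption ("sme" flag)
    cpu_sev: bool               # CPU advertises Secure Encrypted Virtualization
    cmdline_mem_encrypt: bool   # mem_encrypt=on passed to the kernel
    kernel_sme_active: bool     # kernel reports OS-managed SME active
    iommu_active: bool          # AMD-Vi IOMMU found/initialised
    swiotlb_present: bool       # bounce-buffer pool set up (used for DMA under SME)
    findings: list[str] = field(default_factory=list)


_FLAGS = re.compile(r"^flags\s*:\s*(.*)$", re.MULTILINE)
# Matches both "AMD Memory Encryption Features active: SME" (older kernels)
# and "Memory Encryption Features active: AMD SME" (newer kernels).
_SME_ACTIVE = re.compile(r"Memory Encryption Features active:.*\bSME\b")
_IOMMU = re.compile(r"AMD-Vi: (Found IOMMU|Interrupt remapping enabled)")
_SWIOTLB = re.compile(r"software IO TLB", re.IGNORECASE)


def cpu_flags(cpuinfo: str) -> set[str]:
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    m = _FLAGS.search(cpuinfo)
    return set(m.group(1).split()) if m else set()


def assess(cpuinfo: str, cmdline: str, dmesg: str, bios_version: str) -> Posture:
    """Turn the raw text sources into a Posture with human-readable findings."""
    flags = cpu_flags(cpuinfo)
    p = Posture(
        bios_version=bios_version.strip(),
        cpu_sme="sme" in flags,
        cpu_sev="sev" in flags,
        cmdline_mem_encrypt=bool(re.search(r"\bmem_encrypt=on\b", cmdline)),
        kernel_sme_active=bool(_SME_ACTIVE.search(dmesg)),
        iommu_active=bool(_IOMMU.search(dmesg)),
        swiotlb_present=bool(_SWIOTLB.search(dmesg)),
    )
    f = p.findings
    if not p.cpu_sme:
        f.append("CPU does not advertise SME: no memory encryption is possible on this part")
    elif p.kernel_sme_active:
        f.append("kernel-managed SME active: RAM encrypted; device DMA goes through "
                 "unencrypted bounce buffers"
                 + ("" if p.swiotlb_present else " (no swiotlb message seen: review DMA path)"))
    else:
        # TSME is enabled in firmware and is transparent to software, so its absence
        # here does not prove RAM is unencrypted; it proves only that the OS is not
        # managing encryption. The firmware setting must be confirmed directly.
        f.append("SME supported but not kernel-managed: TSME, if enabled in BIOS, is transparent "
                 "to the OS and cannot be confirmed from these sources; check the firmware setting")
        if not p.cmdline_mem_encrypt:
            f.append("mem_encrypt=on absent from kernel command line")
    if not p.iommu_active:
        f.append("no AMD-Vi IOMMU messages: DMA-capable devices are not constrained by an IOMMU")
    return p


def collect_live() -> Posture:
    """Read the real sources on the current host (Linux only; dmesg may need root)."""
    cpuinfo = Path("/proc/cpuinfo").read_text()
    cmdline = Path("/proc/cmdline").read_text()
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    bios = Path("/sys/class/dmi/id/bios_version").read_text()
    return assess(cpuinfo, cmdline, dmesg, bios)


# Constructed sample inputs (not captured from a real machine).
SAMPLE_BIOS = "EXAMPLE-BIOS-0000"
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse tsc msr pae mce sme sev sev_es\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/example ro mem_encrypt=on amd_iommu=on"
SAMPLE_DMESG_SME = (
    "[    0.000000] Memory Encryption Features active: AMD SME\n"
    "[    0.420000] software IO TLB: mapped [mem 0x00000000d0000000-0x00000000d4000000] (64MB)\n"
    "[    0.610000] AMD-Vi: Found IOMMU at 0000:00:00.2 cap 0x40\n"
    "[    0.620000] AMD-Vi: Interrupt remapping enabled\n"
)
SAMPLE_DMESG_PLAIN = (
    "[    0.000000] Linux version 6.x (constructed sample)\n"
    "[    0.300000] PCI: Using configuration type 1 for base access\n"
)

if __name__ == "__main__":
    for label, args in (("encrypted host", (SAMPLE_CPUINFO, SAMPLE_CMDLINE, SAMPLE_DMESG_SME, SAMPLE_BIOS)),
                        ("plain host", (SAMPLE_CPUINFO, "ro quiet", SAMPLE_DMESG_PLAIN, SAMPLE_BIOS))):
        posture = assess(*args)
        print(f"== {label} (BIOS {posture.bios_version}) ==")
        for line in posture.findings:
            print(" -", line)
```

Run it as a script to see the two constructed hosts compared, or call `collect_live()` on an actual AMD Linux machine. The design point is the middle branch: a CPU that advertises SME with no kernel message is ambiguous, because firmware-side TSME leaves no OS-visible trace in these sources, so the check reports that ambiguity instead of a false "off".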

Against the grain

  1. Most desktop users should prefer the speed

    The most credible pushback was simple. For a typical home desktop, an attack that requires physical access to a running machine is far down the risk list, and even a small performance penalty can be a worse trade than the protection. That camp viewed TSME as optional at best and in many setups effectively wasted overhead.

    Set this by threat model, not by principle. Consumer gaming systems and low-risk office boxes can reasonably leave TSME off if the BIOS exposes the toggle and the performance budget is tight.

    Attribution:
    • WillPostForFood #1
    • cwillu #1
    • dist-epoch #1
  2. Some backlash came from misunderstanding encryption

    Part of the outrage was driven by people treating the word 'encryption' as if AMD had removed broad security for the whole system. That overstates what TSME does. It protects RAM contents in specific physical attack scenarios. It does not replace disk encryption, software isolation, or rowhammer mitigations.

    When a vendor removes a security feature, pin down exactly what layer it protects before escalating the impact. The response should match the actual control, not the emotional weight of the term.

    Attribution:
    • stefanfisk #1
    • Havoc #1

In plain English

AGESA
AMD Generic Encapsulated Software Architecture, AMD's firmware code used by motherboard vendors to boot and configure Ryzen systems.
BIOS
Basic Input/Output System, the low-level firmware that initializes a PC and exposes hardware settings before the operating system starts.
IDE
Integrated development environment, a programming application that combines editing, building, and debugging tools.
RAM
Random Access Memory, the computer's main working memory that holds data while programs are running.
Rowhammer
A hardware attack that repeatedly accesses memory rows to induce bit flips in nearby RAM cells.
TDISP
Trusted Device Interface Security Protocol, a protocol used to establish trusted communication between devices and a host platform.
Trusted IO
AMD's platform feature for securing input-output device communication, including encrypted device traffic in supported systems.
TSME
Transparent Secure Memory Encryption, an AMD feature that encrypts data stored in RAM so raw memory contents are harder to read during certain physical attacks.
