I had this enabled as it protects against RAMBleed/ECC errors, so it's not limited to physical attacks.
This was never marketed as a feature of the consumer CPUs and if some malignant actor does get physical access to my (consumer) hardware, then them being able to read out bytes through cryo-freezing the RAM really isn't high up on the list of things I'm going to worry about.
If it can be silently removed, was it a security feature?
Whilst I hate companies paying engineers to make things worse just to segment their market; I am not really seeing this as an important feature outside the data-center? If an evil-maid has hardware access they hack the USB and/or PCI not the RAM surely?
Sneakily and silently removing a feature in a firmware revision is not acceptable, security or otherwise.
If anyone does it sneakily, there is alleged wrongdoing attached to it. I can imagine multiple scenarios like some well-known Israeli company "selling their software only to governments", paying quite an amount of money for it, because they were unable to break this one.
I would be fine with this if it meant CPUs became slightly cheaper, but we know that's not going to happen.
And there's been talk that now the so-called "AI companies" will start using more CPUs as well, due to "personal agentic agents", so I hope that people won't be priced out of CPUs too...
I'm curious about Denuvo's opinion on that.
Any idea what's happening? This sounds _bad_.
Market segmentation.
I would also like to know. Surely some people here have at least second-hand knowledge, and silence can sometimes be deafening.
> To be fair to AMD, there is no clear indication that the company ever publicly advertised TSME as a consumer Ryzen feature.
A feature that was possibly accidentally enabled on consumer chips is now being disabled. I would guess that the number of owners of consumer chips who also relied on them for encryption is exceedingly small.
The primary concern persists. The manufacturer has an exceptional amount of control of the state of your CPU, most of which you cannot change and an unknown chunk of which you cannot even see. We are sort of playing in a fool's paradise.
How can manufacturers simultaneously have exceptional control over flags and not enough control to know what flags are enabled on their shipping products?
They either have that control or they don't.
They always had control. Awareness is a different thing. You could just as well ask "if you've written every line of code, why did you write that bug?".
You choose every piece of food you eat, how do you not know all the macros?
To be fair, the same can't be said of ECC, even though ECC should be a basic feature out of the box.
Hint: NSA said no.
It's a shame there is no software-based memory encryption included in the Linux kernel. Especially cloud providers can easily snoop all your keys and you have zero recourse.
There was a patch called Tresor that did this, but I don't think it was updated for a long time.
You have to store the encryption key in CPU registers and ensure it's not saved to RAM during task switching or power suspend operations. Tresor used x86-specific debug registers for it, but you could potentially use unused SIMD registers if you masked-off the CPUID bits for them and disabled them for access by user-space.
But securing against attacks from a hostile hypervisor or a server provider needs more than just memory encryption, because they can intercept any part of the boot process and control the hardware/firmware that can lie to your kernel.
To counter that you'd need something like AMD SEV(ES/SNP) with measured boot and remote attestation to switch the only thing you trust to the CPU manufacturer (best you can do IMO).
In a cloud provider situation there is no pure software solution to this; the hypervisor can always dump your memory pages / register states.
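For readers who want to see what their own machine reports, here is an added example (not part of any comment above and not code from AMD or the kernel project) that records the memory-encryption state Linux exposes and flags anything that was on in a saved baseline and is off after a firmware update. It assumes the `sme`/`sev`/`sev_es`/`sev_snp` flags in `/proc/cpuinfo` and the ccp driver's `tsme_status` sysfs attribute; the baseline file name is hypothetical and the sample inputs are constructed.

```python
import glob
import json
from pathlib import Path

ENC_FLAGS = ("sme", "sev", "sev_es", "sev_snp")  # flag names in /proc/cpuinfo

def cpu_flags(cpuinfo_text):
    """Return the flag set of the first CPU listed in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()

def snapshot(cpuinfo_text, tsme_raw):
    """tsme_raw: contents of the ccp driver's tsme_status file, or None if absent."""
    flags = cpu_flags(cpuinfo_text)
    state = {name: name in flags for name in ENC_FLAGS}
    state["tsme"] = None if tsme_raw is None else tsme_raw.strip() == "1"
    return state

def regressions(baseline, current):
    """Features that were on in the baseline and are now off or no longer reported."""
    return sorted(k for k, was_on in baseline.items() if was_on and not current.get(k))

def read_live():
    """Take a snapshot from the running system (Linux only)."""
    tsme_raw = None
    for path in glob.glob("/sys/bus/pci/devices/*/tsme_status"):
        try:
            tsme_raw = Path(path).read_text()
            break
        except OSError:
            continue
    return snapshot(Path("/proc/cpuinfo").read_text(), tsme_raw)

# Constructed sample inputs (not from a real machine): before and after a firmware update.
SAMPLE_BEFORE = "processor\t: 0\nflags\t\t: fpu vme sse2 sme\n"
SAMPLE_AFTER = "processor\t: 0\nflags\t\t: fpu vme sse2\n"

if __name__ == "__main__":
    base_file = Path("memenc-baseline.json")  # hypothetical file name
    now = read_live()
    if base_file.exists():
        lost = regressions(json.loads(base_file.read_text()), now)
        print("lost since baseline:", lost or "nothing")
    else:
        base_file.write_text(json.dumps(now))
        print("baseline saved:", now)
```

Run it once before a BIOS/AGESA update to save the baseline and again afterwards; a missing `tsme_status` file is reported as a loss only if the baseline had it active.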
Another example of how AMD is hardly the good guys.
This will be re-added in a few years. The current flip-flop is just enshittification.
It is sad that once again we will be exposed to more criminals trying to steal our data. Memory encryption not only allows one to secure memory from physical "cold RAM", but also prevents loss of encryption keys as it hides the content during transfer.
For what it's worth, RAM encryption belongs to professional SKUs. It's the right business decision that should have been made from the very beginning.
For most consumer users, RAM encryption primarily adds power consumption and heat generation while providing little practical benefit. They simply don't face many of the threat vectors and attack scenarios that certain industries and enterprise environments must contend with.
How do you know what threats I face? How do you know what threats journalists and whistleblowers face?
This is approximately the same discussion as with ECC RAM: the benefits vastly outweigh the slight performance loss and die area increases.
I disagree, I play around a lot with enterprise stuff. It's insane that I need to buy enterprise grade hardware that costs 1000x more for lab/experimentation/learning. My only alternative is to wait a few years, and get it from eBay.
I also believe that a strong reason that Optane pdimms failed was that it was only available on enterprise servers, so hackers didn't get a chance to play with it and build software that took advantage of this special hardware.
Just look at how specialized Infiniband is, even though it's awesome and has some great use cases. If it was a commodity tech, there would be 100 times more applications/software that took advantage of it.
This is an absurd take since the referenced chips in the article are all desktop parts, and the power usage is dwarfed by any “modern” (within the last five years) GPU.
There are many people, myself included, who opt to use security features like this. All this does is reduce security for folks without any legitimate reason. “Power consumption” is absolutely not a valid excuse to completely disable it.
I’ve been a fan of AMD for a while now but they’re really jumping the shark these days. It’s a real shit situation we’re all in because of the lack of competition in consumer CPUs. I can only hope things like RISC-V take off sooner than later.
Weird, maybe you should start posting about the Epstein stuff and you'll quickly learn about your threat situation.