An EPYC-ly Bad Decision?
AMD added a feature called TSME, Transparent Secure Memory Encryption, to their Ryzen Pro and EPYC processors. It ensures that any data stored in your memory is encrypted, so that even if someone managed to get physical access to one of your systems there would be no way to extract data from your RAM. TSME became available on all AMD processors starting in 2020 or so, which was a brilliant decision as it didn’t require special hardware. There was no good reason not to offer this level of protection to all of their customers.
Unfortunately, as of AGESA 1.2.7.0, TSME protection has been disabled on non-Pro and non-EPYC processors. As is tradition with AMD, there was no public announcement whatsoever. A security-minded individual was doing an audit of their Linux box, discovered that their memory was no longer encrypted after an update, and started digging.
After he filed a bug report on AMD’s public engineering GitHub repository, it was suggested that this was actually disabled by the motherboard as opposed to the chip. A bit of testing and contact with MSI proved this to be incorrect. Unfortunately, when he returned to update the bug report, the response the engineers gave ran along the lines of "no comment". This is a bad decision on AMD’s part; if they are making our chips less secure, they should at least own up to it, if not reveal why this decision was made.