AMD quietly removes memory encryption from consumer Ryzen CPUs

Key Takeaways

• AMD removed Transparent Secure Memory Encryption from consumer Ryzen CPUs in AGESA firmware 1.2.7.0 without any announcement
• The change is nearly impossible to detect on Windows and requires specialized Linux tools to identify
• AMD engineers offered no clear explanation, and the company now claims TSME was always exclusive to Pro CPUs

AMD has silently stripped Transparent Secure Memory Encryption from its consumer Ryzen processors, leaving users vulnerable to physical memory attacks without any notification. The security feature, which protects against cold boot attacks by encrypting RAM contents, disappeared after AMD rolled out AGESA firmware version 1.2.7.0. The company has offered no public explanation for the change.

The removal came to light through a months-long investigation by Linux researcher Ben Kilpatrick, who discovered the missing feature while setting up a new Ryzen 7 9700X system. His findings, tracked on GitHub and corroborated by MSI's internal testing, reveal that AMD either deliberately restricted the feature to its Pro lineup or introduced a regression that the company refuses to acknowledge.

How the removal was discovered

Kilpatrick, a self-described privacy-conscious Linux hobbyist, stumbled onto the problem while running Host Security ID (HSI), an auditing tool that evaluates firmware and hardware security configurations. Despite having TSME enabled in his BIOS settings, HSI reported the feature as unsupported. The BIOS toggle was effectively doing nothing.

His investigation led him through MSI's support channels and eventually to AMD's public engineering GitHub repository. Two AMD engineers responded: Tom Lendacky, a fellow software engineer, and Mario Limonciello, a senior principal software engineer. Neither could explain why the feature had vanished. Their advice amounted to toggling the BIOS setting off and on, then contacting the motherboard manufacturer if that failed.

The engineers directly at AMD appeared just as confused as the user reporting the problem.

MSI's testing confirms the firmware is responsible

After Kilpatrick pressed MSI harder, the company ran controlled tests comparing older and newer firmware versions. The results were clear: consumer Ryzen chips showed TSME as enabled under older firmware but "not supported" under AGESA 1.2.7.0. Pro versions of the same CPUs supported the feature regardless of firmware version or motherboard.

MSI's engineers found an internal AGESA flag that controls whether TSME activates during boot. On consumer chips, this flag returned FALSE regardless of what users selected in their BIOS. The silicon itself appears capable of running the encryption. Something in the firmware now blocks it.

AMD's only response makes things murkier

When pressed for an official statement, AMD provided a single email response claiming that TSME "is a security feature only applied to PRO CPUs as part of AMD PRO Technologies." This marks the first time the company has publicly stated such a restriction.

“TSME is a security feature only applied to PRO CPUs as part of AMD PRO Technologies.”

— AMD representative, statement to media

The problem with this claim: TSME worked on consumer chips for years. Users bought these processors with the feature functioning, relied on it for security, and had no reason to expect AMD would disable it through a routine firmware update. When Kilpatrick relayed MSI's test results back to AMD engineers and attempted to resume the discussion, one engineer cut the conversation short: "My apologies, but I don't have any more information to share on this topic."

Why most users will never know they lost protection

The removal is nearly invisible. On Windows machines, there's no built-in way to detect whether TSME is actually functioning. Even on Linux, identifying the change requires specialized auditing tools like HSI that most users don't run. The BIOS toggle remains present, creating the illusion that the feature still works.

This means millions of Ryzen users who updated their firmware may be operating under false assumptions about their system security. They see the BIOS option enabled and assume their memory is encrypted. It isn't.

Bug or deliberate segmentation?

Two explanations exist for what happened. The first is that AMD deliberately chose to reserve TSME for its higher-margin Pro lineup, effectively downgrading consumer chips through firmware. The second is that a firmware regression accidentally broke the feature, and AMD's refusal to discuss it stems from internal confusion rather than intentional policy.

Neither explanation flatters AMD. If deliberate, the company stripped security from products users already own without disclosure. If accidental, AMD has known about the bug for months through the GitHub investigation and still hasn't fixed it or acknowledged the issue publicly.

The community response on Reddit and hardware forums has been predictable outrage. Users describe the move as "artificial segmentation" and "bait and switch." The lack of transparency makes it difficult to trust that other security features won't receive similar treatment.

What TSME actually protects against

Transparent Secure Memory Encryption is a hardware-level feature that encrypts all data stored in system RAM. Its primary purpose is defending against cold boot attacks, where an attacker with physical access to a machine can freeze the memory modules and extract sensitive data, including encryption keys, even after the system powers down.

This isn't a theoretical threat. Security researchers have demonstrated cold boot attacks against unencrypted memory for over a decade. For users handling sensitive data, corporate environments requiring compliance, or anyone concerned about physical security, TSME provides meaningful protection.

AMD originally introduced the feature on high-end chips, then extended it to consumer processors. Users came to expect it as part of the platform's security baseline. Removing it silently breaks that expectation.

Frequently Asked Questions

How can I check if TSME is working on my Ryzen system?

On Linux, use Host Security ID (HSI) to audit your system's security configuration. On Windows, there's no built-in method, and the BIOS toggle alone doesn't confirm the feature is active.

Which AGESA firmware version removed TSME from consumer Ryzen CPUs?

AGESA version 1.2.7.0 is the firmware update that disabled TSME on consumer Ryzen processors while leaving Pro CPUs unaffected.

Does this affect AMD Ryzen Pro processors?

No. Testing confirmed that Pro versions of Ryzen CPUs retain TSME functionality regardless of firmware version or motherboard manufacturer.

Can I downgrade my BIOS firmware to restore TSME?

Potentially, but this depends on your motherboard manufacturer and carries risks. Contact your board vendor for guidance on reverting to pre-1.2.7.0 AGESA versions.

Has AMD officially acknowledged the TSME removal?

AMD has not issued any public announcement. The company's only statement claims TSME was always exclusive to Pro CPUs, contradicting years of the feature working on consumer chips.

Source: Latest from Tom's Hardware