Your Ryzen CPU used to encrypt your RAM. A firmware update silently turned that off.

TL;DRAMD silently disabled TSME memory encryption on consumer Ryzen CPUs via firmware. The silicon still supports it, but AMD says it’s now PRO-only.

AMD has silently disabled a security feature on its consumer Ryzen processors that protected users against physical attacks on their computer’s memory. The feature, Transparent Secure Memory Encryption, encrypts all data stored in RAM using a hardware-generated key that changes on every boot. When active, it renders cold boot attacks, DRAM interface snooping, and physical memory module removal useless because the extracted data is encrypted.

TSME worked on consumer Ryzen chips for years. A firmware update quietly turned it off, and AMD has refused to explain why.

The change was discovered in April by Ben Kilpatrick, a privacy-focused Linux user who was installing a new operating system on a machine running a Ryzen 7 9700X, part of AMD’s Zen 5 architecture. When he ran Host Security ID, an auditing tool that evaluates firmware and hardware security configurations, the output showed that encrypted RAM had changed from “Encrypted” to “Not supported” with no corresponding BIOS update or system change.

Kilpatrick filed a bug report on AMD’s public engineering GitHub repository. Two AMD engineers responded. Tom Lendacky, an AMD fellow software engineer, said he did not know what caused the change and suggested toggling the BIOS setting.