AMD stripped memory encryption from your Ryzen, then put it back after the backlash
AMD quietly dropped RAM encryption from consumer Ryzen 9000 chips in a firmware update. A Linux hobbyist caught it, the community revolted, and AMD is reinstating it in July.
AMD stripped a hardware security feature out of its consumer Ryzen chips, said nothing, and got caught. Now, after weeks of public pressure, the company says the feature is coming back in a July firmware update.
The feature is Transparent Secure Memory Encryption, or TSME, a form of AMD’s Secure Memory Encryption that scrambles the entire contents of a system’s RAM in hardware. It vanished from non-PRO Ryzen 9000 parts in a firmware release, quietly, with no changelog note and no setting in the BIOS to flag the change. Most owners never knew it had left. That’s the part that turned a niche firmware tweak into a multi-day argument across Hacker News, Reddit, and the tech press.
What we know
- TSME disappeared from consumer Ryzen 9000 chips with AGESA 1.2.7.0, the firmware layer motherboard vendors fold into their BIOS updates. No silicon change was needed, so the removal was a software decision, not a hardware limit.
- The change was caught by a Linux hobbyist, Ben Kilpatrick, after the
fwupdHost Security ID audit on his Ryzen 7 9700X reported “encrypted RAM: not supported.” He spent months running the regression down before going public. - Windows offered no signal at all. The operating system doesn’t report whether memory encryption is on, so a Windows owner had no way to notice. Detection took Linux tooling.
- The same TSME hardware still ships on AMD PRO business chips and EPYC server parts. Only the consumer line lost the switch.
- After the backlash, AMD reversed course and committed to returning the option in a July BIOS release.
- Asus didn’t wait. It shipped beta BIOS updates for select AM5 boards that put TSME back ahead of AMD’s own timeline.
AMD framed the reversal as a response to its users. “Based on valuable community feedback, we will reinstate this option in an upcoming BIOS release in July,” the company said. What it still won’t say is why the option ever left.
So what does this feature actually do? With SME active, the memory controller encrypts data on its way into RAM and decrypts it on the way out, using a key the CPU generates at boot and never exposes to software. Pull the DIMMs out of a running or recently powered machine, freeze them, and read them in another rig, the classic cold-boot attack, and you get ciphertext instead of your login session, your disk-encryption keys, or whatever else was sitting in memory. It’s protection for data at rest in RAM, aimed squarely at someone with physical access to the box. A stolen laptop. A seized desktop. A server in a colo you don’t fully control.
What we don’t know
The reinstatement closes the immediate gap, but several questions sit open. AMD answered the “what” within weeks. The “why” is still missing.
- Why AMD removed it from Ryzen 9000 in the first place. The company hasn’t explained the original decision, and its engineers reportedly went quiet when pressed.
- Whether it was a deliberate product-segmentation move (push privacy-minded buyers toward pricier PRO chips) or an accidental regression that nobody caught internally.
- Exactly which boards and chips get the fix first, and how fast vendors past Asus will ship the July AGESA down to their AM5 lineups.
- Whether older Ryzen generations were touched by the same firmware path, or only the 9000 series.
Who reported this
The removal was traced by Ben Kilpatrick and surfaced through firmware-security tooling, then picked up by Tom’s Hardware, TechPowerUp, and a Slashdot thread that pulled in the wider community. AMD’s reinstatement statement and the Asus beta-BIOS confirmation closed the loop.
What this means for you
If you run a Ryzen 9000 desktop and you care about someone walking off with your machine, check your firmware. On Linux, fwupd and its Host Security ID report tell you whether encrypted RAM is on. On Windows, you’re flying blind, so the practical move is to update to the July BIOS once your board vendor ships it, or grab an Asus beta now if you’re on a supported AM5 board. For most people, full-disk encryption like BitLocker or LUKS is still the bigger lever, and it’s the one you actually control. But memory encryption is the layer that catches what disk encryption can’t: the keys and live data sitting decrypted in RAM. The real lesson here isn’t about one toggle. It’s that a security feature can disappear from hardware you already own, through a routine firmware update, and you might never find out. That a hobbyist with the right tooling is what stood between “quietly removed” and “quietly reinstated” should bother you more than the bug did.
Share this article
Quick reference
Sources
- AMD silently removes memory encryption from consumer Ryzen CPUs — Tom's Hardware
- AMD Quietly Drops Memory Encryption Feature from Consumer Ryzen CPUs — TechPowerUp
- Asus beta BIOS updates restore Ryzen 9000 memory encryption ahead of AMD's July timeline — Tom's Hardware
- Following user outcry, AMD reinstates memory encryption in consumer CPUs — Slashdot