This was never marketed as a feature of the consumer CPUs and if some malignant actor does get physical access to my (consumer) hardware, then them being able to read out bytes through cryo-freezing the RAM really isn't high up on the list of things I'm going to worry about.
Reminds me of that Seinfeld episode where George tries to move a Frogger arcade machine without powering it off in order to not lose his high score leaderboard.
Transparent communication would have been appreciated nonetheless. You have customers not just lawyers on the other side, it's not just about making sure you're legally covered.
Let me give you an analogy: If you e.g. figure out some undocumented endpoints for a REST API, which are intended for internal use only, and started using them, do you expect the developers to inform you about changes?
As far as AMD is concerned, this was never supported, nor documented. Now pulling the rug with a firmware update isn't a very nice thing to do, but maybe they've had some actual reason for that beyond "this shouldn't be enabled". Nobody should expect undocumented and unsupported features to just continue to work in perpetuity, simply because they did work at some point in the past.
There is more nuance to this. Let me give you a better example that actually happens — SSDs. Manufacturer will tell you some miniscule amount of specifications, such as that the drive reads and writes some amount of MB/s. That's basically the only spec you get. Reviewers review this drive. It is a really good drive, dedicated controller, MLC/TLC flash, all the good stuff. It gets raving reviews. Some months after this, during which the drives have been selling like hot-cakes and have been recommended everywhere, the manufacturer swaps parts, without creating a new SKU/model. Some examples are swapping TLC flash for QLC flash, making the SSD DRAMless when it had a dedicated RAM before and such, all negatively affecting the performance in some way. After the changes, you can still read/write with the advertised speeds, but only for 10GB instead of indefinitely or the drive has much worse latency or what have you, you basically got bait-and-switched and bought an inferior product to what was expected. The question is, is this ok? I think it is not ok, even though the manufacturer technically did not promise all the seemingly undocumented stuff (although one could argue that it has been documented by the reviewers).
That's an asinine take. We're not talking about a remote subscription service changing an undocumented implementation detail. Physical artifacts shouldn't lose features due to the remote action of the company that made them.
And? do you worry about the gaming server owner's neighbour breaking in, freezing the ram, quickly transferring it to another machine and reading it off?
So reading between the lines, you're saying it's bad for AMD to disable undocumented features because people still might have bought them for those undocumented features, particularly for gaming servers?
You shouldn't be remotely disabling hardware features in my opinion at all. It's not really like changing an API or something, this is like an update removing something from your car or another appliance years after you bought it.
Yeah, basically you'd trade uncertainty for the ability to remotely enable/disable hardware features not ready at launch I understand, which totally makes sense as a position, I probably agree with you. I think from AMD's side they like the option of being able to remotely enable things though, so new software updates in the future could be major releases enabling functionality that wasn't quite ready at launch. But, I suppose the uncertainty is the tradeoff here.
Yes, it's AES with a tweak based on the physical address. It adds some protection from RowHammer and the like because flipping a bit in encrypted memory is catastrophic, while it can be done in a controlled manner if it's not encrypted.
If it can be silently removed was it a security feature?
Whilst I hate companies paying engineers to make things worse just to segment their market; I am not really seeing this as an important feature outside the data-center? If an evil-maid has hardware access they hack the USB and/or PCI not the RAM surely?
if anyone does it sneakily, there is alleged wrongdoing attached to it. I can imagine multiple scenarios like some well-known Israeli company "selling their software only to governments", paying quite amount of money for it, because they were unable to break this one.
Probably not from a legal perspective, but morally yes. Apple cause batterygate with good intentions but sneakily. Not being transparent is what shot them in the foot. AMD didn't learn anything or think this is small-time so no blowback (sadly they might be right).
> Apple cause batterygate with good intentions but sneakily.
Sure, the Apple's intentional performance degradation of older iPhones was caused by only good intentions, not a form of planned obsolescence in any way. How could it be?
If you ever had to use an iPhone that would just shut off randomly with like 30% battery "remaining", you'd probably be singing a different tune and appreciative your device became somewhat more usable with the changes.
I'd expect the battery charge estimation to be recalibrated to account for the reduced capacity, not the hardware being deliberately hobbled to hide it.
> Sneakily and silently removing a feature in a firmware revision is not acceptable
What if said feature was sneakily and silently added in the first place? Wouldn't it be acceptable to sneakily and silently removing it in the future then? Or regardless of if it was documented/announced or not, removing anything sneakily and silently is bad?
I would be fine with this if it meant CPUs became slightly cheaper, but we know that's not going to happen.
And there's been talk that now the so-called "AI companies" will start using more CPUs as well, due to "personal agentic agents", so I hope that people won't be priced out of CPUs too...
It's a shame there is no software-based memory encryption included in the linux kernel. Especially cloud providers can easily snoop all your keys and you have zero recourse.
There was a patch called Tresor that did this, but I don't think it was updated for a long time.
You have to store the encryption key in CPU registers and ensure it's not saved to RAM during task switching or power suspend operations. Tresor used x86-specific debug registers for it, but you could potentially use unused SIMD registers if you masked-off the CPUID bits for them and disabled them for access by user-space.
But securing against attacks from a hostile hypervisor or a server provider needs more than just memory encryption, because they can intercept any part of the boot process and control the hardware/firmware that can lie to your kernel.
To counter that you'd need something like AMD SEV(ES/SNP) with measured boot and remote attestation to switch the only thing you trust to the CPU manufacturer (best you can do IMO).
It's not bad at all. Long story short, this feature prevented people stealing your ram stick off of your machine, super-freezing it and quickly moving it to their machine before the charge runs out and read off whatever bits are still left intact.
It prevented it by having a hardware module on the CPU's memory controller that AES encrypts the contents you are sending to DRAM, and decrypts it before reading it back to the CPUs memory structures. All with hardware keys completely invisible to software (and one that is basically impossible to manipulate physically).
And you need to be able to do it multiple times for the bits of memory that you want to snoop on, to be the bits that survive the transfer.
> To be fair to AMD, there is no clear indication that the company ever publicly advertised TSME as a consumer Ryzen feature.
A feature that was possibly accidentally enabled on consumer chips is now being disabled. I would guess that the number of owners of consumer chips who also relied on them for encryption is exceedingly small.
The primary concern persists. The manufacturer has an exceptional amount of control of the state of your CPU most of which you cannot change and an unknown chunk of which you cannot even see. We are sort of playing in a fools paradise.
How can manufacturers simultaneously have exceptional control over flags and not enough control to know what flags are enabled on their shipping products?
AMD, historically, has taken a "we don't test enterprise features on consumer SKUs, but we don't fuse them off if you really want to qualify it or let them try it" approach to e.g. ECC on consumer chips with Zen.
So it's quite possible they were doing the same with TSME, and either made a rude marketing decision that the people using it on consumer chips would probably pay for PRO chips if they were prevented from doing so, or kept getting people attempting to RMA the chips for a feature they never said worked on them not working, or there's some systemic flaw in the consumer chip's implementation that they didn't feel like trying to qualify fixing versus just killing the not-guaranteed support.
Hard to guess without more data than just them going silent about it.
They always had control. Awareness is a different thing. You could just as well ask "if you've written every line of code, why did you write that bug?".
I'm trying to progress the discussion past "we don't know if it was intentional". We know it was intentional. What was the intention of having it on before and what is the intention of turning it off?
AMD has limited control over what motherboard manufacturers do. And there have been plenty of examples demonstrating motherboard vendors don't fully understand what they are doing. Stuff like shipping builds with example/placeholder keys, ridiculous voltage settings which destroy the cpu.
Even if motherboard vendors don't have full control to configure to freely change every flag, they probably have access to some kind of debug/development firmware which has a lot more features enabled than what you would have in consumer builds.
> A feature that was possibly accidentally enabled on consumer chips is now being disabled.
Bro what are you smoking? The highly paid and experienced engineers designing these chips could have "possibly enabled" the feature on consumer chips.
The chips were designed with the feature as it is cheaper to do everything right from the get go and disable functionality rather than design a less capable chip then tack on the feature afterwards, just as the consumer versions of Windows are the server versions with functionality removed.
I wonder what the additional power draw of these features would be. Parenthetically, I wonder often about the energy impact of all these HTTPS localhost links, and is there a point where defense-in-depth has to give way to other concerns?
But yeah 95% of the consumer market don't care about this and it's only adding unnecessary costs
Consumers were always capable of disabling it themselves if they didn't need it. The performance impact seems to be ~3% on average, impact on power consumption is probably similar or less since any extra delay idling can destroy performance while not having as big impact on power consumption. https://www.phoronix.com/review/amd-memory-guard-ram-encrypt...
Any extra cost would be mostly due to power consumption and testing that the feature works (which they probably don't do for consumer skews anyway). The area of silicon used by the feature is probably negligible, from the manufacturing costs it's cheaper to avoid any unnecessary design differences between skews.
It is sad that once again we will be exposed to more criminals trying to steal our data. Memory encryption not only allows to secure memory from physical "cold RAM", but also prevents loss of encryption keys as it hides the content during transfer.
For what it's worth, RAM encryption belongs to professional SKUs. It's the right business decision that should have been made from from the very beginning.
For most consumer users, RAM encryption primarily adds power consumption and heat generation while providing little practical benefit. They simply don't face many of the threat vectors and attack scenarios that certain industries and enterprise environments must contend with.
I disagree, I play a lot around with enterprise stuff. Its insane that I need to buy enterprise grade hardware that costs 1000x more for lab/experimentation/learning. My only alternative is to wait a few years, and get it from Ebay.
I also believe that a strong reason that Optane pdimm's failed, was that it was only available on enterprise servers so hackers didn't get a chance to play with it and build software that took advantage of this special hardware.
Just look at how specialized Infiniband is, even though its awesome and has some great use cases. If it was a commodity tech, there would be 100x times more applications/software that took advantage of it.
ECC passively benefits everyone, even people who don't know what it is or why it's useful. Anyone can be a victim of random bit flips, it's not a targeted threat.
Memory encryption, on the other hand, provides absolutely no benefit to 99.999% of users. If you consider yourself to be such a high value target that you suspect someone might gain physical access to your hardware without your knowledge and carry out extremely sophisticated hardware attacks to extract your data, you are a tiny minority and it makes sense that such niche protections would require buying specialized hardware. Even then, the odds of such an attack being chosen instead of a far less sophisticated software-based approach are also tiny.
Of course, if the hardware itself supports the feature and AMD simply decided to disable it, that's still a shitty thing to do, but let's not pretend that it is in any way comparable to ECC.
This is an absurd take since the referenced chips in the article are all desktop parts, and the power usage is dwarfed by any “modern” (within the last five years) GPU.
There are many people, myself included who opt to use security features like this. All this does is reduce security for folks without any legitimate reason. “Power consumption” is absolutely not a valid excuse to completely disable it.
I’ve been a fan of AMD for a while now but they’re really jumping the shark these days. It’s a real shit situation we’re all in because of the lack of competition in consumer CPUs. I can only hope things like RISCV take off sooner than later.
https://youtu.be/5etwHVarNgI?t=256
As far as AMD is concerned, this was never supported, nor documented. Now pulling the rug with a firmware update isn't a very nice thing to do, but maybe they've had some actual reason for that beyond "this shouldn't be enabled". Nobody should expect undocumented and unsupported features to just continue to work in perpetuity, simply because they did work at some point in the past.
Whilst I hate companies paying engineers to make things worse just to segment their market; I am not really seeing this as an important feature outside the data-center? If an evil-maid has hardware access they hack the USB and/or PCI not the RAM surely?
Probably not from a legal perspective, but morally yes. Apple cause batterygate with good intentions but sneakily. Not being transparent is what shot them in the foot. AMD didn't learn anything or think this is small-time so no blowback (sadly they might be right).
Sure, the Apple's intentional performance degradation of older iPhones was caused by only good intentions, not a form of planned obsolescence in any way. How could it be?
What if said feature was sneakily and silently added in the first place? Wouldn't it be acceptable to sneakily and silently removing it in the future then? Or regardless of if it was documented/announced or not, removing anything sneakily and silently is bad?
And there's been talk that now the so-called "AI companies" will start using more CPUs as well, due to "personal agentic agents", so I hope that people won't be priced out of CPUs too...
You have to store the encryption key in CPU registers and ensure it's not saved to RAM during task switching or power suspend operations. Tresor used x86-specific debug registers for it, but you could potentially use unused SIMD registers if you masked-off the CPUID bits for them and disabled them for access by user-space.
But securing against attacks from a hostile hypervisor or a server provider needs more than just memory encryption, because they can intercept any part of the boot process and control the hardware/firmware that can lie to your kernel.
To counter that you'd need something like AMD SEV(ES/SNP) with measured boot and remote attestation to switch the only thing you trust to the CPU manufacturer (best you can do IMO).
Interesting insight. Any reason why the key can't be kept exclusively in the secure enclave / trusted platform module / crypto coprocessor?
It prevented it by having a hardware module on the CPU's memory controller that AES encrypts the contents you are sending to DRAM, and decrypts it before reading it back to the CPUs memory structures. All with hardware keys completely invisible to software (and one that is basically impossible to manipulate physically).
And you need to be able to do it multiple times for the bits of memory that you want to snoop on, to be the bits that survive the transfer.
A feature that was possibly accidentally enabled on consumer chips is now being disabled. I would guess that the number of owners of consumer chips who also relied on them for encryption is exceedingly small.
The primary concern persists. The manufacturer has an exceptional amount of control of the state of your CPU most of which you cannot change and an unknown chunk of which you cannot even see. We are sort of playing in a fools paradise.
They either have that control or they don't.
So it's quite possible they were doing the same with TSME, and either made a rude marketing decision that the people using it on consumer chips would probably pay for PRO chips if they were prevented from doing so, or kept getting people attempting to RMA the chips for a feature they never said worked on them not working, or there's some systemic flaw in the consumer chip's implementation that they didn't feel like trying to qualify fixing versus just killing the not-guaranteed support.
Hard to guess without more data than just them going silent about it.
I guarantee you that there's one small company that put 1,000 of these chips in a server room or datacentre though, and they're now completely boned.
Bro what are you smoking? The highly paid and experienced engineers designing these chips could have "possibly enabled" the feature on consumer chips.
The chips were designed with the feature as it is cheaper to do everything right from the get go and disable functionality rather than design a less capable chip then tack on the feature afterwards, just as the consumer versions of Windows are the server versions with functionality removed.
But yeah 95% of the consumer market don't care about this and it's only adding unnecessary costs
Any extra cost would be mostly due to power consumption and testing that the feature works (which they probably don't do for consumer skews anyway). The area of silicon used by the feature is probably negligible, from the manufacturing costs it's cheaper to avoid any unnecessary design differences between skews.
For most consumer users, RAM encryption primarily adds power consumption and heat generation while providing little practical benefit. They simply don't face many of the threat vectors and attack scenarios that certain industries and enterprise environments must contend with.
I also believe that a strong reason that Optane pdimm's failed, was that it was only available on enterprise servers so hackers didn't get a chance to play with it and build software that took advantage of this special hardware.
Just look at how specialized Infiniband is, even though its awesome and has some great use cases. If it was a commodity tech, there would be 100x times more applications/software that took advantage of it.
this is approximately the same discussion as with ECC RAM: the benefits vastly outweigh the slight performance loss and die area increases.
Memory encryption, on the other hand, provides absolutely no benefit to 99.999% of users. If you consider yourself to be such a high value target that you suspect someone might gain physical access to your hardware without your knowledge and carry out extremely sophisticated hardware attacks to extract your data, you are a tiny minority and it makes sense that such niche protections would require buying specialized hardware. Even then, the odds of such an attack being chosen instead of a far less sophisticated software-based approach are also tiny.
Of course, if the hardware itself supports the feature and AMD simply decided to disable it, that's still a shitty thing to do, but let's not pretend that it is in any way comparable to ECC.
There are many people, myself included who opt to use security features like this. All this does is reduce security for folks without any legitimate reason. “Power consumption” is absolutely not a valid excuse to completely disable it.
I’ve been a fan of AMD for a while now but they’re really jumping the shark these days. It’s a real shit situation we’re all in because of the lack of competition in consumer CPUs. I can only hope things like RISCV take off sooner than later.