
Let me say this upfront: I’ve been building PCs since the Athlon XP days. I’ve watched AMD claw its way back from near-bankruptcy with Bulldozer to the outright dominance of Ryzen. I’ve recommended Ryzen processors to friends, colleagues, and readers of this blog — more times than I can count.
So what I’m about to say doesn’t come from a place of brand hate. It comes from a place of deep disappointment.
AMD just took away a security feature from millions of consumer Ryzen CPUs. Quietly. Without warning. Without a changelog entry. Without even telling customers it was gone.
That feature is Transparent Secure Memory Encryption — TSME. And if you own a Ryzen system, there’s a solid chance you lost it without ever knowing you had it.
What TSME Actually Does (and Why You Should Care)
TSME is one of those rare security features that actually deserves the word “transparent” in its name. It encrypts everything in your system RAM — every byte, every page, every process — using a dedicated AES engine built directly into the CPU. No software needed. No configuration. No performance hit you’d notice in real-world use. AMD’s own benchmarks put the overhead at under 5%.
The practical upshot: if someone steals your laptop, yanks your RAM sticks, or tries a cold-boot attack on your desktop, the data they get is cryptographic noise. Not your passwords. Not your private keys. Not your crypto wallet. Noise.
Contrast this with software-based encryption like BitLocker or LUKS. Those work at the disk level — they protect data at rest on your SSD, but the moment it’s loaded into RAM for actual use, it’s sitting there in plaintext. A determined attacker with physical access can bypass disk encryption by going straight for the memory chips. TSME was the hardware-level shield that closed that gap.
This matters for more people than you might think. Developers storing API keys. Journalists with confidential sources. Anyone running a crypto wallet on their PC. Government employees working from home. Even regular users who assume their machine is reasonably secure against theft.
The Discovery — One Linux User, Months of Digging
The story of how this was uncovered is almost as interesting as the removal itself. It starts with Ben Kilpatrick, a privacy-conscious Linux user who installed a fresh OS on his Ryzen 7 9700X (Zen 5) in April 2026. He ran a firmware security audit tool called Host Security ID and saw something odd: “Encrypted RAM — not supported.”
But Kilpatrick had logs from earlier that showed TSME was active on this same hardware. Something had changed.
Most people would shrug and move on. Kilpatrick dug. He contacted MSI engineers. He filed AMD bug reports. He collected ABL (AMD Boot Loader) dumps and BIOS firmware comparisons across multiple motherboard vendors — MSI, Gigabyte, Asus. What he found is damning.
On identical motherboards running the same AGESA firmware:
- Consumer Ryzen 9800X3D: TSME disabled, regardless of BIOS setting
- Ryzen PRO 9945: TSME enabled and working
The internal firmware flag DfIsTsmeEnabled returned FALSE on consumer parts and TRUE on PRO parts — even when the BIOS toggle was set to ENABLED.
MSI’s product team eventually confirmed to Kilpatrick what AMD wouldn’t say publicly: “AMD officially communicated to MSI that TSME is exclusively supported on PRO series processors.”
The Silence Is the Story
Here’s where it gets worse. When confronted with this evidence on AMD’s public engineering GitHub, the company’s response was essentially a door slam.
Tom Lendacky, an AMD fellow, initially suggested toggling the BIOS option or contacting the motherboard vendor — standard tech-support deflection. Mario Limonciello, a senior principal engineer, gave similar advice. But when presented with MSI’s detailed testing showing the DfIsTsmeEnabled flag discrepancy and asked point-blank whether this was a silicon limitation or a firmware policy decision, Limonciello closed the thread with: “My apologies; but I don’t have any more information to share on this topic.”
That’s it. Seven weeks of investigation. Multiple vendors confirming the behavior. An internal flag that tells the truth even when the BIOS lies. And AMD’s answer is basically “no comment.”
Ars Technica’s Dan Goodin reached out to AMD directly. The company’s only statement: TSME “is a security feature only applied to PRO CPUs as part of AMD PRO Technologies.” That single sentence — buried in an email response — is, as Ars notes, the first time AMD has ever made this restriction public. After years of engineers confirming TSME support on consumer chips. After years of users relying on it. After years of the feature working just fine.
This Isn’t About One Feature — It’s About Trust
Let’s be clear about what happened here, because it’s worse than a feature removal.
AMD did not announce this change. They did not document it in the AGESA 1.2.7.0 release notes. They did not warn motherboard vendors to update their BIOS descriptions (many still show TSME as an available option that simply does nothing). They did not provide any detection mechanism for Windows users — if you’re on Windows, you have no way to know whether TSME is actually encrypting your RAM or just pretending to.
This is the architectural equivalent of removing the deadbolt from your front door, leaving the handle lock, and not telling you. The door still looks the same. It still feels like it locks. But the actual protection you thought you had is gone.
When I wrote about SSH server hardening recently, the underlying message was simple: security isn’t just about what you configure — it’s about what you can trust. And hardware trust is supposed to be the foundation everything else sits on. When your CPU vendor silently degrades that foundation, the whole stack gets wobblier.
The timing makes this particularly suspect. TSME has been working on consumer Ryzen chips for years. It was confirmed functional by AMD engineers. It was documented. It was tested. Then, quietly, a firmware update flips an internal flag and it’s gone — just as the company rolls out a new generation of PRO processors that conveniently keep the feature as a paid “enterprise” differentiator.
Is this a deliberate market segmentation play? A bug that AMD won’t acknowledge? An overcorrection by a legal department worried about enterprise feature parity? We don’t know — because AMD won’t say. And that’s exactly the problem.
The Bigger Picture: Hardware Trust in 2026
This story lands at an uncomfortable moment for hardware security. We’re at a point where supply chain attacks are getting more sophisticated, where state-sponsored threat actors are targeting the tech industry at scale, and where the distinction between consumer and enterprise hardware is becoming less a matter of features and more a matter of safety.
I’ve written before about Privacy by Design — the idea that security should be built into systems from the start, not bolted on later. TSME was the hardware embodiment of that principle. It just worked. No configuration, no opt-in, no user education required. The CPU handled encryption below the OS level, and you didn’t have to think about it.
Now, if you want that protection on an AMD system, you need to pay for a PRO or EPYC processor. That’s a significant price jump — often hundreds of dollars — for a feature that was already in the silicon you bought.
What You Can Actually Do
If you’re sitting there wondering whether your Ryzen system still has TSME, here’s the practical advice.
On Linux: Run a security audit tool. Host Security ID (HSI) is built into fwupd — just run fwupdmgr security in a terminal and look for “Encrypted RAM.” If it says “Not supported” and you have AGESA 1.2.7.0 or newer, TSME is likely gone even if your BIOS shows it as enabled.
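An added example, not from the original post or from fwupd: it compares a saved `fwupdmgr security --json` report against a current one and lists checks that used to pass and no longer do, which is how a silent change like this one shows up after a firmware update. The field names (`SecurityAttributes`, `AppstreamId`, `HsiResult`, `Flags`) and the `org.fwupd.hsi.EncryptedRam` id are assumptions about fwupd's JSON output, and both sample reports are constructed.

```python
import json

ENCRYPTED_RAM = "org.fwupd.hsi.EncryptedRam"  # assumed HSI id for the "Encrypted RAM" check

# Constructed reports (not captured from real hardware), trimmed to the fields used here.
BASELINE = """{"SecurityAttributes": [
 {"AppstreamId": "org.fwupd.hsi.EncryptedRam", "HsiResult": "encrypted", "Flags": ["success"]},
 {"AppstreamId": "org.fwupd.hsi.Uefi.SecureBoot", "HsiResult": "enabled", "Flags": ["success"]}
]}"""
AFTER_UPDATE = """{"SecurityAttributes": [
 {"AppstreamId": "org.fwupd.hsi.EncryptedRam", "HsiResult": "not-supported", "Flags": []},
 {"AppstreamId": "org.fwupd.hsi.Uefi.SecureBoot", "HsiResult": "enabled", "Flags": ["success"]}
]}"""


def load_attrs(report_json):
    """Map each attribute id to (result string, passed?) for one report."""
    doc = json.loads(report_json)
    attrs = {}
    for attr in doc.get("SecurityAttributes", []):
        passed = "success" in attr.get("Flags", [])
        attrs[attr["AppstreamId"]] = (attr.get("HsiResult", "unknown"), passed)
    return attrs


def regressions(baseline_json, current_json):
    """List checks that passed in the baseline but fail or are absent now."""
    before, after = load_attrs(baseline_json), load_attrs(current_json)
    lost = []
    for attr_id in sorted(before):
        old_result, old_ok = before[attr_id]
        new_result, new_ok = after.get(attr_id, ("missing", False))
        if old_ok and not new_ok:
            lost.append((attr_id, old_result, new_result))
    return lost


def encrypted_ram_result(report_json):
    """Result string for the Encrypted RAM check, or 'missing' if not reported."""
    return load_attrs(report_json).get(ENCRYPTED_RAM, ("missing", False))[0]


if __name__ == "__main__":
    print("Encrypted RAM now:", encrypted_ram_result(AFTER_UPDATE))
    for attr_id, old, new in regressions(BASELINE, AFTER_UPDATE):
        print(f"REGRESSION {attr_id}: {old} -> {new}")
```

On a real machine, save the output of `fwupdmgr security --json` before and after each firmware update and pass the two files' contents to `regressions`.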
On Windows: You can’t easily check. There is no built-in Windows tool that reports TSME status, and the BIOS setting is misleading. This is a gaping hole that AMD should have addressed before making the change.
Your options: If you need memory encryption on a consumer system, you’re now limited to software-based approaches, and those don’t cover the same ground. Full-disk encryption (BitLocker on Windows, LUKS on Linux) protects data at rest but not data actively in RAM. For most users, that’s still the baseline you should have anyway. For higher-security scenarios, Intel’s Total Memory Encryption (TME) remains available on their consumer parts — at least for now — though it’s worth noting that Intel has its own history of market segmentation around security features.
Roll back your firmware? Technically possible on some boards, but not recommended. Older AGESA versions lack other important security patches and platform fixes. You’d be trading one set of vulnerabilities for another.
The Bottom Line
AMD built its Ryzen reputation on giving consumers more for less — more cores, more performance, more features at every price point. That’s what made the platform exciting. That’s what convinced a generation of builders to go team red.
Removing TSME isn’t just a feature regression. It’s a breach of the implicit contract between a hardware company and its users: that the product you bought will keep working the way it did when you bought it, and that if something changes, you’ll be told.
I still think Ryzen processors are excellent. The performance, the efficiency, the platform longevity — all of that remains true. But I can’t look at this the same way I did a month ago. AMD just demonstrated that a firmware update can silently remove a working security feature from your CPU, and they won’t even explain why. That’s the kind of thing that makes you wonder what else might quietly disappear.
This isn’t the first time a tech company has made a consumer-hostile decision in the name of market segmentation. It won’t be the last. But when it’s done silently — when customers don’t even know what they lost — it crosses a line from disappointing to dishonest.
AMD, if you’re listening: your users deserve an explanation. Not a canned PR line about PRO Technologies. Not a closed GitHub thread. A real answer. Because trust, unlike a firmware flag, is very hard to flip back on.