Users cry foul after AMD stripped memory crypto from its consumer CPUs
25 points by hoistbypetard
A couple people in the Ars comments brought up the possibility that it just never worked and was erroneously reporting that it did. I wonder if anyone ever actually verified that the memory was being encrypted.
Agreed. Even with things like ECC, while the system may report that things are working, it's really, really hard to verify that they are actually working on the hardware itself.
Also seems like a setting that would be recklessly dangerous to use without ECC, as I don't know what encryption they'd have to use where a bit flip wouldn't be disastrously more impactful.
That sounds better not worse?
If I'm going to have a hardware fault corrupt memory containing a pointer, if it happens to flip one of the low bits then it may very well produce another plausible pointer value and lead to my programs silently corrupting data. But if it flips a bit in an encrypted pointer then the corrupted value will be effectively random and there's a >99% chance on a 64-bit machine that it'll be invalid, so I'll get a clean crash rather than silent data corruption.
Odds are you'll get both more random crashes AND more rapid and widespread silent corruption. Not everything is a pointer.
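The two comments above are both about what a single flipped DRAM bit does once the line is ciphertext. This is an added simulation, not code from the thread or from AMD, that makes both effects visible on one 16-byte line (the AES-128 block size SME works in): a low-bit fault in a plaintext pointer leaves a plausible, still-canonical pointer, while the same fault in the ciphertext decrypts to a random block, so the pointer is almost certainly non-canonical, but every other byte sharing that block is garbage too. The cipher is a stand-in: a 4-round Feistel network with SHA-256 as the round function, chosen so the script runs on a stock Python install; the key, the pointer values and the trial count are constructed.

```python
"""Single-bit DRAM fault, plaintext vs. encrypted line (toy model, added example)."""
import hashlib
import random

ROUNDS = 4
KEY = b"constructed-demo-key"  # constructed; real SME keys never leave the SoC


def _round(half: int, r: int) -> int:
    # Feistel round function: keyed SHA-256 of the 64-bit half, truncated to 64 bits.
    digest = hashlib.sha256(KEY + bytes([r]) + half.to_bytes(8, "little")).digest()
    return int.from_bytes(digest[:8], "little")


def encrypt_block(block: bytes) -> bytes:
    """Stand-in for AES-128: a 128-bit balanced Feistel permutation."""
    L = int.from_bytes(block[:8], "little")
    R = int.from_bytes(block[8:], "little")
    for r in range(ROUNDS):
        L, R = R, L ^ _round(R, r)
    return L.to_bytes(8, "little") + R.to_bytes(8, "little")


def decrypt_block(block: bytes) -> bytes:
    L = int.from_bytes(block[:8], "little")
    R = int.from_bytes(block[8:], "little")
    for r in reversed(range(ROUNDS)):
        L, R = R ^ _round(L, r), L
    return L.to_bytes(8, "little") + R.to_bytes(8, "little")


def is_canonical_user_pointer(p: int) -> bool:
    # 48-bit virtual addressing: user-space pointers have bits 63..47 clear.
    return (p >> 47) == 0


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def simulate(trials: int = 2000, seed: int = 1) -> dict:
    """Inject one fault in the low byte of a pointer, with and without encryption."""
    rng = random.Random(seed)
    raw_canonical = enc_canonical = 0
    enc_bytes_changed = 0
    for _ in range(trials):
        ptr = rng.getrandbits(47) & ~0x7          # constructed 8-byte-aligned user pointer
        neighbour = rng.getrandbits(64)           # unrelated data sharing the 16-byte block
        line = ptr.to_bytes(8, "little") + neighbour.to_bytes(8, "little")
        bit = rng.randrange(8)                    # fault lands in one of the pointer's low bits

        # Plaintext DRAM: the fault changes exactly that bit of the pointer.
        raw_ptr = int.from_bytes(flip_bit(line, bit)[:8], "little")
        raw_canonical += is_canonical_user_pointer(raw_ptr)

        # Encrypted DRAM: the same fault hits ciphertext; the CPU decrypts whatever is there.
        dec = decrypt_block(flip_bit(encrypt_block(line), bit))
        enc_canonical += is_canonical_user_pointer(int.from_bytes(dec[:8], "little"))
        enc_bytes_changed += sum(a != b for a, b in zip(dec, line))

    return {
        "trials": trials,
        "raw_still_canonical": raw_canonical,       # silent: pointer still looks valid
        "enc_still_canonical": enc_canonical,       # rare: ~2^-17 per trial
        "avg_bytes_changed_encrypted": enc_bytes_changed / trials,  # whole block, ~15.9 of 16
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The `raw_still_canonical` count is the silent-corruption case: the pointer stays dereferenceable and nothing faults. The encrypted case trades that for a near-certain crash on the pointer, at the cost of the other eight bytes in the block being destroyed as well, which is the "not everything is a pointer" objection. ECC catches the flip before either happens.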
I work with AMD SEV (confidential computing suite) pretty often, researching ways to break it. It would not surprise me if this was a deliberate move from AMD.
It's been known for quite some time that AMD Ryzen CPUs support SEV [1], but they just don't get the firmware to run it. The Zen cores support running TSME and SEV. The same Zen cores are used to build Ryzens and EPYCs. It's just that one of the CPUs makes AMD a lot more money from data centers, who really want confidential computing.
Imagine if Ryzen CPUs supported SEV? Why would data centers buy the incredibly expensive EPYC when the much cheaper Ryzen could do what they want? Thus, AMD locks the SEV feature with proprietary firmware only distributed to EPYCs. Intel does this too. Sapphire Rapids (iirc) was marketed to have TDX (Intel's confidential computing suite). In the end, consumers who bought the Xeons did not end up getting it, but cloud providers did. There was a GitHub README from an Intel repo that listed the data centers which had TDX firmware for their Sapphire Rapids Xeons. Our research group bought a Sapphire Rapids Xeon anticipating using TDX... but in the end we couldn't.
It's the same deal with ECC on their APUs. You have to buy the PRO version to get guaranteed ECC support, while it's a bit 'spotty' with non-PRO CPUs, depending on the motherboard.
I just checked prices: the Pro version of, e.g., the 8700G, costs around €30 more. At least you have this option, unlike with Intel. A bit of a caveat is that the Pro versions, on the other hand, have a locked frequency multiplier.
During my research, I noticed AMD calls the RAM encryption "AMD Memory Guard". I think we should not kid ourselves that this stuff is all in the firmware and the CPUs (pro or non-pro) all support this stuff. It's a business decision.
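Two threads above come down to reading the same two registers: whether the box is actually encrypting DRAM (the "was it ever really on?" question), and whether the silicon advertises SEV at all independent of the firmware that makes it usable. This is an added example, not code from the thread or from AMD. It decodes CPUID leaf 0x8000001F (EAX bit 0 SME, bit 1 SEV, bit 3 SEV-ES, bit 4 SEV-SNP; EBX[5:0] the C-bit position, EBX[11:6] the physical-address reduction), which is what the CPU says it can do, and the SYSCFG MSR (0xC0010010) bit 23, MemEncryptionModEn, which is the bit the Linux kernel checks to decide whether SME/TSME is live. Reading live values uses the Linux `cpuid` and `msr` drivers under `/dev/cpu/N/` and needs root; the register values at the bottom are constructed so the decoder runs offline. Note what this does and does not prove: it reports the CPU's and firmware's own claim, which is exactly the claim the first commenter was sceptical of, not an independent observation of ciphertext in DRAM.

```python
"""Decode AMD memory-encryption capability vs. activation (added example)."""
import struct

CPUID_MEM_ENCRYPT_LEAF = 0x8000001F
MSR_AMD64_SYSCFG = 0xC0010010
SYSCFG_MEM_ENCRYPT_BIT = 23  # MemEncryptionModEn


def decode_leaf_8000001f(eax: int, ebx: int) -> dict:
    """Capability bits: what the silicon advertises, regardless of firmware."""
    return {
        "sme_supported": bool(eax & (1 << 0)),
        "sev_supported": bool(eax & (1 << 1)),
        "sev_es_supported": bool(eax & (1 << 3)),
        "sev_snp_supported": bool(eax & (1 << 4)),
        "c_bit_position": ebx & 0x3F,           # physical address bit that marks a page encrypted
        "phys_addr_reduction": (ebx >> 6) & 0x3F,
    }


def sme_active(syscfg: int) -> bool:
    """Activation: the bit the kernel's sme_enable() path keys off."""
    return bool(syscfg & (1 << SYSCFG_MEM_ENCRYPT_BIT))


def assess(eax: int, ebx: int, syscfg: int):
    caps = decode_leaf_8000001f(eax, ebx)
    active = sme_active(syscfg)
    if not caps["sme_supported"]:
        verdict = "no SME capability advertised"
    elif active:
        verdict = "SME/TSME active (SYSCFG.MemEncryptionModEn set)"
    else:
        verdict = "SME advertised but not enabled (SYSCFG bit 23 clear)"
    return caps, active, verdict


def read_cpuid(leaf: int, cpu: int = 0):
    """Linux cpuid driver: seek to the leaf, read 16 bytes = eax, ebx, ecx, edx."""
    with open(f"/dev/cpu/{cpu}/cpuid", "rb") as f:
        f.seek(leaf)
        return struct.unpack("<IIII", f.read(16))


def read_msr(msr: int, cpu: int = 0) -> int:
    """Linux msr driver: seek to the MSR number, read 8 bytes."""
    with open(f"/dev/cpu/{cpu}/msr", "rb") as f:
        f.seek(msr)
        return struct.unpack("<Q", f.read(8))[0]


def report(caps: dict, active: bool, verdict: str) -> None:
    for k, v in caps.items():
        print(f"  {k}: {v}")
    print(f"  active: {active}")
    print(f"  verdict: {verdict}")


if __name__ == "__main__":
    try:
        eax, ebx, _, _ = read_cpuid(CPUID_MEM_ENCRYPT_LEAF)
        syscfg = read_msr(MSR_AMD64_SYSCFG)
        print("live values:")
    except OSError as e:
        # Not root, not AMD, or msr/cpuid modules not loaded: fall back to constructed values.
        print(f"live read unavailable ({e}); using constructed sample values:")
        eax, ebx, syscfg = 0x1B, (5 << 6) | 47, 1 << SYSCFG_MEM_ENCRYPT_BIT
    report(*assess(eax, ebx, syscfg))
```

On a Ryzen this typically shows the SEV capability bits set while only the SME/TSME activation bit tells you anything about your own machine; the SEV bits are the "silicon can, firmware won't" case from the comment above. The kernel also prints a "Memory Encryption Features active" line at boot derived from the same SYSCFG check, so `dmesg` gives the same answer without root access to the MSR device.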