Users cry foul after AMD stripped memory crypto from its consumer CPUs
Users cry foul after AMD stripped memory crypto from its consumer CPUs
AMD 在未告知的情况下取消了消费级 CPU 的内存加密功能,引发用户不满
A decade ago, AMD added a protection to its high-end CPUs to protect them against cold boot attacks and other types of physical exploits that siphon sensitive data out of the connected memory chips. Short for Transparent Secure Memory Encryption, TSME encrypts the entire contents stored in memory, making the data useless to physical attackers.
十年前,AMD 为其高端 CPU 增加了一项保护措施,以抵御冷启动攻击及其他旨在从连接的内存芯片中窃取敏感数据的物理攻击。TSME(透明安全内存加密)会对内存中存储的全部内容进行加密,使物理攻击者无法获取有效数据。
Over time, AMD added TSME to lower-end processors, including the consumer version of its Ryzen chips, a CPU that costs less than the Pro version. Over the years, users of these lower-end chips have gotten used to the added security. Recently and without warning or notice, this lower-end line of AMD chips suddenly dropped the protection, and did so in a way that was impossible to detect on Windows machines and required a fair amount of technical work when using Linux.
随着时间的推移,AMD 将 TSME 扩展到了更低端的处理器上,包括价格低于 Pro 版本的消费级 Ryzen 芯片。多年来,这些低端芯片的用户已经习惯了这种额外的安全性。然而最近,AMD 在没有任何警告或通知的情况下,突然取消了这一产品线的保护功能。这种变化在 Windows 机器上几乎无法察觉,而在 Linux 系统下则需要相当复杂的专业技术手段才能发现。
AMD has yet to say why TSME worked on these CPUs, or even to confirm the change. AMD declined to answer questions sent by email other than to say TSME “is a security feature only applied to PRO CPUs as part of AMD PRO Technologies.” The statement is the first known time the chipmaker has explicitly made this restriction public.
AMD 尚未说明为何这些 CPU 此前支持 TSME,甚至没有正式确认这一变更。除了表示 TSME 是“作为 AMD PRO 技术的一部分,仅应用于 PRO 系列 CPU 的安全功能”外,AMD 拒绝回答通过电子邮件发送的询问。这是该芯片制造商首次公开明确这一限制。
In April, Ben Kilpatrick, who describes himself as a “privacy-conscious Linux hobbyist,” was installing a new OS on his machine running a Ryzen 7 9700X from the Zen 5 architecture. To check that all security protections were enabled, he had his machine run Host Security ID (HSI), an auditing feature that evaluates the firmware and hardware security configurations. To his surprise, HSI showed TSME was no longer possible, as indicated by the “encrypted RAM: not supported” line near the bottom of the screenshot below.
今年 4 月,自称为“注重隐私的 Linux 爱好者”的 Ben Kilpatrick 在其搭载 Zen 5 架构 Ryzen 7 9700X 的机器上安装新操作系统时,运行了主机安全 ID (HSI) 审计功能以检查安全配置。令他惊讶的是,HSI 显示 TSME 已不再可用,屏幕截图底部显示“加密内存:不支持”。
This sent Kilpatrick into a monthslong investigation to figure out what had happened. After sending an inquiry to both the support and engineering teams at MSI, the manufacturer of his motherboard, he finally convinced company engineers to run tests. They found that consumer versions of Ryzen running on MSI and Gigabyte motherboards had TSME enabled when an older firmware version, available exclusively through the AMD Generic Encapsulated Software Architecture (AGESA), was used during the boot process. When the firmware in a newer AGESA, specifically version 1.2.7.0, ran instead, TSME showed as “not supported.”
这促使 Kilpatrick 进行了长达数月的调查。在向主板制造商微星 (MSI) 的支持和工程团队咨询后,他最终说服了公司工程师进行测试。他们发现,当使用旧版 AGESA(AMD 通用封装软件架构)固件时,微星和技嘉主板上的消费级 Ryzen 芯片确实启用了 TSME。而当使用较新的 AGESA 1.2.7.0 版本固件时,TSME 则显示为“不支持”。
“The big outstanding question is whether this is a deliberate policy decision by AMD to restrict TSME to PRO chips, or an unintentional regression that was introduced in AGESA 1.2.7.0,” Kilpatrick told Ars. He continued: The reason that distinction matters is that if it is deliberate policy, AMD made a conscious decision to remove a working feature from consumer hardware and restrict it to enterprise customers. If it is an accidental regression, it is a firmware bug that AMD should fix.
“目前最大的疑问是,这是 AMD 将 TSME 限制在 PRO 芯片上的蓄意政策决定,还是 AGESA 1.2.7.0 中引入的无意回归,”Kilpatrick 对 Ars 说道。他补充道:“这种区别很重要:如果是蓄意政策,说明 AMD 有意从消费级硬件中移除一项可用功能并将其限制给企业客户;如果是意外回归,那这就是 AMD 应该修复的固件漏洞。”
Six weeks later, Kilpatrick resumed the discussion. After getting the results of MSI’s investigations, he reported them to the AMD engineers. “MSI’s product marketing team has informed me that AMD officially communicated to MSI that TSME is exclusively supported on PRO series processors,” he wrote. “They also conducted controlled testing on an Asus X870E motherboard with a Ryzen 9800X3D (consumer) and a Ryzen 9945 (PRO), finding tsme_status = 1 on the PRO processor and tsme_status = 0 on the consumer processor with the same board and BIOS.”
六周后,Kilpatrick 继续跟进此事。在获得微星的调查结果后,他将其反馈给了 AMD 工程师。“微星产品营销团队告知我,AMD 已正式通知微星,TSME 仅在 PRO 系列处理器上受支持,”他写道。“他们还在华硕 X870E 主板上进行了对照测试,结果显示在相同主板和 BIOS 下,Ryzen 9945 (PRO) 的 tsme_status 为 1,而 Ryzen 9800X3D (消费级) 的 tsme_status 为 0。”