Following user outcry, AMD reinstates memory encryption in consumer CPUs

Consumer AMD CPUs will once again offer encryption protections against physical attacks after facing user backlash for silently removing the feature. As Ars reported last week, AMD stripped the protection, known as TSME, from consumer Ryzen processors. Short for Transparent Secure Memory Encryption, TSME encrypts the entire contents stored in memory, making the data useless to adversaries performing cold boot attacks and similar intrusions requiring physical access.

Now you see it, now you don’t, soon you’ll see it again. About a decade ago, AMD added TSME to its high-end CPUs. Over the next few years, AMD added the protection to lower-end processors, including the consumer version of its Ryzen chips, a CPU that costs less than the Pro version. Over the years, users of these lower-end chips have gotten used to the added security, although some security experts (and plenty of novices, too) note that consumer chips are far less likely to be targeted by physical attacks.

Recently, and without warning or notice, the lower-end line of AMD chips suddenly dropped the protection, and it did so in a way that left no user-visible indication on Windows machines and required a fair amount of technical work to confirm on Linux. AMD last week declined to explain or acknowledge the change. Following the revelation, social media was deluged with comments from AMD customers decrying the move. They noted that AMD's quiet removal of TSME after supporting it for so long seemed underhanded.

The move came solely as a result of firmware changes made in a recent update. With no physical changes required to silicon, continued support was largely, if not purely, a matter of will rather than a necessity required by changes to hardware. The critics called on AMD to reverse the move. Over the weekend, AMD said it planned to do just that in a firmware update scheduled for release next month. More often than not, the chipmaker refers to TSME as Memory Guard.

“Regarding certain non-PRO Ryzen 9000-series desktop processors, a BIOS option to enable Memory Guard was previously available but was removed in a recent update,” AMD said in an email. “Based on valuable community feedback, we will reinstate this option in an upcoming BIOS release in July.”

The company has yet to explain why it removed the protection. Critics speculate that AMD dropped it in an attempt to steer customers toward more costly CPUs. It's possible, though, that there were less nefarious reasons, such as the difficulty of continued support as chip designs changed. Another possibility is that AMD made the move for performance reasons. Encrypting every write to DRAM and decrypting every read adds latency to memory access. Slowdowns are the enemy of gamers, one of the more popular customer segments using the 9000 line of Ryzen processors. Since many gamers already voluntarily disabled TSME and had little need for it in the first place, AMD may not have considered the change of much consequence.

The incident, and AMD’s refusal to discuss it, is emblematic of the public relations landscape that has emerged over the past two decades. Once, Big Tech and corporations in general were willing to acknowledge service and product changes to ensure customers had a predictable experience. They also showed a willingness to admit mistakes and to say how they planned to do better. Now, there’s only silence. As the companies’ power and dominance have mushroomed, their sense of accountability has diminished proportionately. AMD didn’t respond to questions sent for this story.

TSME transparently encrypts data as it moves between the processor and DRAM, so everything that lands in the memory chips is ciphertext. It protects against cold boot attacks and similar attacks that use sophisticated techniques to siphon data out of memory chips once an adversary has gained physical access to them. Memory is automatically encrypted on each write and decrypted on each read. An ephemeral encryption key is generated at every system start and is never exposed to software. Unlike Secure Memory Encryption (SME), which requires the operating system to mark pages for encryption by setting a bit in their page-table entries, TSME encrypts all of memory regardless of what the OS does, so it needs no OS support and is much easier to enable. The flip side of that transparency is that TSME only protects data at rest in DRAM: any code running on the CPU, including malware or a compromised OS, reads memory in the clear, so it is no substitute for software-level protections.
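
The "technical work" needed to confirm the state of memory encryption on Linux comes down to reading two documented AMD interfaces. The following is an added example, not code from the article or from AMD: it decodes CPUID leaf 8000001F (EAX bit 0 reports SME capability, EBX[5:0] gives the C-bit position in page-table entries, EBX[11:6] the number of physical address bits reserved for encryption) and bit 23 of the SYSCFG MSR (C001_0010), which AMD documents as MemEncryptionModeEn. The live reads use the `cpuid` and `msr` device files that the Linux kernel exposes under /dev/cpu, which require root and the `cpuid` and `msr` kernel modules. One assumption is mine rather than the article's: that on a consumer board the Memory Guard/TSME BIOS switch is what flips SYSCFG bit 23, so check the PPR for your CPU family before relying on the verdict.

```python
"""Report whether an AMD system says memory encryption is supported and enabled.

Added example (not from the article or from AMD). Decoding follows AMD's
documented CPUID Fn8000_001F layout and the SYSCFG MSR MemEncryptionModeEn bit.
Live reads need root plus the 'cpuid' and 'msr' kernel modules.
"""
import os
import struct

CPUID_MEM_ENCRYPT_LEAF = 0x8000001F
MSR_AMD64_SYSCFG = 0xC0010010
SYSCFG_MEM_ENCRYPT_BIT = 23  # MemEncryptionModeEn


def decode_cpuid_8000001f(raw: bytes) -> dict:
    """Decode the 16-byte EAX/EBX/ECX/EDX record that /dev/cpu/N/cpuid returns."""
    eax, ebx, _ecx, _edx = struct.unpack("<IIII", raw)
    return {
        "sme_supported": bool(eax & 1),          # EAX[0]: SME
        "sev_supported": bool(eax & 2),          # EAX[1]: SEV
        "c_bit_position": ebx & 0x3F,            # EBX[5:0]: C-bit in PTE
        "phys_addr_reduction": (ebx >> 6) & 0x3F,  # EBX[11:6]: reserved PA bits
    }


def decode_syscfg(msr_value: int) -> bool:
    """True when firmware has set MemEncryptionModeEn in SYSCFG."""
    return bool((msr_value >> SYSCFG_MEM_ENCRYPT_BIT) & 1)


def classify(cpuid_info: dict, mem_encrypt_enabled: bool) -> str:
    """Summarise the two readings as a single verdict string."""
    if not cpuid_info["sme_supported"]:
        return "no-sme"
    # Assumption: on consumer boards this bit tracks the Memory Guard/TSME
    # BIOS option. Verify against the PPR for the CPU family in use.
    return "enabled" if mem_encrypt_enabled else "supported-but-off"


def read_cpuid(leaf: int, cpu: int = 0) -> bytes:
    """pread at offset=leaf returns EAX,EBX,ECX,EDX as 16 little-endian bytes."""
    fd = os.open(f"/dev/cpu/{cpu}/cpuid", os.O_RDONLY)
    try:
        return os.pread(fd, 16, leaf)
    finally:
        os.close(fd)


def read_msr(msr: int, cpu: int = 0) -> int:
    """pread at offset=msr returns the 64-bit MSR value."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def main() -> None:
    try:
        info = decode_cpuid_8000001f(read_cpuid(CPUID_MEM_ENCRYPT_LEAF))
        enabled = decode_syscfg(read_msr(MSR_AMD64_SYSCFG))
    except OSError as exc:
        print(f"cannot read /dev/cpu devices ({exc}); "
              "run as root after 'modprobe cpuid msr'")
        return
    print(f"CPUID 8000001F: {info}")
    print(f"SYSCFG.MemEncryptionModeEn: {enabled}")
    print(f"verdict: {classify(info, enabled)}")


if __name__ == "__main__":
    main()
```

Run it as root before and after toggling the BIOS option: a CPU that supports SME but reports the SYSCFG bit clear is the "supported-but-off" state the article describes, and a BIOS that has lost the option will stay there no matter what you set. The `sme` flag in /proc/cpuinfo only mirrors the CPUID capability bit, so on its own it says nothing about whether encryption is actually active.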

The automatic encryption and decryption does come at a performance cost that differs depending on the tasks the chips are performing. Some game developers advise users to disable TSME. Oftentimes, disabling security protections is frowned upon. In this case, the move is less risky since systems running consumer chips are less likely to store data that’s valuable enough to motivate a sophisticated physical attack. The counterargument is that AMD has included TSME in its consumer Ryzen CPUs for about a decade. The company long left the decision to enable or disable the protection to users. Critics argue that the removal deprived them of a capability that had been tacitly promised. Making the move silently only added to the sense AMD was pulling a fast one.

Despite AMD’s continued opacity about the incident, the company deserves credit for restoring TSME. Customers complained, some bitterly, and AMD heard and granted their demands.
