Consumer Ryzen chips have been silently stripped of a memory encryption feature that worked on them for years, and AMD won't say why.
Transparent Secure Memory Encryption (TSME) encrypts everything in RAM, blocking cold-boot attacks and other physical exploits that siphon data directly off memory modules. AMD introduced it roughly a decade ago in its high-end processors and eventually shipped it across regular Ryzen, Ryzen Pro, Threadripper, and EPYC lines.
Then, without warning, it stopped working on consumer chips. The change came to light in April when Ben Kilpatrick, a self-described privacy-conscious Linux hobbyist, installed a new OS on a Ryzen 7 9700X system. Running Host Security ID (HSI), a tool that audits firmware and hardware security, he saw the line "encrypted RAM: not supported" even though TSME remained enabled in his BIOS.
Earlier logs showed the same system had previously reported RAM as encrypted. Kilpatrick spent months chasing answers. He contacted MSI, his motherboard vendor, and pushed for controlled testing.
MSI engineers confirmed that consumer Ryzen chips showed TSME as supported under older AGESA firmware but reported it as "not supported" under AGESA 1.2.7.0. Pro-branded Ryzen parts kept the feature across both firmware versions and multiple motherboard brands.
MSI went further, swapping a consumer Ryzen 9800X3D and a PRO Ryzen 9945 on the same Asus X870E board. The Pro chip returned tsme_status = 1. The consumer chip returned tsme_status = 0.
Dumps from the AMD Boot Loader revealed an internal flag, DfIsTsmeEnabled, reading FALSE on consumer silicon even when the BIOS had TSME set to AUTO or ENABLED. On the Pro chip, the same flag returned TRUE.
Kilpatrick filed a bug report on AMD's public GitHub repository for secure virtualization. Two AMD engineers responded.
Tom Lendacky, an AMD fellow software engineer, suggested toggling the BIOS setting and told Kilpatrick to contact MSI. Mario Limonciello, a senior principal software engineer, gave similar advice.
Neither appeared to know why the feature had disappeared. When Kilpatrick returned with MSI's test data six weeks later, he put a precise question to the engineers: was the DfIsTsmeEnabled flag set to FALSE on consumer chips because of a silicon limitation or a firmware policy decision? Limonciello shut down the discussion.
"My apologies, but I don't have any more information to share on this topic," he wrote.
AMD's only official response came by email, stating that TSME "is a security feature only applied to PRO CPUs as part of AMD PRO Technologies." It was the first time the company publicly made that restriction explicit, despite the feature working on consumer chips for years. In a 2020 discussion, Lendacky himself had written that a consumer Ryzen 3700X "should support TSME," and in a 2025 comment he recommended using it.
The removal is effectively invisible on Windows machines and requires significant technical work to detect on Linux. That means most consumer Ryzen users have no way of knowing the protection vanished.
TSME differs from AMD's other memory protection, Secure Memory Encryption (SME), which has always been limited to Pro and EPYC tiers. SME is OS-managed and encrypts selected memory pages.
TSME runs in firmware, encrypts all RAM without OS involvement, and activates silently once enabled in BIOS. When active, it blocks cold-boot exploits, DRAM bus snooping, and memory module removal attacks.
Intel ships total memory encryption broadly across its modern consumer chips, making AMD's PRO-only stance a clear product line distinction for buyers who need that protection. For anyone handling sensitive data on a consumer Ryzen machine, the feature that worked for years is simply gone, with no changelog entry to mark its exit and no explanation from the company that removed it.
