• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.
  • The forums have been upgraded with support for dark mode. By default it will follow the setting on your system/browser. You may override it by scrolling to the end of the page and clicking the gears icon.

SVM SME extensions, [Secure Memory Encryption]. Are they implemented on Ryzen 3000, and Windows 10?

Y

Yagma

Joined
Feb 11, 2020
Messages
44 (0.02/day)
Last I heard in 2019, this feature was only available on Linux systems, I am curious if this support has since been extended to Windows 10 platforms, such as 2004. Recent BIOS updates introduced "Memory Guard" aka TSME on non pro Ryzen chipsets... does enabling this reduce or increase security? Is SME enabled by default on systems that support TSME? I have read conflicting reports suggesting that enabling TSME disables SME extension support for per-VM encryption key support. Does SME protect against Rowhammer/Rambleed? TSME eliminates Rowhammer/Rambleed and similar zero day attack vectors.

What is the benefit of SME over TSME and visa versa? Is there any benefit to enabling TSME on top of SME? I can imagine it would be helpful on dual boot setups where UEFI is not enabled in certain o/s and IS enabled in others.

Here is some data I have gathered from https://en.wikichip.org/wiki/x86/sme

The SME extension attempts to defend against attacks by allowing the entirety of main memory to be encrypted as well as by enforcing full isolation between co-resident VMs. With the addition of SEV, this security can be extended to cloud users that can have fully private memory inaccessible to hypervisor or host software.

Transparent SME
Transparent SME (TSME) as the name implies is a stricter subset of SME that requires no software intervention. Under TSME, all memory pages are encrypted regardless of the C-bit value. TSME is designed for legacy OS and hypervisor software that cannot be modified. Note that when TSME is enabled, standard SME as well as SEV are still available. TSME and SME share a memory encryption key.

Update: with both TSME enabled and disabled, hwinfo64 reports SME is unavailable:

SME Screenshot.png
 
Last edited:
Now it's just there (I have activated SVM, IOMMU, SME in UEFI):

AMD-SME.png
 
@Yagma
have yet to see where its recommended to be used on ryzen, ignoring if you need things like that to prevent infections,
i would look for better AV/AM protection, everything else isnt needed for end user stuff.

@Tanzmusikus
b-die? what your proct?
lucky your on 5800, my 5950 cant do less than RFC320, while on previous 5800 it got 272 with same kit.
i recommend trying 3800/1900@C18 and 1.45v, should net you some bandwidth over C16 if your MC can do it.
 
Last edited:
Waldorf said:
ignoring if you need things like that to prevent infections,
i would look for better AV/AM protection, everything else isnt needed for end user stuff.
Click to expand...
That are different things.
SME is hardware security for not leaking data to attackers from memory when before/while/after standby.
This is especially for virtual machines and server. It also could be interesting for private users.

AV/AM is a software security tool.
 
i know, never said anything different.
avg user on a desktop should not be using standby/hibernation, as it not much faster than proper boot, has less chance of data loss/corruption not using it,
ignoring it uses less power if the unit is completely off.

and the avg user does not use a VM or even a server (thats online), i personally dont know anyone operating a server, that uses stdby/hibernation on it,
as its running to be doing stuff, not sleep.
and i dont see a ryzen pro cpu or server os, havent seen any info from OP, that would show why it would matter, and most boards have (most) encryption features turned off for a reason..
just because there is an option available, doesnt mean its a good idea to use it..
ignoring i that i love ppl doing VM/server stuff on non pro ryzen using non-ECC ram, but are worried about encryption.
says it all.

if someone is worried about leaking data out of memory, with the actor not physically in the room of the server, how are they getting that data?
right, over internet.
a good av/am solution will prevent infection of os/browser and other things, the primary means of getting unauthorized data, so yes, good sw helps more,
than using any encryption of ram/drives for things that dont include ppl stealing it or physical presence.
 
Last edited:
I wonder how much performance one can gain disabling these.
 
You must log in or register to reply here.
Back
Top