Unlock VPro security features on Consumer Intel 12'th, 13'th gen CPU/BIOS?

[Yagma]

ASUS unlocked certain Ryzen features touted only for the "Ryzen Pro" CPU's, such as TSME, (transparent SME), Ryzens version of total memory encryption... that protects against remote throwhammer, rowhammer style bit flip attacks, as well as cold boot attacks.

Intel has a similar feature called TME, (total memory encryption) just like AMD, they also claim it is only available on their VPro lineup of CPU's. They also have VT-Rp. Is there any way OEM's can unlock these features in the consumer 12'th, 13'th gen K series, so they might actually compete with Ryzens consumer product security?

 

[thewan]

No. VPro is chipset dependent. Consumer intel chipsets do not have VPro as part of their feature set and thus there is no option for you to enable it. Motherboard makers can't give you an option to enable something that doesn't exist.

compare

Intel® Z690 Chipset - Product Specifications | Intel

Intel® Z690 Chipset quick reference with specifications, features, and technologies.

www.intel.com

vs

Intel® Q670 Chipset - Product Specifications | Intel

Intel® Q670 Chipset quick reference with specifications, features, and technologies.

www.intel.com

so you will need to buy a business/enterprise/basically non consumer, motherboard.

 

[Yagma]

They say the same thing about Ryzen Pro, AMD's version of VPro, but I have its feature (TSMC) enabled on my consumer Ryzen 3600 cpu, in a bios that was released by ASUS a year or so after the boards initial release. Its baked in into all processors. I have just read elsewhere that TME is available on core products as well. I believe its possible TMC is baked in to all 12'th and 13'th gen CPU's, and can be unlocked with a simple bios setting, just like AMD.

 

[Solaris17]

They say the same thing about Ryzen Pro, AMD's version of VPro, but I have its feature (TSMC) enabled on my consumer Ryzen 3600 cpu, in a bios that was released by ASUS a year or so after the boards initial release. I have just read elsewhere that TME is available on core products as well. I believe its possible TMC is baked in, and can be unlocked with a simple bios setting.

View attachment 272512

Thats literally not an apples to apples comparison. Here are some initial flaws:

Those arent even the same manufacturers
These features may be disabled in diff ways
The feature enable/disable can work diff based on CPU family
The feature enable/disable can work diff based on chipset
Based on mobo manufacturer
Based on mobo revision
Based on mobo model
Based on BIOS
Based on BIOS revision

I believe its possible TMC is baked in, and can be unlocked with a simple bios setting.

Let everyone know how it goes.

 

[tabascosauz]

They say the same thing about Ryzen Pro, AMD's version of VPro, but I have its feature (TSMC) enabled on my consumer Ryzen 3600 cpu, in a bios that was released by ASUS a year or so after the boards initial release. I have just read elsewhere that TME is available on core products as well. I believe its possible TMC is baked in to all 12'th and 13'th gen CPU's, and can be unlocked with a simple bios setting, just like AMD.

View attachment 272512

TSME in BIOS =! working TSME

AGESA doesn't hide the TSME switch in BIOS even if your CPU doesn't support it. You can enable it all you want, it doesn't do anything. TSME is not an Asus feature, it's present in literally any recent BIOS on any board under AMD CBS options menu. It's lived there since (before?) Ryzen 4000 APUs existed, though it's been moved around a bit with time.

TSME only works on PRO chiplet CPUs (ie. Ryzen 3700 PRO), and the APUs (4650G/4750G/5600G/5700G). It's really easy to tell when it's actually doing something, because enabling TSME on the APUs results in an instant and significant penalty to DRAM latency (iirc somewhere around 5-10ns). If you enable it on a 3600 or 5600X, for example, nothing changes.

 

[Yagma]

TSME in BIOS =! working TSME

AGESA doesn't hide the TSME switch in BIOS even if your CPU doesn't support it. You can enable it all you want, it doesn't do anything

TSME only works on PRO chiplet CPUs (ie. Ryzen 3700 PRO), and the APUs (4650G/4750G/5600G/5700G). It's really easy to tell when it's actually doing something, because enabling TSME on the APUs results in an instant and significant penalty to DRAM latency (iirc somewhere around 5-10ns). If you enable it on a 3600 or 5600X, for example, nothing changes.

No, it works on others as well. And yes, the latency goes up about 8-9 ns on my Ryzen 3600 after enabling TSME. Its something I am happy to tolerate given the benefits. It jumps from around 63 to 71. Honk Honk eh.

https://dlcdnets.asus.com/pub/ASUS/mb/13MANUAL/PRIME_PROART_TUF_GAMING_Intel_600_Series_BIOS_EM_WEB_EN.pdf

 

[tabascosauz]

No, it works on others as well. The latency goes up about 9 ns on my Ryzen 3600 after enabling TSME. Its something I gladly tolerate.

Which board, which BIOS? Must be a recent thing. Interesting.

VPro doesn't work the same way, it has a number of hardware components. From what I can tell, AMD's idea of control is mostly exerted through firmware (AGESA).

Are you sure TME is even still locked to VPro only? Confirm on your own LGA1700 hardware? That's not what the ARK page suggests.

 

[Yagma]

Which board, which BIOS? Must be a recent thing. Interesting.

VPro doesn't work the same way, it has a number of hardware components. From what I can tell, AMD's idea of control is mostly exerted through firmware (AGESA).

Are you sure TME is even still locked to VPro only? Confirm on your own LGA1700 hardware? That's not what the ARK page suggests.

TUF GAMING X570-PLUS, I'm not sure exactly which bios this started with... but its been in all of the bios' for at least a year now, I believe across all their x570 line up, possibly others as well.

Thats literally not an apples to apples comparison. Here are some initial flaws:

Those arent even the same manufacturers
These features may be disabled in diff ways
The feature enable/disable can work diff based on CPU family
The feature enable/disable can work diff based on chipset
Based on mobo manufacturer
Based on mobo revision
Based on mobo model
Based on BIOS
Based on BIOS revision



Let everyone know how it goes.

Just bought a Tuf Gaming z690, partly because TME was not in the Gigabyte Gaming X z690 bios. I guess we'll see...

 

[tabascosauz]

TUF GAMING X570-PLUS, I'm not sure exactly which bios this started with... but its been in all of the bios' for at least a year now, I believe across all their x570 line up, possibly others as well.

You sure you don't have one of these?

AMD Ryzen™ 5 PRO 3600 Processor | AMD

The TSME setting has been there for a very long time, I don't think its presence is a reliable indicator. I can say with certainty that the Ryzen 5000 retail CPUs I've used can't make use of TSME. My 3700X couldn't either on B550M TUF Wifi. Unfortunately I don't have any 3000 CPUs anymore that I can test.

VPro used to be a very strict walled garden, but iirc in recent years Intel has been softening their approach and allowing more security features outside of VPro. Case in point, the -K SKUs now have the same security suite as the non-K SKUs (which used to be Intel's consumer level VPro product). Not sure about chipsets though in LGA1700.

 

[Solaris17]

I guess we'll see...

I wish it was as simple as bridging pins for feature unlocks. miss you NF4

 

[Yagma]

You sure you don't have one of these?

AMD Ryzen™ 5 PRO 3600 Processor | AMD

Pros are not unlocked, mine is, with benefits. TSMC runs transparent to the system, meaning it does not interfere with or have any relation to software, (unlike SME) only the memory bus and CPU. Its completely undetectable as far as I am aware... except for the obvious increase in latency. And the encryption scrambles rowhammer attacks by randomizing the data, so bit flips are completely random. hackers might notice that

You sure you don't have one of these?

AMD Ryzen™ 5 PRO 3600 Processor | AMD

I can say with certainty that the Ryzen 5000 retail CPUs I've used can't make use of TSME. My 3700X couldn't either on B550M TUF Wifi. Unfortunately I don't have any 3000 CPUs anymore that I can test.

As far as I know Asus was one of the only if not the only developers who released a bios with TSMC accessible... maybe others followed suit. What kind of board were you using?

 

[tabascosauz]

View attachment 272517

Oh forgot to ask, do you have a link to source on asus unlocking TSME?

My point was that a lot of AMD's segmentation (outside of core count, which is fused obviously) is done via firmware. When they say no OC it usually involves hiding options in BIOS that can just be modded back in, or making changes to AGESA that are harder to get around. Hell, they said no OC for A520 but you can still PBO the hell out of it. I think I have seen someone static OC a 3700 PRO on this forum before - it's not until 5800X3D that AMD really started trying new ways to lock things down.

Hence, I wonder if your CPU is a one-off that they forgot to disable. Knowing AMD's track record of QC, not ready to rule that out lol

I had a B550M TUF Wifi, so we could have been on basically the same BIOS at some point.

 

[Yagma]

Oh forgot to ask, do you have a link to source on asus unlocking TSME?

My point was that a lot of AMD's segmentation (outside of core count, which is fused obviously) is done via firmware. When they say no OC it usually involves hiding options in BIOS that can just be modded back in, or making changes to AGESA that are harder to get around. Hell, they said no OC for A520 but you can still PBO the hell out of it. I think I have seen someone static OC a 3700 PRO on this forum before - it's not until 5800X3D that AMD really started trying new ways to lock things down.

Hence, I wonder if your CPU is a one-off that they forgot to disable. Knowing AMD's track record of QC, not ready to rule that out lol

I had a B550M TUF Wifi, so we could have been on basically the same BIOS at some point.

https://www.reddit.com/r/Amd/comments/hkju2u
I'm not sure... I wonder if it could also be that memory controllers on newer models than mine (like X variants on) have improved hardware memory encryption capabilities that reduce latency. What did you see that was locked down on the 5800x3d, other than the overclock to prevent damage/overheating?

 

[tabascosauz]

View attachment 272541 https://www.reddit.com/r/Amd/comments/hkju2u
I'm not sure... I wonder if it could also be that memory controllers on newer models than mine (like X variants on) have improved hardware memory encryption capabilities that reduce latency. What did you see that was locked down on the 5800x3d, other than the overclock to prevent damage/overheating?

Scratch that, I think you're right. TSME seems to be functional on mine as well.

Makes sense, the 3000 and 5000 CPUs share the exact same IO die.

 

[Yagma]

Scratch that, I think you're right. TSME seems to be functional on mine as well.

Makes sense, the 3000 and 5000 CPUs share the exact same IO die.

Nice! I'll send a few emails around and put some pressure on Gigabyte to unlock TME if it is in fact possible. How did you confirm that TSME was functional? It should be listed in HWINFO or some other app. Ah thats right, I did confirm it in HWiNFO a few years ago. Update: In fact, TME is available for my i7-13700k. It just needs to be unlocked.

Update 2: in fact green suggests it may be already enabled. Perhaps that is the default.

Not sure if this means anything, only VMX suggests the (grey/red/green) color coding on mouse over.

Scratch that, I think you're right. TSME seems to be functional on mine as well.

Makes sense, the 3000 and 5000 CPUs share the exact same IO die.

Could you do me a favor and check what happens when you enable/disable TSME in HWINFO? I'd like to know if it is 'red' when it is disabled but supported. If I recall correctly in my testing, when TSME was disabled (but supported) on my computer, it showed red in HWINFO, and green when it was enabled.

Scratch that, I think you're right. TSME seems to be functional on mine as well.

Makes sense, the 3000 and 5000 CPUs share the exact same IO die.

Yes, and the 5000 variants did update security features, possibly the X variants as well, with hardware backed stack enforcement, possibly other features also.

 

[tabascosauz]

Nice! I'll send a few emails around and put some pressure on Gigabyte to unlock TME if it is in fact possible. How did you confirm that TSME was functional? It should be listed in HWINFO or some other app. Ah thats right, I did confirm it in HWiNFO a few years ago. Update: In fact, TME is available for my i7-13700k. It just needs to be unlocked.

Just going off the memory results, the usual negative impact when TSME is on.

AMD-V looks about right, I disable fTPM and I think I usually disable virtualization-related stuff too

I don't think HWInfo can tell the TSME difference whether on or off:

 

[Yagma]

Interesting, its not even listed. I know it used to a couple years ago, or did for the 3600 on my computer. But its dissassembeled. I'll have to report on my findings there after Christmas once I have the gear to put it together. There is a newer HWiNFO64 release, V7.34. You might want to try an old one too. I'd suggest v6.24 or v6.30

 

[P4-630]

 

[Yagma]

View attachment 273776

Interesting to note you have VMX & SMX as well. VMX is enabled in my bios, but showing unavailable in HWinfo. Strange. Why do you think that could be? I opened a thread here. Do you have HVCI enabled / core memory isolation?

 

[tabascosauz]

Interesting, its not even listed. I know it used to a couple years ago, or did for the 3600 on my computer. But its dissassembeled. I'll have to report on my findings there after Christmas once I have the gear to put it together. There is a newer HWiNFO64 release, V7.34. You might want to try an old one too. I'd suggest v6.24 or v6.30

Pre-v7 HWInfo isn't great on newer Ryzens for sensor monitoring, which is pretty much the only thing I use HWInfo for.

v7.34 still reports SME as being enabled when it's disabled.

 

[Yagma]

Pre-v7 HWInfo isn't great on newer Ryzens for sensor monitoring, which is pretty much the only thing I use HWInfo for.

v7.34 still reports SME as being enabled when it's disabled.

View attachment 273777

Yeah... I found a way around this, using Hirens Boot CD (Windows 10 PE), gets around windows hardware obfuscations... running HWINFO inside that allows you to determine what features are actually available.

On 13'th gen intel, SMX is available and active according to HWINFO, but there is a bit in the bios that prevents it from loading, well, windows reads the bit and then refuses to load certain firmware protections,

From what I read, "OS usually expects BIOS to set certain bits in MSR_IA32_FEATURE_CONTROL for some features (e.g. VMX and LMCE)."

I'm not sure if there are any futher hardware limitations beyond the bios bit... hwinfo claims it is available, so it could be entirely a form of planned obsolescence, software restricted to prevent pro features from being available on non vpro hardware.