AMD Secure Memory Encryption Has a Flaw, Now Disabled by Default in Linux Kernel

[Image: AMD] (Image credit: AMD)

According to a report from Phoronix, the Linux 5.15 kernel is receiving a fix that disables AMD's Secure Memory Encryption (SME) by default. The feature was previously enabled by default, but because of unexpected boot failures on some AMD machines it will now be off unless explicitly enabled. Developers will land the change in Linux 5.15 first, and it will also be backported to earlier kernels.

AMD Secure Memory Encryption is a feature available on AMD's EPYC and Ryzen Pro processors that lets the CPU encrypt system memory at the hardware level. AMD says the feature has no significant impact on system performance and works with any OS and application, because it is hardware-accelerated and does not rely on software.

Despite these benefits, the feature has triggered bugs in Linux drivers in their interaction with the IOMMU and graphics drivers, causing Linux machines to fail at startup. Affected systems also fail to recognize the encrypted RAM, in particular because some devices lack correct Direct Memory Access (DMA) API usage or the firmware support needed for SME.

Phoronix notes that the bug occurs mostly on Raven Ridge APUs, but it can also affect other Ryzen chips. For now, the Linux kernel maintainers will disable SME by default until a solution emerges that can reliably determine when SME can be enabled safely. The issue does not affect Windows users.