AMD Secure Memory Encryption feature is flawed and currently disabled by default in the Linux kernel

AMD’s Secure Memory Encryption (SME) feature was found to be flawed in a way that may cause problems for some Linux systems. The issue was reported by Linux engineer Paul Menzel a few days ago: with secure memory encryption enabled, some APUs code-named Raven Ridge fail to boot.

According to Phoronix, the Linux 5.15 kernel is receiving a fix that disables AMD’s secure memory encryption feature by default. The feature had been enabled by default, but after the boot failure was discovered on certain AMD systems it is now off unless explicitly turned on. Developers will land the change in the Linux 5.15 kernel first, and it will also be backported to earlier kernel releases.
[Image: AMD EPYC 128 cores]

AMD’s Secure Memory Encryption is a feature of the EPYC and Ryzen Pro series processors that lets the processor encrypt memory at the hardware level. AMD says the feature has no significant impact on performance and is suitable for any operating system and application: because the encryption is done in hardware, it does not depend on software support.

Although it has many apparent benefits, the secure memory encryption feature has a bug in how it interacts with the IOMMU and graphics drivers on Linux, which causes affected Linux hosts to fail to boot. Affected systems also fail to work correctly with encrypted memory, mainly because some devices lack the correct direct memory access (DMA) API usage or firmware support for SME. The problem mostly occurs on APUs code-named Raven Ridge, but other Ryzen series processors may also be affected. The problem does not affect users of Windows systems.
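With the default flipped, administrators may want to know whether a given Linux host actually has SME active. The following shell function is an added example, not code from the article or the Linux kernel tree; it assumes that /proc/cpuinfo lists the "sme" flag on capable CPUs, that /proc/cmdline may carry mem_encrypt=on or mem_encrypt=off, and that the kernel logs "AMD Memory Encryption Features active: SME" when SME is on.

```shell
#!/bin/sh
# Added example, not code from the article or the Linux kernel tree: report
# whether the CPU advertises AMD SME and whether the running kernel activated it.
# Assumes: /proc/cpuinfo lists the "sme" flag on capable CPUs, /proc/cmdline
# may carry mem_encrypt=on|off, and the kernel logs
# "AMD Memory Encryption Features active: SME" when SME is turned on.

# sme_status CPUINFO_TEXT CMDLINE_TEXT DMESG_TEXT
# Prints exactly one of: unsupported, active, forced-off,
# requested-not-confirmed, off-by-default
sme_status() {
    cpuinfo=$1; cmdline=$2; dmesg=$3
    # CPU capability: look for "sme" as a whole word on a flags line
    if ! printf '%s\n' "$cpuinfo" |
         grep -Eq '^flags[[:space:]]*:.*[[:space:]]sme([[:space:]]|$)'; then
        echo unsupported; return 0
    fi
    # Kernel confirmation: the boot log names SME among the active features
    if printf '%s\n' "$dmesg" |
         grep -q 'AMD Memory Encryption Features active:.*SME'; then
        echo active; return 0
    fi
    # No confirmation: distinguish an explicit opt-out, an unconfirmed opt-in,
    # and the new default (CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT unset)
    case " $cmdline " in
        *" mem_encrypt=off "*) echo forced-off ;;
        *" mem_encrypt=on "*)  echo requested-not-confirmed ;;
        *)                     echo off-by-default ;;
    esac
}

# Constructed sample inputs (not captured from a real machine)
SAMPLE_CPUINFO='processor : 0
vendor_id : AuthenticAMD
flags : fpu vme de pse sme sev'
SAMPLE_CPUINFO_NOSME='processor : 0
vendor_id : AuthenticAMD
flags : fpu vme de pse smep'
SAMPLE_DMESG_ACTIVE='[    0.000000] AMD Memory Encryption Features active: SME'

sme_status "$SAMPLE_CPUINFO" "root=/dev/sda2 mem_encrypt=on" "$SAMPLE_DMESG_ACTIVE"  # active
sme_status "$SAMPLE_CPUINFO" "root=/dev/sda2 quiet" ""                               # off-by-default
sme_status "$SAMPLE_CPUINFO_NOSME" "root=/dev/sda2 mem_encrypt=on" ""                # unsupported
# On a live host: sme_status "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)" "$(dmesg 2>/dev/null)"
```

A result of requested-not-confirmed on a host booted with mem_encrypt=on is the case worth investigating, since it means the kernel was asked to enable SME but did not report it active.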