https://bugs.kde.org/show_bug.cgi?id=521659
Bug ID: 521659
Summary: KInfoCenter Firmware Security: "Encrypted RAM"
reported as Not supported when memory is encrypted via
AMD TSME (transparent SME)
Classification: I don't know
Product: kde
Version First Reported In: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 193305
--> https://bugs.kde.org/attachment.cgi?id=193305&action=edit
Diag dump: KInfoCenter/fwupd report "Encrypted RAM: Not supported" but AMD MSR
SYS_CFG 0xC0010010 bit23=1 on all CPUs confirms TSME active. Includes versions,
BIOS/AGESA, GUI-vs-hardware evidence.
**DESCRIPTION**
In the Firmware Security page (KInfoCenter → Firmware Security,
`kcm_firmware_security`), the "Encrypted RAM" attribute is reported as failed /
"Not supported" even on systems where system memory **is** actually encrypted
via AMD **TSME** (Transparent SME).
The current check only detects **SME** (the OS/kernel-managed mode, exposed
through `/sys/kernel/mm/mem_encrypt/active`). With **TSME**, the BIOS/hardware
encrypts all of DRAM transparently and the kernel is never involved, so that
sysfs path reports nothing and the GUI wrongly concludes the RAM is
unencrypted.
The result is misleading: a user with fully encrypted RAM is shown a red ✘
"Encrypted RAM: Not supported", suggesting their memory is exposed when it is
not.
Request: either (a) distinguish that the kernel-visible encryption is **SME**,
not **TSME**, and/or (b) add an additional check that detects TSME so the two
cases can be told apart (e.g. reading bit 23 `MemEncryptionModeEn` of the AMD
MSR `SYS_CFG` / `MSR_AMD64_SYSCFG` `0xC0010010`, which is set to 1 when TSME is
active).
**STEPS TO REPRODUCE**
1. Use an AMD system with TSME enabled in the BIOS/UEFI (e.g. AMD CBS → TSME =
On) but with kernel-managed SME inactive (no `mem_encrypt=on`).
2. Open KInfoCenter → Firmware Security (or run `fwupdmgr security`).
3. Look at the "Encrypted RAM" attribute.
**OBSERVED RESULT**
"Encrypted RAM" is shown as ✘ / "Not supported" (failed), even though memory is
being encrypted by the hardware.
Verification that RAM is in fact encrypted (TSME active), bit 23 = 1 on all
logical CPUs:
```
$ sudo rdmsr -a -f 23:23 0xC0010010
1
1
... (1 on every thread)
```
**EXPECTED RESULT**
The attribute should reflect the real hardware state — either reporting
"Encrypted RAM: Enabled (TSME)" when MSR `SYS_CFG` bit 23 is set, or at minimum
clearly differentiating SME (kernel-managed) from TSME (transparent/BIOS)
instead of reporting encrypted memory as unprotected.
**SOFTWARE/OS VERSIONS**
- Operating System: CachyOS (Arch-based, rolling)
- KDE Plasma Version: 6.6.5
- KDE Frameworks Version: 6.27.0
- Qt Version: 6.11.1
**ADDITIONAL INFORMATION**
- Component: kinfocenter 6.6.5, module `kcm_firmware_security`
(`/usr/lib/qt6/plugins/plasma/kcms/kinfocenter/kcm_firmware_security.so`).
- Backend: fwupd 2.1.5 — `fwupdmgr security` reports the same
`org.fwupd.hsi.EncryptedRam` as failed, so the KCM is faithfully displaying
fwupd's HSI data. The underlying detection limitation may need to be addressed
in fwupd upstream; this report asks KDE to surface the SME/TSME distinction (or
carry the additional check) so the GUI does not present encrypted RAM as
unprotected.
- Hardware: AMD Ryzen 9 9950X3D (Zen 5), BIOS AGESA ComboAm5PI 1.3.0.0a, TSME
enabled in UEFI.
- Reference (kernel docs, MSR semantics):
https://docs.kernel.org/arch/x86/amd-memory-encryption.html —
`MSR_AMD64_SYSCFG` (`0xC0010010`) bit 23: `0 = memory encryption disabled, 1 =
enabled`.
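The two-signal check the report asks for, as an added example (not code from the report, KInfoCenter or fwupd): it reads bit 23 of `SYS_CFG` on every logical CPU through `/dev/cpu/N/msr` and combines it with the kernel's SME state. The state labels, the function names and the assumption that the sysfs file contains `1` when SME is active are hypothetical; the "firmware-enabled" label follows the report's reading that bit 23 set with kernel SME inactive means TSME.

```python
import glob
import os

MSR_AMD64_SYSCFG = 0xC0010010  # MSR named in the report
MEM_ENCRYPT_BIT = 23           # MemEncryptionModeEn, per the report
SME_ACTIVE = "/sys/kernel/mm/mem_encrypt/active"  # path named in the report


def syscfg_bit23(raw):
    """Decode one 8-byte little-endian MSR read and return bit 23."""
    if len(raw) != 8:
        raise ValueError("MSR read must be exactly 8 bytes")
    return bool((int.from_bytes(raw, "little") >> MEM_ENCRYPT_BIT) & 1)


def classify(per_cpu_bits, kernel_sme_active):
    """Map the MSR bit and the kernel SME state to a hypothetical label."""
    if not per_cpu_bits:
        return "unknown"           # no MSR readable: do not claim "unsupported"
    if len(set(per_cpu_bits)) != 1:
        return "inconsistent"      # CPUs disagree: surface it, do not guess
    if not per_cpu_bits[0]:
        return "disabled"
    return "sme-kernel" if kernel_sme_active else "firmware-enabled"


def read_host_state():
    """Query the running host (needs root and the msr kernel module)."""
    bits = []
    for path in sorted(glob.glob("/dev/cpu/[0-9]*/msr")):
        try:
            fd = os.open(path, os.O_RDONLY)
        except OSError:
            continue               # no permission or CPU offline
        try:
            bits.append(syscfg_bit23(os.pread(fd, 8, MSR_AMD64_SYSCFG)))
        except (OSError, ValueError):
            pass                   # MSR not implemented (e.g. non-AMD CPU)
        finally:
            os.close(fd)
    try:
        with open(SME_ACTIVE) as f:
            active = f.read().strip() == "1"  # assumed file format
    except OSError:
        active = False
    return classify(bits, active)


if __name__ == "__main__":
    print(read_host_state())
```

Returning "unknown" when no MSR can be read keeps an unprivileged or non-AMD run from being displayed as a failed attribute.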