AMD


Details on AMD’s $549 and $599 Radeon RX 9070 GPUs, which aim at Nvidia and 4K

AMD is releasing the first detailed specifications of its next-generation Radeon RX 9070 series GPUs and the RDNA4 graphics architecture today, almost two months after teasing them at CES.

The short version is that these are both upper-midrange graphics cards targeting resolutions of 1440p and 4K and meant to compete mainly with Nvidia’s incoming and outgoing 4070- and 5070-series GeForce GPUs, including the RTX 4070, RTX 5070, RTX 4070 Ti and Ti Super, and the RTX 5070 Ti.

AMD says the RX 9070 will start at $549, the same price as Nvidia’s RTX 5070. The slightly faster 9070 XT starts at $599, $150 less than the RTX 5070 Ti. The cards go on sale March 6, a day after Nvidia’s RTX 5070.

Neither Nvidia nor Intel has managed to keep its GPUs in stores at their announced starting prices so far, though, so how well AMD’s pricing stacks up to Nvidia in the real world may take a few weeks or months to settle out. For its part, AMD says it’s confident that it has enough supply to meet demand, but that’s as specific as the company’s reassurances got.

Specs and speeds: Radeon RX 9070 and 9070 XT

| | RX 9070 XT | RX 9070 | RX 7900 XTX | RX 7900 XT | RX 7900 GRE | RX 7800 XT |
|---|---|---|---|---|---|---|
| Compute units (Stream processors) | 64 RDNA4 (4,096) | 56 RDNA4 (3,584) | 96 RDNA3 (6,144) | 84 RDNA3 (5,376) | 80 RDNA3 (5,120) | 60 RDNA3 (3,840) |
| Boost Clock | 2,970 MHz | 2,520 MHz | 2,498 MHz | 2,400 MHz | 2,245 MHz | 2,430 MHz |
| Memory Bus Width | 256-bit | 256-bit | 384-bit | 320-bit | 256-bit | 256-bit |
| Memory Bandwidth | 650 GB/s | 650 GB/s | 960 GB/s | 800 GB/s | 576 GB/s | 624 GB/s |
| Memory size | 16GB GDDR6 | 16GB GDDR6 | 24GB GDDR6 | 20GB GDDR6 | 16GB GDDR6 | 16GB GDDR6 |
| Total board power (TBP) | 304 W | 220 W | 355 W | 315 W | 260 W | 263 W |

As is implied by their similar price tags, the 9070 and 9070 XT have more in common than not. Both are based on the same GPU die—the 9070 has 56 of the chip’s compute units enabled, while the 9070 XT has 64. Both cards come with 16GB of RAM (4GB more than the 5070, the same amount as the 5070 Ti) on a 256-bit memory bus, and both use two 8-pin power connectors by default, though the 9070 XT can use significantly more power than the 9070 (304 W, compared to 220 W).

AMD says that its partners are free to make Radeon cards with the 12VHPWR or 12V-2×6 power connectors on them, though given the apparently ongoing issues with the connector, we’d expect most Radeon GPUs to stick with the known quantity that is the 8-pin connector.

AMD says that the 9070 series is made using a 4 nm TSMC manufacturing process and that the chips are monolithic rather than being split up into chiplets as some RX 7000-series cards were. AMD’s commitment to its memory controller chiplets was always hit or miss with the 7000-series—the high-end cards tended to use them, while the lower-end GPUs were usually monolithic—so it’s not clear one way or the other whether this means AMD is giving up on chiplet-based GPUs altogether or if it’s just not using them this time around.


AMD’s FSR 4 upscaling is exclusive to 90-series Radeon GPUs, won’t work on other cards

AMD’s new Radeon RX 90-series cards and the RDNA4 architecture make their official debut on March 5, and a new version of AMD’s FidelityFX Super Resolution (FSR) upscaling technology is coming along with them.

FSR and Nvidia’s Deep Learning Super Sampling (DLSS) upscalers have the same goal: to take a lower-resolution image rendered by your graphics card, bump up the resolution, and fill in the gaps between the natively rendered pixels to make an image that looks close to natively rendered without making the GPU do all that rendering work. These upscalers can make errors, and they won’t always look quite as good as a native-resolution image. But they’re both nice alternatives to living with a blurry, non-native-resolution picture on an LCD or OLED display.

FSR and DLSS are especially useful for older or cheaper 1080p or 1440p-capable GPUs that are connected to a 4K monitor, where you’d otherwise have to decide between a sharp 4K image and a playable frame rate; it’s also useful for hitting higher frame rates at lower resolutions, which can be handy for high-refresh-rate gaming monitors.

But unlike past versions of FSR, FSR 4 is upscaling images using hardware-backed machine-learning algorithms, hardware newly added to RDNA4 and the RX 90-series graphics cards. This mirrors Nvidia’s strategy with DLSS, which has always leveraged the tensor cores found in RTX GPUs to run machine-learning models to achieve superior image quality for upscaled and AI-generated frames. If you don’t have an RDNA4 GPU, you can’t use FSR 4.


Now the overclock-curious can buy a delidded AMD 9800X3D, with a warranty

The integrated heat spreaders put on CPUs at the factory are not the most thermally efficient material you could have on there, but what are you going to do—rip it off at the risk of killing your $500 chip with your clumsy hands?

Yes, that is precisely what enthusiastic overclockers have been doing for years, delidding, or decapping (though the latter term is used less often in overclocking circles), chips through various DIY techniques, allowing them to replace AMD and Intel’s common denominator shells with liquid metal or other advanced thermal interface materials.

As you might imagine, it can be nerve-wracking, and things can go wrong in just one second or one degree Celsius. In one overclocking forum thread, a seasoned expert noted that Intel’s Core Ultra 200S spreader (IHS) needs to be heated above 165° C for the indium (transfer material) to loosen. But then the glue holding the IHS is also loose at this temperature, and there is only 1.5–2 millimeters of space between IHS and surface-mounted components, so it’s easy for that metal IHS to slide off and take out a vital component with it. It’s quite the Saturday afternoon hobby.

That is the typical overclocking bargain: You assume the risk, you void your warranty, but you remove one more barrier to peak performance. Now, though, Thermal Grizzly, led by that same previously mentioned expert, Roman “der8auer” Hartung, has a new bargain to present. His firm is delidding AMD’s Ryzen 9800X3D CPUs with its own ovens and specialty tools, then selling them with two-year warranties that cover manufacturer’s defects and “normal overclocking damage,” but not mechanical damage.


What we know about AMD and Nvidia’s imminent midrange GPU launches

The GeForce RTX 5090 and 5080 are both very fast graphics cards—if you can look past the possibility that we may have yet another power-connector-related overheating problem on our hands. But the vast majority of people (including you, discerning and tech-savvy Ars Technica reader) won’t be spending $1,000 or $2,000 (or $2,750 or whatever) on a new graphics card this generation.

No, statistically, you (like most people) will probably end up buying one of the more affordable midrange Nvidia or AMD cards, GPUs that are all slated to begin shipping later this month or early in March.

There has been a spate of announcements on that front this week. Nvidia announced yesterday that the GeForce RTX 5070 Ti, which the company previously introduced at CES, would be available starting on February 20 for $749 and up. The new GPU, like the RTX 5080, looks like a relatively modest upgrade from last year’s RTX 4070 Ti Super. But it ought to at least flirt with affordability for people who are looking to get natively rendered 4K without automatically needing to enable DLSS upscaling to get playable frame rates.

| | RTX 5070 Ti | RTX 4070 Ti Super | RTX 5070 | RTX 4070 Super |
|---|---|---|---|---|
| CUDA Cores | 8,960 | 8,448 | 6,144 | 7,168 |
| Boost Clock | 2,452 MHz | 2,610 MHz | 2,512 MHz | 2,475 MHz |
| Memory Bus Width | 256-bit | 256-bit | 192-bit | 192-bit |
| Memory Bandwidth | 896 GB/s | 672 GB/s | 672 GB/s | 504 GB/s |
| Memory size | 16GB GDDR7 | 16GB GDDR6X | 12GB GDDR7 | 12GB GDDR6X |
| TGP | 300 W | 285 W | 250 W | 220 W |

That said, if the launches of the 5090 and 5080 are anything to go by, it may not be easy to find and buy the RTX 5070 Ti for anything close to the listed retail price; early retail listings are not promising on this front. You’ll also be relying exclusively on Nvidia’s partners to deliver unadorned, relatively minimalist MSRP versions of the cards since Nvidia isn’t making a Founders Edition version.

As for the $549 RTX 5070, Nvidia’s website says it’s launching on March 5. But it’s less exciting than the other 50-series cards because it has fewer CUDA cores than the outgoing RTX 4070 Super, leaving it even more reliant on AI-generated frames to improve performance compared to the last generation.


Arm to start making server CPUs in-house

Cambridge-headquartered Arm has more than doubled in value to $160 billion since it listed on Nasdaq in 2023, carried higher by explosive investor interest in AI. Arm’s partnerships with Nvidia and Amazon have driven its rapid growth in the data centers that power AI assistants from OpenAI, Meta, and Anthropic.

Meta is the latest big tech company to turn to Arm for server chips, displacing those traditionally provided by Intel and AMD.

During last month’s earnings call, Meta’s finance chief Susan Li said it would be “extending our custom silicon efforts to [AI] training workloads” to drive greater efficiency and performance by tuning its chips to its particular computing needs.

Meanwhile, an Arm-produced chip is also likely to eventually play a role in Sir Jony Ive’s secretive plans to build a new kind of AI-powered personal device, which is a collaboration between the iPhone designer’s firm LoveFrom, OpenAI’s Sam Altman, and SoftBank.

Arm’s designs have been used in more than 300 billion chips, including almost all of the world’s smartphones. Its power-efficient designs have made its CPUs, the general-purpose workhorse that sits at the heart of any computer, an increasingly attractive alternative to Intel’s chips in PCs and servers at a time when AI is making data centers much more energy-intensive.

Arm, which started out in a converted turkey barn in Cambridgeshire 35 years ago, became ubiquitous in the mobile market by licensing its designs to Apple for its iPhone chips, as well as Android suppliers such as Qualcomm and MediaTek. Maintaining its unique position in the center of the fiercely competitive mobile market has required a careful balancing act for Arm.

But Son has long pushed for Arm to make more money from its intellectual property. Under Haas, who became chief executive in 2022, Arm’s business model began to evolve, with a focus on driving higher royalties from customers as the company designs more of the building blocks needed to make a chip.

Going a step further by building and selling its own complete chip is a bold move by Haas that risks putting it on a collision course with customers such as Qualcomm, which is already locked in a legal battle with Arm over licensing terms, and Nvidia, the world’s most valuable chipmaker.

Arm, SoftBank, and Meta declined to comment.

Additional reporting by Hannah Murphy.

© 2025 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.


AMD promises “mainstream” 4K gaming with next-gen GPUs as current-gen GPU sales tank

AMD announced its fourth-quarter earnings yesterday, and the numbers were mostly rosy: $7.7 billion in revenue and a 51 percent profit margin, compared to $6.2 billion and 47 percent a year ago. The biggest winner was the data center division, which made $3.9 billion thanks to Epyc server processors and Instinct AI accelerators, and Ryzen CPUs are also selling well, helping the company’s client segment earn $2.3 billion.

But if you were looking for a dark spot, you’d find it in the company’s gaming division, which earned a relatively small $563 million, down 59 percent from a year ago. AMD’s Lisa Su blamed this on both dedicated graphics card sales and sales from the company’s “semi-custom” chips (that is, the ones created specifically for game consoles like the Xbox and PlayStation).

Other data sources suggest that the response from GPU buyers to AMD’s Radeon RX 7000 series, launched between late 2022 and early 2024, has been lackluster. The Steam Hardware Survey, a noisy but broadly useful barometer for GPU market share, shows no RX 7000-series models in the top 50; only two of the GPUs (the 7900 XTX and 7700 XT) are used in enough gaming PCs to be mentioned on the list at all, with the others all getting lumped into the “other” category. Jon Peddie Research recently estimated that AMD was selling roughly one dedicated GPU for every seven or eight sold by Nvidia.

But hope springs eternal. Su confirmed on AMD’s earnings call that the new Radeon RX 9000-series cards, announced at CES last month, would be launching in early March. The Radeon RX 9070 and 9070 XT are both aimed toward the middle of the graphics card market, and Su said that both would bring “high-quality gaming to mainstream players.”

An opportunity, maybe

“Mainstream” could mean a lot of things. AMD’s CES slide deck positioned the 9070 series alongside Nvidia’s RTX 4070 Ti ($799) and 4070 Super ($599) and its own RX 7900 XT, 7900 GRE, and 7800 XT (between $500 and $730 as of this writing), a pretty wide price spread that is still more expensive than an entire high-end console. The GPUs could still rely heavily on upscaling algorithms like AMD’s FidelityFX Super Resolution (FSR) to hit playable frame rates at those resolutions, rather than targeting native 4K.


AMD’s new laptop CPU lineup is a mix of new silicon and new names for old silicon

AMD’s CES announcements include a tease about next-gen graphics cards, a new flagship desktop CPU, and a modest refresh of its processors for handheld gaming PCs. But the company’s largest announcement, by volume, is about laptop processors.

Today the company is expanding the Ryzen AI 300 lineup with a batch of updated high-end chips with up to 16 CPU cores and some midrange options for cheaper Copilot+ PCs. AMD has repackaged some of its high-end desktop chips for gaming laptops, including the first Ryzen laptop CPU with 3D V-Cache enabled. And there’s also a new-in-name-only Ryzen 200 series, another repackaging of familiar silicon to address lower-budget laptops.

Ryzen AI 300 is back, along with high-end Max and Max+ versions

Ryzen AI is back, with Max and Max+ versions that include huge integrated GPUs. Credit: AMD

We came away largely impressed by the initial Ryzen AI 300 processors in August 2024, and new processors being announced today expand the lineup upward and downward.

AMD is announcing the Ryzen AI 7 350 and Ryzen AI 5 340 today, along with identically specced Pro versions of the same chips with a handful of extra features for large businesses and other organizations.

Midrange Ryzen AI processors should expand Copilot+ features into somewhat cheaper x86 PCs. Credit: AMD

The 350 includes eight CPU cores split evenly between large Zen 5 cores and smaller, slower but more efficient Zen 5C cores, plus a Radeon 860M with eight integrated graphics cores (down from a peak of 16 for the Ryzen AI 9). The 340 has six CPU cores, again split evenly between Zen 5 and Zen 5C, and a Radeon 840M with four graphics cores. But both have the same 50 TOPS NPUs as the higher-end Ryzen AI chips, qualifying both for the Copilot+ label.

For consumers, AMD is launching three high-end chips across the new “Ryzen AI Max+” and “Ryzen AI Max” families. Compared to the existing Strix Point-based Ryzen AI processors, Ryzen AI Max+ and Max include more CPU cores, and all of their cores are higher-performing Zen 5 cores, with no Zen 5C cores mixed in. The integrated graphics also get significantly more powerful, with as many as 40 cores built in—these chips seem to be destined for larger thin-and-light systems that could benefit from more power but don’t want to make room for a dedicated GPU.


AMD launches new Ryzen 9000X3D CPUs for PCs that play games and work hard

AMD’s batch of CES announcements this year includes just two new products for desktop PC users: the new Ryzen 9 9950X3D and 9900X3D. Both will be available at some point in the first quarter of 2025.

Both processors include additional CPU cores compared to the 9800X3D that launched in November. The 9900X3D includes 12 Zen 5 CPU cores with a maximum clock speed of 5.5 GHz, and the 9950X3D includes 16 cores with a maximum clock speed of 5.7 GHz. Both include 64MB of extra L3 cache compared to the regular 9900X and 9950X, for a total cache of 144MB and 140MB, respectively; games in particular tend to benefit disproportionately from this extra cache memory.

But the 9950X3D and 9900X3D aren’t being targeted at people who build PCs primarily to game—the company says their game performance is usually within 1 percent of the 9800X3D. These processors are for people who want peak game performance when they’re playing something but also need lots of CPU cores for chewing on CPU-heavy workloads during the workday.

AMD estimates that the Ryzen 9 9950X3D is about 8 percent faster than the 7950X3D when playing games and about 13 percent faster in professional content creation apps. These modest gains are more or less in line with the small performance bump we’ve seen in other Ryzen 9000-series desktop CPUs.


AMD’s new Ryzen Z2 CPUs boost gaming handhelds, if you buy the best one

Nearly two years ago, AMD announced its first Ryzen Z1 processors. These were essentially the same silicon that AMD was putting in high-end thin-and-light laptops but tuned specifically for handheld gaming PCs like the Steam Deck and Asus ROG Ally X. As part of its CES announcements today, AMD is refreshing that lineup with three processors, all slated for an undisclosed date in the first quarter of 2025.

Although they’re all part of the “Ryzen Z2” family, each of these three chips is actually much different under the hood, and some of them are newer than others.

The Ryzen Z2 Extreme is what you’d expect from a refresh: a straightforward upgrade to both the CPU and GPU architectures of the Ryzen Z1 Extreme. Based on the same “Strix Point” architecture as the Ryzen AI 300 laptop processors, the Z2 Extreme includes eight CPU cores (three high-performance Zen 5 cores, five smaller and efficiency-optimized Zen 5C cores) and an unnamed RDNA 3.5 GPU with 16 of AMD’s compute units (CUs). These should both provide small bumps to CPU and GPU performance relative to the Ryzen Z1 Extreme, which used eight Zen 4 CPU cores and 12 RDNA 3 GPU cores.

AMD’s full Ryzen Z2 lineup, which obfuscates the fact that these three chips are all using different CPU and GPU architectures. Credit: AMD

The Ryzen Z2, on the other hand, appears to be exactly the same chip as the Ryzen Z1 Extreme, but with a different name. Like the Z1 Extreme, it has eight Zen 4 cores with a 5.1 GHz maximum clock speed and an RDNA 3 GPU with 12 cores.


New Radeon RX 9000 GPUs promise to fix two of AMD’s biggest weaknesses

Nvidia is widely expected to announce specs, pricing, and availability information for the first few cards in the new RTX 50 series at its CES keynote later today. AMD isn’t ready to get as specific about its next-generation graphics lineup yet, but the company shared a few morsels today about its next-generation RDNA 4 graphics architecture and its 9000-series graphics cards.

AMD mentioned that RDNA 4 cards were on track to launch in early 2025 during a recent earnings call, acknowledging that shipments of current-generation RX 7000-series cards were already slowing down. CEO Lisa Su said then that the architecture would include “significantly higher ray-tracing performance” as well as “new AI capabilities.”

AMD’s RDNA 4 launch will begin with the 9070 XT and 9070, which are both being positioned as upper-midrange GPUs like the RTX 4070 series. Credit: AMD

The preview the company is providing today provides few details beyond those surface-level proclamations. The compute units will be “optimized,” AI compute will be “supercharged,” ray-tracing will be “improved,” and media encoding quality will be “better,” but AMD isn’t providing hard numbers for anything at this point. The RDNA 4 launch will begin with the Radeon RX 9070 XT and 9070 at some point in Q1 of 2025, and AMD will provide more information “later in the quarter.”

The GPUs will be built on a 4 nm process, presumably from TSMC, an upgrade from the 5 nm process used for the 7000-series GPUs and the 6 nm process used for the separate memory controller chiplets (AMD hasn’t said whether RDNA 4 GPUs are using chiplets; the 7000 series used them for high-end GPUs but not lower-end ones).

FSR 4 will be AMD’s first ML-powered upscaling algorithm, similar to Nvidia’s DLSS, Intel’s XeSS (on Intel GPUs), and Apple’s MetalFX. This generally results in better image quality but more restrictive hardware requirements. Credit: AMD

We do know that AMD’s next-generation upscaling algorithm, FidelityFX Super Resolution 4, has been “developed for AMD RDNA 4,” and it will be the first version of FSR to use machine learning-powered upscaling. Nvidia’s DLSS and Intel’s XeSS (when running on Intel GPUs) also use ML-powered upscaling, which generally leads to better results but also has stricter hardware requirements than older versions of FSR. AMD isn’t saying whether FSR 4 will work on any older Radeon cards.


AMD’s trusted execution environment blown wide open by new BadRAM attack


Attack bypasses AMD protection promising security, even when a server is compromised.

One of the oldest maxims in hacking is that once an attacker has physical access to a device, it’s game over for its security. The basis is sound. It doesn’t matter how locked down a phone, computer, or other machine is; if someone intent on hacking it gains the ability to physically manipulate it, the chances of success are all but guaranteed.

In the age of cloud computing, this widely accepted principle is no longer universally true. Some of the world’s most sensitive information—health records, financial account information, sealed legal documents, and the like—now often resides on servers that receive day-to-day maintenance from unknown administrators working in cloud centers thousands of miles from the companies responsible for safeguarding it.

Bad (RAM) to the bone

In response, chipmakers have begun baking protections into their silicon to provide assurances that even if a server has been physically tampered with or infected with malware, sensitive data funneled through virtual machines can’t be accessed without an encryption key that’s known only to the VM administrator. Under this scenario, admins inside the cloud provider, law enforcement agencies with a court warrant, and hackers who manage to compromise the server are out of luck.

On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it.

If a VM has been backdoored, the cryptographic attestation will fail and immediately alert the VM admin of the compromise. Or at least that’s how SEV-SNP is designed to work. BadRAM is an attack that a server admin can carry out in minutes, using either about $10 of hardware, or in some cases, software only, to cause DDR4 or DDR5 memory modules to misreport during bootup the amount of memory capacity they have. From then on, SEV-SNP will be permanently made to suppress the cryptographic hash attesting its integrity even when the VM has been badly compromised.

“BadRAM completely undermines trust in AMD’s latest Secure Encrypted Virtualization (SEV-SNP) technology, which is widely deployed by major cloud providers, including Amazon AWS, Google Cloud, and Microsoft Azure,” members of the research team wrote in an email. “BadRAM for the first time studies the security risks of bad RAM—rogue memory modules that deliberately provide false information to the processor during startup. We show how BadRAM attackers can fake critical remote attestation reports and insert undetectable backdoors into _any_ SEV-protected VM.”

Compromising the AMD SEV ecosystem

On a website providing more information about the attack, the researchers wrote:

Modern computers increasingly use encryption to protect sensitive data in DRAM, especially in shared cloud environments with pervasive data breaches and insider threats. AMD’s Secure Encrypted Virtualization (SEV) is a cutting-edge technology that protects privacy and trust in cloud computing by encrypting a virtual machine’s (VM’s) memory and isolating it from advanced attackers, even those compromising critical infrastructure like the virtual machine manager or firmware.

We found that tampering with the embedded SPD chip on commercial DRAM modules allows attackers to bypass SEV protections—including AMD’s latest SEV-SNP version. For less than $10 in off-the-shelf equipment, we can trick the processor into allowing access to encrypted memory. We build on this BadRAM attack primitive to completely compromise the AMD SEV ecosystem, faking remote attestation reports and inserting backdoors into any SEV-protected VM.

In response to a vulnerability report filed by the researchers, AMD has already shipped patches to affected customers, a company spokesperson said. The researchers say there are no performance penalties, other than the possibility of additional time required during boot up. The BadRAM vulnerability is tracked in the industry as CVE-2024-21944 and AMD-SB-3015 by the chipmaker.

A stroll down memory lane

Modern dynamic random access memory for servers typically comes in the form of DIMMs, short for Dual In-Line Memory Modules. The basic building blocks of these rectangular sticks are capacitors, which, when charged, represent a binary 1 and, when discharged, represent a 0. The capacitors are organized into cells, which are organized into arrays of rows and columns, which are further arranged into ranks and banks. The more capacitors that are stuffed into a DIMM, the more capacity it has to store data. Servers usually have multiple DIMMs that are organized into channels that can be processed in parallel.

For a server to store or access a particular piece of data, it first must locate where the bits representing it are stored in this vast configuration of transistors. Locations are tracked through addresses that map the channel, rank, bank, row, and column. For performance reasons, the task of translating these physical addresses to DRAM address bits—a job assigned to the memory controller—isn’t a one-to-one mapping. Rather, consecutive addresses are spread across different channels, ranks, and banks.

Before the server can map these locations, it must first know how many DIMMs are connected and the total capacity of memory they provide. This information is provided each time the server boots, when the BIOS queries the SPD—short for Serial Presence Detect—chip found on the surface of the DIMM. This chip is responsible for providing the BIOS basic information about available memory. BadRAM causes the SPD chip to report that its capacity is twice what it actually is. It does this by adding an extra addressing bit.

To do this, a server admin need only briefly connect a specially programmed Raspberry Pi to the SPD chip just once.

The researchers’ Raspberry Pi connected to the SPD chip of a DIMM. Credit: De Meulemeester et al.

Hacking by numbers, 1, 2, 3

In some cases, with certain DIMM models that don’t adequately lock down the chip, the modification can likely be done through software. In either case, the modification need only occur once. From then on, the SPD chip will falsify the memory capacity available.

Next, the server admin configures the operating system to ignore the newly created “ghost memory,” meaning the top half of the capacity reported by the compromised SPD chip, but continue to map to the lower half of the real memory. On Linux, this configuration can be done with the `memmap` kernel command-line parameter. The researchers’ paper, titled BadRAM: Practical Memory Aliasing Attacks on Trusted Execution Environments, provides many more details about the attack.

Next, a script developed as part of BadRAM allows the attacker to quickly find the memory locations of ghost memory bits. These aliases give the attacker access to memory regions that SEV-SNP is supposed to make inaccessible. This allows the attacker to read and write to these protected memory regions.

Access to this normally fortified region of memory allows the attacker to copy the cryptographic hash SEV-SNP creates to attest to the integrity of the VM. The access also permits the attacker to boot an SEV-compliant VM that has been backdoored. Normally, this malicious VM would trigger a warning in the form of a cryptographic hash. BadRAM allows the attacker to replace this attestation failure hash with the attestation success hash collected earlier.

The primary steps involved in BadRAM attacks are:

  1. Compromise the memory module to lie about its size and thus trick the CPU into accessing the nonexistent ghost addresses that have been silently mapped to existing memory regions.
  2. Find aliases. These addresses map to the same DRAM location.
  3. Bypass CPU Access Control. The aliases allow the attacker to bypass memory protections that are supposed to prevent the reading of and writing to regions storing sensitive data.

Beware of the ghost bit

For those looking for more technical details, Jesse De Meulemeester, who along with Luca Wilke was lead co-author of the paper, provided the following, which more casual readers can skip:

In our attack, there are two addresses that go to the same DRAM location; one is the original address, the other one is what we call the alias.

When we modify the SPD, we double its size. At a low level, this means all memory addresses now appear to have one extra bit. This extra bit is what we call the “ghost” bit; it is the address bit that is used by the CPU, but is not used (thus ignored) by the DIMM. The addresses for which this “ghost” bit is 0 are the original addresses, and the addresses for which this bit is 1 are the “ghost” memory.

This explains how we can access protected data like the launch digest. The launch digest is stored at an address with the ghost bit set to 0, and this address is protected; any attempt to access it is blocked by the CPU. However, if we try to access the same address with the ghost bit set to 1, the CPU treats it as a completely new address and allows access. On the DIMM side, the ghost bit is ignored, so both addresses (with ghost bit 0 or 1) point to the same physical memory location.

A small example to illustrate this:

Original SPD: 4 bit addresses:

CPU: address 1101 -> DIMM: address 1101

Modified SPD: Reports 5 bits even though it only has 4:

CPU: address 01101 -> DIMM: address 1101

CPU: address 11101 -> DIMM: address 1101

In this case 01101 is the protected address, 11101 is the alias. Even though to the CPU they seem like two different addresses, they go to the same DRAM location.
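
The ghost-bit aliasing described above can be reproduced in a small simulation, which also shows how a write-then-read-back test exposes a module that reports more address bits than it has. This is an added example, not code from the BadRAM researchers or AMD; the class and function names are hypothetical, and the model assumes the simple linear mapping of the 4-bit/5-bit illustration, not a real memory controller's address mapping.

```python
# Added illustration: a simulated DIMM, not real hardware access.
# Class and function names are hypothetical.

class SimulatedDimm:
    """DRAM with `real_bits` address lines whose SPD reports `reported_bits`."""

    def __init__(self, real_bits, reported_bits):
        self.real_bits = real_bits
        self.reported_bits = reported_bits
        self.cells = [0] * (1 << real_bits)

    def dram_address(self, cpu_addr):
        if not 0 <= cpu_addr < (1 << self.reported_bits):
            raise ValueError("address outside the size the SPD reports")
        # Only real_bits lines are wired up; any higher bit is ignored.
        return cpu_addr & ((1 << self.real_bits) - 1)

    def read(self, cpu_addr):
        return self.cells[self.dram_address(cpu_addr)]

    def write(self, cpu_addr, value):
        self.cells[self.dram_address(cpu_addr)] = value


def ignored_address_bits(dimm, probe_addr=0):
    """Return the reported address bits the module ignores ([] if none)."""
    ignored = []
    for bit in range(dimm.reported_bits):
        partner = probe_addr ^ (1 << bit)
        saved_probe, saved_partner = dimm.read(probe_addr), dimm.read(partner)
        dimm.write(probe_addr, 0xA5)
        dimm.write(partner, 0x5A)
        if dimm.read(probe_addr) != 0xA5:   # partner write hit the same cell
            ignored.append(bit)
        dimm.write(partner, saved_partner)  # restore original contents
        dimm.write(probe_addr, saved_probe)
    return ignored


def passes_alias_check(dimm):
    """A module is accepted only if every reported address bit is honoured."""
    return not ignored_address_bits(dimm)


if __name__ == "__main__":
    honest = SimulatedDimm(real_bits=4, reported_bits=4)
    modified = SimulatedDimm(real_bits=4, reported_bits=5)  # the 4-bit/5-bit case
    print(passes_alias_check(honest), ignored_address_bits(modified))
```
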

As noted earlier, some DIMM models don’t lock down the SPD chip, a failure that likely makes software-only modifications possible. Specifically, the researchers found that two DDR4 models made by Corsair contained this flaw.

In a statement, AMD officials wrote:

AMD believes exploiting the disclosed vulnerability requires an attacker either having physical access to the system, operating system kernel access on a system with unlocked memory modules, or installing a customized, malicious BIOS. AMD recommends utilizing memory modules that lock Serial Presence Detect (SPD), as well as following physical system security best practices. AMD has also released firmware updates to customers to mitigate the vulnerability.

Members of the research team are from KU Leuven, the University of Lübeck, and the University of Birmingham. Specifically, they are:

The researchers tested BadRAM against the Intel SGX, a competing microprocessor sold by AMD’s much bigger rival promising integrity assurances comparable to SEV-SNP. The classic, now-discontinued version of the SGX did allow reading of protected regions, but not writing to them. The current Intel Scalable SGX and Intel TDX processors, however, allowed no reading or writing. Since a comparable Arm processor wasn’t available for testing, it’s unknown if it’s vulnerable.

Despite the lack of universality, the researchers warned that the design flaws underpinning the BadRAM vulnerability may creep into other systems, and that such systems should always use the mitigations AMD has now put in place.

“Since our BadRAM primitive is generic, we argue that such countermeasures should be considered when designing a system against untrusted DRAM,” the researchers wrote in their paper. “While advanced hardware-level attacks could potentially circumvent the currently used countermeasures, further research is required to judge whether they can be carried out in an impactful attacker model.”

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.

AMD unveils powerful new AI chip to challenge Nvidia

On Thursday, AMD announced its new MI325X AI accelerator chip, which is set to roll out to data center customers in the fourth quarter of this year. At an event hosted in San Francisco, the company claimed the new chip offers “industry-leading” performance compared to Nvidia’s current H200 GPUs, which are widely used in data centers to power AI applications such as ChatGPT.

With its new chip, AMD hopes to narrow the performance gap with Nvidia in the AI processor market. The Santa Clara-based company also revealed plans for its next-generation MI350 chip, which is positioned as a head-to-head competitor of Nvidia’s new Blackwell system, with an expected shipping date in the second half of 2025.

In an interview with the Financial Times, AMD CEO Lisa Su expressed her ambition for AMD to become the “end-to-end” AI leader over the next decade. “This is the beginning, not the end of the AI race,” she told the publication.

The AMD Instinct MI325X Accelerator. Credit: AMD

According to AMD’s website, the announced MI325X accelerator contains 153 billion transistors and is built on the CDNA3 GPU architecture using TSMC’s 5 nm and 6 nm FinFET lithography processes. The chip includes 19,456 stream processors and 1,216 matrix cores spread across 304 compute units. With a peak engine clock of 2100 MHz, the MI325X delivers up to 2.61 PFLOPs of peak eight-bit precision (FP8) performance. For half-precision (FP16) operations, it reaches 1.3 PFLOPs.
