
I knew this was going to be due to the AMD fTPM stuttering. I've had it on my machine since I switched back to AMD in 2019. The BIOS updates haven't helped, and the discrete TPM I tried just made the system unbootable. I'm just used to it now.

Honestly, as much as AMD's processors are often great value for money, I have never had a completely stable glitch-free AMD system.



I’ve built several AMD systems over the past 20 years, and until now all the ones with nvidia GPUs were absolutely rock solid wrt hardware. The Radeon builds suffered various mostly minor GPU driver problems.

But son of a bitcoin, my current PC has this exact stuttering problem! And all this time I just assumed it was Windows being stupid about normal I/O. But come to think of it, I did recently have a conversation with my even-hardware-geekier brother in which I said something like “How in the hell can Windows have become so sloppy that the mouse cursor can be regularly interrupted during normal use? That should be logically impossible by design.”

But now I bet it’s this motherboard thing preempting everything and it all makes sense.


For what it's worth, I use my desktop for work and gaming. All AMD system for the past 3 years (CPU/GPU). No glitches or stuttering. Windows 10 with fTPM disabled since I have no interest in Windows 11.

Been AMD only for CPU in my desktop the past 15 years or so and haven't had these glitch/stutter issues.

All of this is anecdotal, but I just find it odd you've never had a "stable glitch-free AMD system." But it might vary depending on motherboard, motherboard OEM and motherboard chipset. (Was on Asus X470, now on MSI X570.)


A long time ago, trying to play a Battlefield 1942 star wars mod with my Radeon 9700pro would crash my computer after ~10 minutes. Base game was fine. EoD was fine. Everything else was fine. Except this mod. No amount of tweaking helped. Later, upgrading to a 9800pro, problems disappeared. I didn't want it to be like that but it did.


I had a 9800 pro and I could not crack like 8 fps in battlefield 1942. Support on either end shrugged.


Strange, I had a 9700 Pro and played BF1942 more hours than any other game in my life. Big 1600x1200 CRT and it held an okay frame rate.


My thinking is that it's not the AMD CPUs that are the problem, but rather the Intel chipsets and chipset drivers generally seem to have fewer issues. It could also be that Microsoft and others do more testing on Intel-based systems.

For what it's worth, I also indirectly support quite a lot of corporate systems, and we've had a fair amount of flakiness with AMD Thinkpads. Not every laptop has issues, and not in every situation, but we get issues significantly more often for the AMD machines - this is visible clearly in the stats we keep. Anything involving docks seems to be particularly problematic. It could be that Lenovo are just making terrible devices and I'm unfairly blaming AMD - but the Intel ones are rock solid.

Also I've used TPM for years, possibly since Windows 7 I think, in order to get full disk encryption with Bitlocker. More recently I've been playing with remote attestation.


Installing a TPM module and then failing to get the computer to boot suggests that they don't know how to use the TPM in concert with an operating system. It's possible they don't even know what TPM is for or why they enabled/installed it in the first place.


Of course I know how to use a TPM and why one might use it. It's rather unfair of you to assume that I don't because the hardware I bought doesn't function properly.

The computer failed to POST after I put in the dTPM, nothing to do with the OS. It's either an issue with the dTPM or the motherboard, but I couldn't figure out what the problem was and didn't want to keep spending money. The motherboard manufacturers provide very little information about how their dTPM interfaces work, and nowadays it can be difficult to find genuine OEM dTPMs due to Win11-related stock shortages.


Failure to boot after replacing the TPM is a key management problem on behalf of the user. Not a hardware problem.


Latest motherboard BIOS might fix it:

https://www.techpowerup.com/295821/amd-releases-agesa-v2-1-2...

"This particular version of AGESA gains importance to those on Windows 11, as it corrects a performance-stuttering issue caused due to frequent polling of the fTPM by the OS."


Indeed it's supposed to, but it doesn't fix it for me. Even if it did, it's pretty annoying that this problem has been around for at least 3 years without a fix.


(I’m the author.) That’s the version I’m running.


Sorry to hear, I have the same problem and was hoping the update would fix it. Although the latest (beta) update did improve things a lot.


I've had a 5900X+X570 machine since late 2020, with fTPM enabled, and never noticed any stuttering. It's a completely flawless system, especially compared to the Intel 4790K machine it replaced, which had loads of random issues like these, unexplainable performance dips and crashes which no tweak could ever fix.


It really seems to vary based on motherboard make and model.

My high-end x570 board from ASUS initially exhibited this behavior, but it was rectified rather quickly with a BIOS update.

I still ended up putting in a real TPM module for convenience reasons. It's hard to experiment with bios settings when half of them end up wiping the fTPM, necessitating me to punch in my BitLocker key on next boot.

Maybe this fiasco combined with Windows 11 will finally push motherboard manufacturers to just build a real TPM into their products rather than relying on these janky fTPM/PTT solutions.


I've had a couple... Two stand out.

One was my glorious AXP1800 + Gigabyte GA-7DXR.

Ok so it -started- glitching eventually, but that was because capacitor plague and not the AMD-ness. But that was a workhorse machine of mine through most of college. The few crashes that I -did- have, were related to other components like video/audio(1) that were no better in a 'full intel' setup.

The other was an unsupported config; Tyan Tiger MPX with Dual 1.0Ghz Morgan Durons, Running Windows 2000. Fun little box.

(1) - At the start of the century, one of the best things I did for system reliability was ditch Creative Labs and their drivers for the Glorious Crystal/HTEnvy cards.


So why do you have f/TPM enabled in the first place? There was no Windows 11 back in 2019. Do you have an actual need for it?


I use Bitlocker FDE.

And frankly, having to disable this bit of hardware that you paid for because it doesn't work properly is bullshit.


AMD's fTPM is a gratis bonus as far as I'm concerned. Bitlocker's disk encryption can be used without TPM. It's less convenient - Windows needs to read the cryptographic key from a USB flash drive at boot - but I'm willing to bet it's much easier to get used to than 3 years of glitching and stuttering.


It's not a "gratis bonus" when I specifically buy a device because I require that feature.

Besides Windows 11 requiring a TPM, which was known to be on the cards for a while now, storing the key on a USB drive is not functionally the same as the TPM. It means either the key material is stored in plaintext on the USB, which is pointless, or I still need to use a PIN. I need my computer to be able to boot without intervention, so that isn't an option.


> It's not a "gratis bonus" when I specifically buy a device because I require that feature.

I don't understand, since fTPM specifically isn't a requirement. Any TPM will work. If you had bought Intel you would have paid more for just the CPU alone, regardless of the cost of a discrete TPM.

> Besides Windows 11 requiring a TPM, which was known to be on the cards for a while now, storing the key on a USB drive is not functionally the same as the TPM. It means either the key material is stored in plaintext on the USB, which is pointless, or I still need to use a PIN. I need my computer to be able to boot without intervention, so that isn't an option.

With f/TPM and no PIN you're storing the keys in plain-text right next to the encrypted content. It's like hanging the keys to your door on the knob. This effectively cancels the point of full-disk encryption for your implied personal use. I cannot believe what I'm reading.


Why is this hard to understand? The CPU and platform are marketed as having an fTPM, but everyone's experience over the last 3 years is that it's faulty. It doesn't matter if there's an alternative solution involving buying a separate device, and it doesn't matter if you think the fTPM isn't necessary. The point is that the features they claimed to support were faulty, untested, and unfixed for many years. That's not acceptable.

Also, your description of how an fTPM works is wrong. The fTPM on AMD is provided by the AMD PSP TEE, which measures your execution environment then seals the drive encryption key. The platform guarantees that it will not unseal the drive encryption key other than to the same combination of trusted hardware and cryptographically verified software that previously sealed the key. The hardware is tamper resistant and has a relatively good track record. dTPM vs fTPM is an active debate, but so far the most practical sniff attack on the TPM only works on dTPMs, though that's partially Microsoft's fault.

If a hard drive is stolen, it is useless without the CPU. If a whole computer is stolen, the data will only be accessible to a very advanced adversary. The list of people on earth who can tamper or trace a CPU to successfully exfiltrate an fTPM key is probably a short list, and nearly all of them will be security researchers, state-level adversaries or APTs. In fact, many government and other highly secure organisations rely on the security of the TPM for disk encryption.

Analogy wise, it's more like having a bouncer guarding your door who only lets you in once he's carefully checked all your biometrics. And if you try to push past him, he blows up the house so you can't get in.

However, would I trust a TPM in isolation if I was likely to be physically raided by the CIA? Probably not.


> everyone's experience over the last 3 years is that it's faulty

Not everyone's. I use the fTPM on a few different Ryzen systems and I don't seem to have any issues. Maybe I'm just lucky though.


> With f/TPM and no PIN you're storing the keys in plain-text right next to the encrypted content.

Not true. If you change the boot parameters it won't release the key. If you were to try and boot a live OS to try and extract the data without respecting ACLs or something, you wouldn't be able to access the key. You also can't actively read the key from the TPM once the system has booted.

Sure, there might be some attackers who may be able to mess with the OS post-boot to have it give up its info, but even the above-average thief off the street isn't going to be able to access my data.
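
Added example, not part of the thread or any commenter's code: a simplified Python model of the PCR-bound sealing described in the comments above (measure the boot chain, seal the key to those measurements, refuse to unseal after a different boot). `ToyTPM`, `boot`, the PCR assignments and the component strings are assumptions made for illustration; a real TPM 2.0 enforces this through policy sessions, and BitLocker's actual PCR profile is not modelled.

```python
import hashlib
import hmac


class ToyTPM:
    """Simplified model of PCR-bound sealing (not a real TPM 2.0 policy session)."""
    def __init__(self):
        self._sealed = {}  # persists across reboots, like TPM-protected storage
        self.reset()

    def reset(self):
        # Power-on: every PCR in the SHA-256 bank starts as 32 zero bytes.
        self.pcrs = {i: bytes(32) for i in range(24)}

    def extend(self, index, component):
        # A PCR cannot be set, only extended: new = H(old || H(component)).
        digest = hashlib.sha256(component).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _composite(self, selection):
        return hashlib.sha256(b"".join(self.pcrs[i] for i in selection)).digest()

    def seal(self, name, secret, selection):
        selection = tuple(sorted(selection))
        self._sealed[name] = (selection, self._composite(selection), secret)

    def unseal(self, name):
        selection, expected, secret = self._sealed[name]
        if not hmac.compare_digest(expected, self._composite(selection)):
            raise PermissionError("PCR values differ from those at seal time")
        return secret


def boot(tpm, chain, seal=None):
    """Reboot, measure each (pcr, component) in order, optionally seal, then unseal."""
    tpm.reset()
    for index, component in chain:
        tpm.extend(index, component)
    if seal is not None:
        tpm.seal("disk-key", seal, {i for i, _ in chain})
    try:
        return tpm.unseal("disk-key")
    except PermissionError:
        return None


# Constructed boot chains; PCR numbers and component strings are illustrative.
TRUSTED = [(0, b"firmware-1.0"), (4, b"os-bootloader"), (7, b"secure-boot=on")]
LIVE_OS = [(0, b"firmware-1.0"), (4, b"live-usb-loader"), (7, b"secure-boot=on")]
```

Calling `boot(tpm, TRUSTED, seal=b"...")` once provisions the key; a later `boot(tpm, TRUSTED)` returns it, while `boot(tpm, LIVE_OS)` returns `None` because PCR 4 no longer matches.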


I have the fTPM enabled on a few AMD Ryzen CPU computers I own. I like using Bitlocker even on my personal machines. I've got a lot of personal information on my computers, FDE helps to keep my data safe in case a drive goes missing.


BitLocker can be used without TPM, for example with a password or a key file on a USB drive. And those are probably safer options if your whole computer gets stolen.


The experience of doing it with a password is pretty poor compared to using a TPM. Every time the computer reboots, I need to type in the password. If it is a remote machine, I have to physically be at the station to type in the password.

Keeping the key file on a USB drive isn't exactly safe either, as there's a high likelihood that flash drive is probably going to be near my computer when stolen. Also, that flash drive may be active and plugged when the system is running, exposing it to the machine directly. Having that key material easily accessible on a flash drive makes it less protected than using the TPM.

Using the TPM gives me a better experience and depending on how things are handled a far more secure way of handling the key. It's way easier to grab the key file off the flash drive than coaxing it out of the TPM without booting the trusted boot process.


They are only safer if you always unplug the USB drive and take it with you. Which I know I would never do reliably enough to offer protection (and I would probably lose the drive eventually which is then actually a complete loss of data unless you have a backup, but if you have a backup then that's yet another weakness in the system). A built in TPM module might have some unknown fault that hasn't been disclosed yet, but I think that's about 10000x less likely than the chance of me forgetting/losing the USB drive with encryption key.


Bitlocker/FDE is a valid use case. I personally prefer to protect sensitive information with software-based solutions that are portable between various operating systems.


Full disk encryption as in Bitlocker?


Maybe. Only they know. I can't answer your question.


> Honestly, as much as AMD's processors are often great value for money, I have never had a completely stable glitch-free AMD system.

If they are glitchy how can they be great value?

I've had the same experience over the past decades - I will never be buying AMD again.



