You'd need physical access while it is running as the target is using it.

Judging by the Reddit threads I saw, A LOT of people were upset even though it was clear that they had not idea what the feature actually provided beyond “encryption”. I’d guess that the majority assumed that the change would result in them basically having to “encryption” in affected AMD devices any more in some vague general sense.

Physical hardware products shouldn't lose features after launch. If this was a "mistaken" feature which they suggested it was they should have disabled it on future chips.

And it does reduce memory speed by about 0.5-1%.

> I wonder if this was also something they just accidentally broke

Their statement suggests it was a calculated decision, reversed after public backlash. I greatly appreciate they listened to user feedback, but they shouldn't have done it secretly to begin with.

> Based on valuable community feedback, we will reinstate this option in an upcoming BIOS release in July.

The encryption/decryption is done in the memory controller so it doesn't matter where the access is coming from.

There are many ways it can work depending on the cpu:

1. No dma, instead you use bounce buffers and the cpu manually encrypts and decrypts on behalf of the pcie

2. The IOMMU sets certain pages as unencrypted and ensures the pcie only accesses those pages and that part of ram alone is now not encrypted.

3. Newer pcie devices use the TDISP(handshake) and IDE(aes gcm hardware module related stuff) protocols to do encrypted communication with the CPUs PCIe root hub, where this functionality is called TIO i.e trusted io on amd and TX connect on intel. As far as nvidia GPUs go which is where I have used this, H100 onwards have the feature. Only server xeons and turins etc support this feature on the cpu side. I think some server SSDs do too. Here you get full encryption full DMA at full bandwidth.