Why Linus Torvalds Wants to Disable AMD’s fTPM RNG – A Hidden Kernel Issue
Linus Torvalds has publicly criticized AMD’s firmware‑based TPM random number generator for causing system stalls on Linux, urging the community to disable the fTPM hwrng until reliable fixes are delivered, highlighting broader security and firmware concerns.
21CTO editorial: Ongoing problems with Linux and AMD's fTPM (firmware‑based TPM) are unsettling kernel maintainers, including Linus Torvalds, who suggests disabling the module's random number generator altogether.
Linus Torvalds recently expressed strong dissatisfaction on the Linux kernel mailing list about AMD fTPM’s hardware RNG, which has caused noticeable stalls on AMD Ryzen systems, first observed on Windows and now affecting Linux users.
Although patches have been back‑ported to earlier kernels, several stubborn issues related to the AMD fTPM RNG remain unresolved, with some users still reporting freezes.
A new bug report indicates that on certain AMD platforms, using fTPM (firmware version 0x3005700020005) can trigger stalls, and existing kernel patches have not alleviated the problem.
"Let's disable the stupid fTPM hwrnd." "Maybe it can be used at boot to collect entropy from different sources, but it clearly should not run at runtime." "Why would anyone use this broken thing when a supposedly fixed machine still has no issues with the CPU’s rdrand instruction?" "If you don’t trust the CPU’s rdrand implementation (it has its own vulnerabilities), why trust an fTPM version that causes more problems? I see no downside to saying ‘that fTPM thing isn’t working.’ Even if it works later, there are alternatives that aren’t worse."
He added:
"So, problems with RDRAND seem unlikely, but who knows… Microcode can do anything, and the original fTPM issue appears to stem from BIOS doing something crazy, like SPI flash access." "I can imagine BIOS fTPM code using a terrifying global EFI synchronization lock, causing unrelated random issues. If CPU microcode could do similar things, I’d be surprised, but it’s possible – HP once used SMI to mess up the timestamp counter, and I can imagine similar tricks on rdrand." "Compared to an ‘EFI BIOS uses one big lock’ approach, this sounds less likely. Thus rdrand (especially rdseed) may be slow, but we’re talking hundreds to a few thousand CPU cycles, which is far different from the stalls reported for fTPM."
Torvalds’s full comments are available at the linked kernel mailing list archive.
While fTPM can be disabled in the BIOS, doing so limits system functionality, especially for hardware encryption and security features that Windows 11 relies on.
AMD previously recommended using a physical TPM module in place of the firmware TPM on many motherboards, though this requires first disabling TPM‑dependent encryption and having a compatible motherboard, and even then the replacement is not guaranteed to work reliably.
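A less drastic check than disabling fTPM in the BIOS is to look at which device the kernel's hw_random framework is actually drawing runtime entropy from. The following POSIX shell script is an added example, not code from the article, The Register, or the kernel tree; it assumes the standard sysfs interface under /sys/devices/virtual/misc/hw_random and the kernel's tpm-rng-N naming for TPM-backed sources, and the virtio_rng.0 name in its comment is a constructed stand-in for whatever rng_available lists on a given machine.

```shell
#!/bin/sh
# Added example, not code from the article or the kernel project.
# Audits which device the Linux hw_random framework currently feeds into
# the entropy pool and flags the TPM-backed one (registered as tpm-rng-N).
# Assumes the standard sysfs interface; HWRNG_DIR may be overridden so the
# functions can be exercised against a constructed directory.
HWRNG_DIR=${HWRNG_DIR:-/sys/devices/virtual/misc/hw_random}

# Print the active hwrng name, or "none" when the framework is not present.
hwrng_current() {
    dir=${1:-$HWRNG_DIR}
    if [ -r "$dir/rng_current" ]; then
        cat "$dir/rng_current"
    else
        echo none
    fi
}

# Succeed (exit 0) when runtime entropy is being pulled from a TPM RNG.
hwrng_is_tpm() {
    case "$(hwrng_current "$1")" in
        tpm-rng-*) return 0 ;;
        *)         return 1 ;;
    esac
}

# List the other registered sources the kernel could be switched to.
hwrng_alternatives() {
    dir=${1:-$HWRNG_DIR}
    cur=$(hwrng_current "$dir")
    [ -r "$dir/rng_available" ] || return 0
    for src in $(cat "$dir/rng_available"); do
        [ "$src" = "$cur" ] || echo "$src"
    done
}

# Human-readable verdict. Switching source is a root-only write, e.g.
#   echo virtio_rng.0 > "$HWRNG_DIR/rng_current"   (constructed name)
# which changes only the kernel's hwrng input; the TPM itself stays enabled.
hwrng_report() {
    dir=${1:-$HWRNG_DIR}
    cur=$(hwrng_current "$dir")
    if [ "$cur" = none ]; then
        echo "hw_random framework not present; no runtime hwrng in use"
    elif hwrng_is_tpm "$dir"; then
        echo "WARNING: hwrng is $cur (TPM-backed); AMD fTPM stalls possible"
        echo "alternatives: $(hwrng_alternatives "$dir" | tr '\n' ' ')"
    else
        echo "OK: hwrng is $cur"
    fi
}

hwrng_report
```

Switching the source only changes what the kernel mixes in at runtime; TPM-backed features such as disk encryption keys are unaffected, which is the distinction Torvalds draws between the hwrng and the fTPM as a whole.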
Edited by the author. Reference: https://www.theregister.com/2023/07/31/linus_torvalds_ftpm/