I recently got a Thinkpad T14 gen 1 AMD and I’m trying to improve the security level.
After running sudo fwupdmgr security --force to display the current level, I get this:
After deep research on the internet on how to enable SPI write protection, I found nothing. I checked the BIOS, but I didn’t find anything there.
So, I’m not sure how to enable this, does anyone know?
sudo fwupdmgr security -v --force
-v stands for verbose and gives you a bit more info. Try also
sudo fwupdmgr security --help #to see more options
So I ran the first command and here’s what I got:
Host Security ID: HSI:1 (v1.9.28)
HSI-1
✔ BIOS firmware updates: Enabled
✔ Fused platform: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
✘ SPI write protection: Disabled
HSI-3
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
✘ SPI replay protection: Not supported
✘ CET Platform: Not supported
HSI-4
✔ Encrypted RAM: Encrypted
✔ SMAP: Enabled
✘ Processor rollback protection: Disabled
Runtime Suffix -!
✔ fwupd plugins: Untainted
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✔ Linux kernel: Untainted
Host Security Events
2025-03-03 18:47:43: ✔ BIOS rollback protection changed: Disabled → Enabled
2025-03-03 18:47:43: ✔ Suspend-to-idle changed: Disabled → Enabled
2025-03-03 18:47:43: ✔ Suspend-to-ram changed: Enabled → Disabled
2025-03-03 18:47:43: ✔ Encrypted RAM changed: Not supported → Encrypted
It doesn’t seem to specify how to enable it.
Does this happen to work? (source )
sudo flashrom --wp-disable
This page mentions FuPluginPciPsp: fwupdmgr security reports disabled SPI write protection · Issue #432 · fwupd/firmware-lenovo · GitHub
It looks like this might report specifically what’s not working:
sudo fwupdtool security -vv
Does this happen to work?
I’m confused, how would disabling it even help?
After running sudo fwupdtool security -vv, this is the gist of what I got.
15:09:08.184 FuPluginPciPsp rollback protection not enforced
15:09:08.184 FuPluginPciPsp no RPMC compatible SPI rom present
15:09:08.184 FuPluginPciPsp ROM armor not enforced
15:09:08.221 FuMain AppstreamId: org.fwupd.hsi.Amd.SpiWriteProtection
Created: 2025-03-04
HsiLevel: 2
HsiResult: not-enabled
HsiResultSuccess: enabled
Flags: action-contact-oem
Name: SPI write protection
Summary: AMD Firmware Write Protection
Description: Firmware Write Protection protects device firmware memory from being tampered with.
Plugin: pci_psp
Uri: https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Amd.SpiWriteProtection
Guid: 0e8dc554-a0a2-51fb-b439-1eb72b14ec38
Guid: 66c84470-1ef2-55dd-89c2-3a240a2380b4
So what I’m getting from this is that it’s not enabled. But the question still remains how to enable it.
thephatlee
(Marko Jokinen)
March 4, 2025, 3:33pm
7
BIOS settings to enable stuff, that was what I did to get HSI 3, since my NVIDIA taints the kernel.
Host Security ID: HSI:3! (v1.9.28)
HSI-1
✔ BIOS firmware updates: Enabled
✔ MEI key manifest: Valid
✔ csme manufacturing mode: Locked
✔ csme override: Locked
✔ csme v0:15.0.50.2633: Valid
✔ Platform debugging: Disabled
✔ SPI write: Disabled
✔ SPI lock: Enabled
✔ SPI BIOS region: Locked
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard: Enabled
✔ Intel BootGuard OTP fuse: Valid
✔ Intel BootGuard verified boot: Valid
✔ Intel GDS mitigation: Enabled
✔ IOMMU: Enabled
✔ Platform debugging: Locked
✔ TPM PCR0 reconstruction: Valid
HSI-3
✔ Intel BootGuard error policy: Valid
✔ CET Platform: Supported
✔ Pre-boot DMA protection: Enabled
✔ Suspend-to-idle: Enabled
✔ Suspend-to-ram: Disabled
HSI-4
✔ SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ fwupd plug-ins: Untainted
✔ CET OS Support: Supported
✔ Linux kernel lockdown: Enabled
✔ Linux swap: Encrypted
✘ Linux kernel: Tainted
This system has HSI runtime issues.
» https://fwupd.github.io/hsi.html#hsi-runtime-suffix
Host Security Events
2025-02-26 13:30:37: ✘ Kernel is tainted
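The two outputs in this thread show why the reported level is lower than the number of green ticks suggests: the level is the highest HSI-N whose attributes all pass, with lower levels also passing, and the "!" suffix appears when any runtime attribute fails. The parser below is an added example (not fwupd's own code, not from any poster); it works on a constructed sample modelled on the T14 output above and reports the level plus the attributes blocking the next one.

```python
import re

# Constructed sample modelled on the T14 gen 1 AMD output posted above; not real output.
T14_SAMPLE = """\
HSI-1
✔ UEFI secure boot: Enabled
HSI-2
✔ BIOS rollback protection: Enabled
✘ SPI write protection: Disabled
HSI-3
✔ Pre-boot DMA protection: Enabled
✘ SPI replay protection: Not supported
HSI-4
✔ Encrypted RAM: Encrypted
✘ Processor rollback protection: Disabled
Runtime Suffix -!
✔ Linux kernel lockdown: Enabled
✔ Linux kernel: Untainted
"""

SECTION_RE = re.compile(r"^(?:HSI-(\d)|Runtime Suffix -!)$")
ATTR_RE = re.compile(r"^([✔✘])\s+(.+?):\s+(.+)$")

def parse_hsi(text):
    """Map each section (1..4 or 'runtime') to a list of (name, result, passed)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = int(m.group(1)) if m.group(1) else "runtime"
            sections.setdefault(current, [])
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(2), m.group(3), m.group(1) == "✔"))
    return sections

def hsi_level(sections):
    """Highest N with every attribute at levels 1..N passing, plus '!' on any runtime failure."""
    level = 0
    for n in sorted(k for k in sections if k != "runtime"):
        if not all(passed for _, _, passed in sections[n]):
            break
        level = n
    runtime_ok = all(p for _, _, p in sections.get("runtime", []))
    return f"HSI:{level}{'' if runtime_ok else '!'}"

def blockers(sections):
    """Failing attributes at the lowest level that is not fully passed."""
    for n in sorted(k for k in sections if k != "runtime"):
        failed = [name for name, _, passed in sections[n] if not passed]
        if failed:
            return n, failed
    return None, []
```

Feed it the saved output of `fwupdmgr security --force` and `blockers()` names exactly the attribute to work on; for the T14 that is the single HSI-2 failure, SPI write protection.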
catanzaro
(Michael Catanzaro)
March 4, 2025, 4:54pm
8
I bet you can’t. This is probably something Lenovo has to fix via a firmware update. fwupdmgr security reports disabled SPI write protection · Issue #432 · fwupd/firmware-lenovo · GitHub seems like the correct issue report for this; Lenovo actively monitors that GitHub repo.
1 Like
I was thinking the setting could be flipped to enable if it did anything, but it seems that’s not related.
opened 10:09AM - 16 Dec 21 UTC
enhancement
help wanted
I have investigated how to implement a check that the BIOS sets the correct flags on AMD platforms to prevent SPI overwrite.
AMD PPR for family 17h has the following text:
> 9.1.7.3.1 Enable SPI ROM Protection
> 1. Program D14F3x050 FCH::ITF::LPC::RomProtect to enable protection for Read or Write memory accesses to SPI
> flash memory space. Up to four memory ranges specified by Rom Protect registers can be protected.
> 2. Program SPIx04 FCH::ITF::SPI::SPIRestrictedCmd or SPIx08 FCH::ITF::SPI::SPIRestrictedCmd2 with SPI
> commands that are required before doing write accesses to the SPI ROM. Use commands such as WR_EN,
> WR_Status and Erase when programming these restricted command registers.
> 3. Program SPIx00 FCH::ITF::SPI::SPICntrl0[SpiHostAccessRomEn] = 0 to protect the registers above from being
> reprogrammed.
> 4. Program SPIx1D FCH::ITF::SPI::AltSPICS[SpiProtectEn0] = 1 to apply Read/Write protection on ranges defined
> by Rom Protect registers (D14F3x50, D14F3x54, D14F3x58, D14F3x5C).
> 5. Program SPIx1D FCH::ITF::SPI::AltSPICS[SpiProtectLock] = 1 to make bits 3, 4, and 5 non-writable.
> Accesses are now blocked by the SPI host preventing write accesses to the SPI ROM.
RomProtect in point 1 lives in PCI configuration space, so should be accessible via sysfs. However, the rest of the registers are mapped in main memory: SPIx04 means SPI_BASE_ADDRESS + 0x04, where SPI_BASE_ADDRESS is outside of PCI config space (in practice it's 0xFEC10000, but it's also stored as a PCI config if we don't want to hard code it). Therefore, I don't see a way to access it on a locked down or [strict_dev_mem](https://cateee.net/lkddb/web-lkddb/STRICT_DEVMEM.html) kernel. Debian — and I guess other distributions — has [a patch to enable lock down](https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch) automatically when secure boot is enabled.
In principle, this is something similar to Intel's BIOS Lock Enable and friends, and we'd like the kernel to export it. Given that the [latest attempt I could find](https://lore.kernel.org/all/20200930163714.12879-1-daniel.gutson@eclypsium.com/) to do that for Intel was abandoned a year ago, I'm not sure how much hope there is on that front. cc @dgutson
There *is* one driver right now in the kernel that accesses this memory space: the [amd-spi driver](https://elixir.bootlin.com/linux/latest/source/drivers/spi/spi-amd.c). I'm not clear how SPI drivers are plumbed in the kernel, but looking at the code and the AMD spec, I can guess that SPI_BASE_ADDRESS ends up being assigned to `amd_spi.io_remap_addr` in that code. The code does not access or check the lock flags though, and I don't think it belongs to an SPI driver to do that. We could try and reach out to the AMD maintainer of that driver.
Any thoughts?
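Of the five PPR steps quoted in the issue, only step 1 (the RomProtect registers at D14F3x50..x5C) lives in PCI config space, which the issue notes is readable through sysfs without touching MMIO. The decoder below is an added example, not code from fwupd or the issue author; the sysfs path and the bit layout (taken from coreboot's amdblocks/lpc.h) are assumptions to verify against the PPR for your family, and it does not reproduce fwupd's pci_psp check.

```python
import struct
from pathlib import Path

# D14F3 is the FCH LPC bridge; the PPR quoted above puts the four RomProtect
# registers at D14F3x50..x5C, i.e. bytes 0x50..0x5F of its config space. Sysfs
# exposes that space as a file (reading past byte 64 needs root). Path assumed.
LPC_CONFIG = Path("/sys/bus/pci/devices/0000:00:14.3/config")
ROM_PROTECT_OFFSET = 0x50

# Bit layout is an ASSUMPTION taken from coreboot's amdblocks/lpc.h, not from
# this thread; confirm it against the PPR for your CPU family before relying on it.
BASE_MASK = 0xFFFFF000  # bits 31:12: base of the protected range
WP_BIT = 1 << 10        # write protect
RP_BIT = 1 << 9         # read protect
UNIT_BIT = 1 << 8       # 0: range counted in 4 KiB units, 1: in 64 KiB units
RANGE_MASK = 0xFF       # bits 7:0: raw range field, left undecoded here

def decode_rom_protect(reg):
    """Decode one 32-bit RomProtect register into its fields."""
    return {
        "base": reg & BASE_MASK,
        "unit": 0x10000 if reg & UNIT_BIT else 0x1000,
        "range_field": reg & RANGE_MASK,
        "write_protect": bool(reg & WP_BIT),
        "read_protect": bool(reg & RP_BIT),
    }

def rom_protect_ranges(config):
    """Parse all four RomProtect registers from a PCI config-space blob."""
    regs = struct.unpack_from("<4I", config, ROM_PROTECT_OFFSET)
    return [decode_rom_protect(r) for r in regs]

def spi_write_protected(config):
    """True if at least one RomProtect range has write protection set."""
    return any(r["write_protect"] for r in rom_protect_ranges(config))

def check_live_system():
    """Read the real LPC bridge config space (root required) and evaluate it."""
    return spi_write_protected(LPC_CONFIG.read_bytes())

# Constructed config blob (not captured from hardware): range 0 has base
# 0xFF000000, write protect on, 64 KiB units; the other three ranges are unused.
CONSTRUCTED_CONFIG = bytearray(256)
struct.pack_into("<I", CONSTRUCTED_CONFIG, ROM_PROTECT_OFFSET,
                 0xFF000000 | WP_BIT | UNIT_BIT | 0xFF)

if __name__ == "__main__":
    for i, r in enumerate(rom_protect_ranges(CONSTRUCTED_CONFIG)):
        print(i, hex(r["base"]), r["write_protect"], r["read_protect"])
```

A clear RomProtect register set is consistent with the "SPI write protection: Disabled" result, but steps 3 to 5 (SPICntrl0, AltSPICS) are MMIO and stay unverified from a locked-down kernel, as the issue explains.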
SPI replay protection requires hardware and firmware support. SPI write protection requires firmware support.
opened 03:41PM - 15 Nov 22 UTC
closed 05:33PM - 15 Nov 22 UTC
bug
**Describe the bug**
AMD Rollback Protection and/or Firmware Replay Protection … show as disabled/not supported but the feature is enabled on the UEFI BIOS on an ASUS PRIME X670E-PRO WIFI AMD motherboard:



In this context the option on the UEFI BIOS set as disabled means the feature is actually enabled.
**Steps to Reproduce**
1. Check that "BIOS Image Rollback Support" is Disabled on the UEFI BIOS on an ASUS PRIME X670E-PRO WIFI AMD motherboard.
2. Open GNOME Settings
3. Then go to Device Security
4. "AMD Rollback Protection" on Level 1 security should say it's enabled but it doesn't and says it's disabled instead.
**Expected behavior**
AMD Rollback Protection and/or Firmware Replay Protection should show as enabled.
**fwupd version information**
fwupd-1.8.7-2.fc37.x86_64
```shell
fwupdmgr --version
```
runtime org.freedesktop.fwupd 1.8.7
runtime org.freedesktop.fwupd-efi 1.3
runtime com.dell.libsmbios 2.4
runtime com.hughsie.libjcat 0.1.12
compile com.hughsie.libjcat 0.1.12
runtime org.kernel 6.0.8-300.fc37.x86_64
compile org.freedesktop.gusb 0.4.1
compile org.freedesktop.fwupd 1.8.7
runtime org.freedesktop.gusb 0.4.2
Please note how you installed it (`apt`, `dnf`, `pacman`, source, etc):
It was already installed with Fedora 37.
<details>
<summary>**fwupd device information**</summary>
Please provide the output of the fwupd devices recognized in your system.
```shell
fwupdmgr get-devices --show-all-devices
```
</details>
**Additional questions**
- Operating system and version: Fedora 37
- Have you tried rebooting? Yes
- Is this a regression? I don't know
The BIOS setting in the ASUS BIOS does not enable AMD’s Secure Processor firmware anti-rollback (FAR); it is an ASUS-specific implementation.
A quick search of that FAR name showed:
AMD Ryzen™ PRO 5000 series mobile processors have a feature called “Firmware Anti-Rollback (FAR)”
Which implies it might not be possible on 4000-series (Lenovo reports 3 4000-series CPUs for the T14)
2 Likes
mpphill2
(Matthew Phillips)
March 5, 2025, 2:38am
10
I remember when I got into this a year or so ago, I was able to get some more check marks by enabling “Use OS defaults” or the like in my UEFI and then resetting the UEFI to default. Even still, as someone mentioned, I have a failure at every level, so I’m HSI-0. Whatevs, maybe when I get a new laptop, when this one dies, it will be better about it.
(Found the old thread on this)
======================
Report details
Date generated: 2023-11-08 00:46:01
fwupd version: 1.9.7
System details
Hardware model: ASUSTeK COMPUTER INC ASUSLaptop X509DA
Processor: AMD Ryzen 5 3500
OS: Fedora Linux 39 (Workstation Edition)
Security level: HSI:0! (v1.9.7)
HS…