Device Security: AMD Firmware Write Protection

I’ve been checking the Device Security Report on my Thinkpad L13 Yoga G3 AMD Ryzen 5 PRO 5675U running Tumbleweed 20231215 to find out which recommended security practices I’m not currently following. The report states that I’m failing one HSI-2 test:

HSI-2 Tests
  AMD Firmware Write Protection:                 ! Fail (Not Enabled)

I couldn’t really find anything online on what exactly AMD Firmware Write Protection does or how to enable it. Any hints?

@thusiden Hi and welcome to the Forum :smile:
I suspect you need to check your system BIOS settings since this is part of the hardware firmware update mechanism.

Set passwords in BIOS (user password, admin password).
Then you can restrict BIOS update.

Hi, thanks for your reply. Unfortunately there’s no option in the BIOS which strikes me immediately, I only have BIOS Rollback protection, which is enabled.

Hello, also thank you for your reply. Is restricting BIOS updates by setting passwords actually what is meant by AMD Firmware Write Protection?

You mention a “report” and show some terse output, but it’s unclear how that report is being executed (not shown, and there are no technical details).

Also, sometimes in a BIOS config, some options are not shown, because some other option is not enabled/etc. And some have an “expert settings” or “advanced settings” option, to show additional options. (my desktop BIOS does have an advanced section).

It might be advantageous to post this in a Thinkpad Yoga forum and / or an AMD Ryzen forum for more info and details :+1:

@myswtest it’s fwupdmgr security --force :wink:


Ah, I was only checking in the GUI. fwupdmgr security --force actually is a bit different from the GUI version:

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled
✘ Supported CPU:                 Invalid

HSI-2
✔ BIOS rollback protection:      Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ SPI write protection:          Disabled

HSI-3
✔ SPI replay protection:         Enabled
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ Encrypted RAM:                 Encrypted

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux kernel:                  Untainted
✘ Linux swap:                    Unencrypted

AMD Firmware Write Protection is apparently SPI write protection? I have enabled BIOS user/supervisor passwords and enabled password authentication for BIOS updates, but it didn’t change anything in the security report.
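To make the report easier to check, here is an added example (not from this thread and not fwupd's own code) that parses the `fwupdmgr security` text format shown above and derives the resulting HSI level from it. The cumulative-level rule and the trailing `!` runtime suffix are assumptions taken from the HSI specification, and the embedded sample is an abridged copy of the output quoted above.

```python
# Sample input: an abridged copy of the `fwupdmgr security --force` output
# quoted above, embedded inline so the script runs offline.
SAMPLE_REPORT = """\
HSI-1
✔ BIOS firmware updates:         Enabled
✘ Supported CPU:                 Invalid

HSI-2
✔ BIOS rollback protection:      Enabled
✘ SPI write protection:          Disabled

HSI-3
✔ SPI replay protection:         Enabled

HSI-4
✔ Encrypted RAM:                 Encrypted

Runtime Suffix -!
✔ Linux kernel lockdown:         Enabled
✘ Linux swap:                    Unencrypted
"""

def parse_report(text):
    """Map each section header to its (attribute, value, passed) triples; ✔ = pass, ✘ = fail."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith(("✔", "✘")):
            name, _, value = line[1:].partition(":")
            sections.setdefault(current, []).append(
                (name.strip(), value.strip(), line[0] == "✔"))
        elif line:
            current = line
    return sections

def effective_hsi(sections):
    """Assumed HSI rule: HSI:n needs every attribute of levels 1..n to pass; '!' marks a runtime failure."""
    level = 0
    for n in range(1, 5):
        tests = sections.get(f"HSI-{n}", [])
        if not tests or not all(ok for _, _, ok in tests):
            break  # first level with a failing attribute caps the score
        level = n
    runtime = [t for s, ts in sections.items() if s.startswith("Runtime") for t in ts]
    return f"HSI:{level}" + ("!" if any(not ok for _, _, ok in runtime) else "")

def failures(sections):
    """List (section, attribute, value) for every attribute marked ✘."""
    return [(s, n, v) for s, ts in sections.items() for n, v, ok in ts if not ok]
```

Running `effective_hsi(parse_report(SAMPLE_REPORT))` on the sample gives `HSI:0!`, because the HSI-1 "Supported CPU" attribute already fails and swap is unencrypted at runtime; `failures()` lists the SPI write protection entry among the three failures.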

That means this report is rather useless: anybody who can get access to the device can boot into the BIOS and change settings.
Also

SPI write protection:          Disabled
...
Linux swap:                    Unencrypted

Do you want security, or do you need good reports?