fwupdmgr security reports disabled SPI write protection

[lunarlattice0]

Describe the bug
fwdupmgr security reports that SPI write protection is disabled, when it should be enabled. Additionally, CET OS support is marked as "Not supported".

Steps to Reproduce
Run fwupdmgr security

Expected behavior
It is expected that SPI write protection is enabled.

fwupd version information

compile   com.hughsie.libxmlb           0.3.15
compile   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.4.8
runtime   com.hughsie.libjcat           0.2.1
runtime   org.freedesktop.gusb          0.4.8
runtime   org.freedesktop.fwupd         1.9.15
runtime   org.kernel                    6.7.9-200.fc39.x86_64

Please note how you installed it (apt, dnf, pacman, source, etc):
Fedora Silverblue Flatpak Repository

**fwupd device information**

Please provide the output of the fwupd devices recognized in your system.

│
├─Lenovo USB-C Mini Dock:
│ │   Device ID:          da77984c82b59c6fc69516431f467fd9a8d39a7f
│ │   Summary:            USB 3.x hub
│ │   Current version:    4.154
│ │   Vendor:             VIA Labs, Inc. (USB:0x17EF)
│ │   Install Duration:   15 seconds
│ │   GUIDs:              fd4b20d3-2612-5743-ad85-5c3065361c51
│ │                       f281c1df-c3d5-5f8a-984d-e9548ffc95fe ← USB\VID_17EF&PID_3094
│ │                       ce8b3f6c-9ddd-5d50-b3f8-e87e72d2aacc ← USB\VID_17EF&PID_3094&HUB_0012
│ │                       e62c5403-daa6-5482-9e9e-74666884ce43 ← USB\VID_17EF&PID_3094&SPI_C223
│ │                       75b11f2d-86b6-5ecc-912e-a2a649f334d5 ← USB\VID_17EF&PID_3094&SPI_C223&REV_04F4
│ │   Device Flags:       • Updatable
│ │                       • Cryptographic hash verification is available
│ │                       • Device stages updates
│ │                       • Device can recover flash failures
│ │                       • Unsigned Payload
│ │ 
│ ├─Lenovo USB-C Mini Dock:
│ │ │   Device ID:        983c3cffc6fd36d32b00b62928d30721eaeb93db
│ │ │   Summary:          USB 3.x hub
│ │ │   Current version:  4.154
│ │ │   Vendor:           VIA Labs, Inc. (USB:0x17EF)
│ │ │   Install Duration: 15 seconds
│ │ │   GUIDs:            fd4b20d3-2612-5743-ad85-5c3065361c51 ← USB\VID_17EF&PID_3095
│ │ │                     2b337b4f-fc17-520d-8d93-095a9bfd6ba8 ← USB\VID_17EF&PID_3095&HUB_32
│ │ │                     152db1ae-acd6-5b6d-aad2-178ec2af5199 ← USB\VID_17EF&PID_3095&SPI_C223
│ │ │                     8ce1ac09-39f9-51a5-9468-74433dfa575f ← USB\VID_17EF&PID_3095&SPI_C223&REV_04F4
│ │ │   Device Flags:     • Updatable
│ │ │                     • Cryptographic hash verification is available
│ │ │                     • Device stages updates
│ │ │                     • Device can recover flash failures
│ │ │                     • Unsigned Payload
│ │ │ 
│ │ ├─Lenovo USB-C Mini Dock:
│ │ │     Device ID:      d0950b8556ed65b4b8e8bfa3809fdb849005f298
│ │ │     Summary:        USB 3.x hub
│ │ │     Current version:4.93
│ │ │     Vendor:         VIA Labs, Inc. (USB:0x17EF)
│ │ │     Install Duration:15 seconds
│ │ │     GUIDs:          d636c717-44c4-5fcf-9d7f-b96f9c5f6608 ← USB\VID_17EF&PID_3097
│ │ │                     baad4a7c-54ab-5e9e-87e5-d01951331c47 ← USB\VID_17EF&PID_3097&HUB_20
│ │ │                     64e5798a-d055-5c45-a64e-9d8997785f6b ← USB\VID_17EF&PID_3097&SPI_C223
│ │ │                     8ecbf33f-a3a5-5125-af6c-473a51552ba1 ← USB\VID_17EF&PID_3097&SPI_C223&REV_0493
│ │ │     Device Flags:   • Updatable
│ │ │                     • Cryptographic hash verification is available
│ │ │                     • Device stages updates
│ │ │                     • Device can recover flash failures
│ │ │                     • Unsigned Payload
│ │ │   
│ │ └─Lenovo USB-C Mini Dock:
│ │   │   Device ID:      42f81e42b1e21ceb211b345766cfd39439cb242f
│ │   │   Summary:        USB 2.x hub
│ │   │   Current version:0.1
│ │   │   Vendor:         VIA Labs, Inc. (USB:0x17EF)
│ │   │   Install Duration:15 seconds
│ │   │   GUIDs:          e4938bb1-4d94-506d-b5c2-f246c5ab678f ← USB\VID_17EF&PID_3093
│ │   │                   5e51f122-8cfa-5f38-b44f-65aeb7a10cdb ← USB\VID_17EF&PID_3093&SPI_C223
│ │   │                   9e15c2bc-b293-55d7-827f-63e32c7edbfd ← USB\VID_17EF&PID_3093&SPI_C223&REV_0001
│ │   │   Device Flags:   • Updatable
│ │   │                   • Cryptographic hash verification is available
│ │   │                   • Device stages updates
│ │   │                   • Device can recover flash failures
│ │   │                   • Unsigned Payload
│ │   │ 
│ │   └─rtd21xx:
│ │         Device ID:    acdd770bff9e8a79a03cab054be4ad01faaec4e4
│ │         Current version:1.3
│ │         Vendor:       VIA Labs, Inc. (USB:0x17EF)
│ │         Install Duration:1 minute
│ │         GUID:         4850cd49-308e-588a-851b-e61e8069a8ae ← USB\VID_17EF&PID_3093&I2C_rtd21xx
│ │         Device Flags: • Updatable
│ │                       • Device stages updates
│ │       
│ └─vl103:
│       Device ID:        fe008de085345975906d64be2af7cc99f36724ca
│       Summary:          USB-C power delivery device
│       Current version:  138.4.25.38
│       Vendor:           VIA Labs, Inc. (USB:0x17EF)
│       Install Duration: 15 seconds
│       GUIDs:            3ae6610b-5c33-5714-96e3-05735eb9b2a5 ← USB\VID_17EF&PID_721C
│                         45c1e8ab-6e61-548e-ae06-5a35394e5c02 ← USB\VID_17EF&PID_721C&DEV_vl103
│                         316f754e-057b-57e9-b820-9020c44a04eb ← USB\VID_17EF&PID_721C&APP_26
│       Device Flags:     • Updatable
│                         • Cryptographic hash verification is available
│                         • Device can recover flash failures
│     
├─AMD Ryzen 5 PRO 5650U with Radeon Graphics:
│ │   Device ID:          4bde70ba4e39b28f9eab1628f9dd6e6244c03027
│ │   Current version:    0x0a50000d
│ │   Vendor:             Advanced Micro Devices, Inc.
│ │   GUIDs:              79759cdc-94db-5098-be7b-eb02521fbbec ← CPUID\PRO_0&FAM_19&MOD_50
│ │                       20b595b0-5892-5870-8e4c-688133ad6e34 ← CPUID\PRO_0&FAM_19&MOD_50&STP_0
│ │   Device Flags:       • Internal device
│ │ 
│ ├─Graphics Processing Unit (GPU):
│ │ │   Device ID:        310f45f1f223064b5c16bf6dff31146755a64480
│ │ │   Summary:          Cezanne Generic VBIOS
│ │ │   Current version:  017.010.000.031.000000
│ │ │   Vendor:           Advanced Micro Devices, Inc. [AMD/ATI] (PCI:0x1002)
│ │ │   GUID:             85ceb154-4376-5557-bdc1-46d9eac0f5f0 ← AMD\113-CEZANNE-021
│ │ │   Device Flags:     • Internal device
│ │ │ 
│ │ └─N140HCG-GQ2:
│ │       Device ID:      aec1a869eb0df71b7cea6b3ac71d39b830faf164
│ │       GUID:           448dbe25-c15c-562a-9329-0b27d235194f ← DRM\VEN_CMN&DEV_14F2
│ │       Device Flags:   • Internal device
│ │     
│ ├─Secure Processor:
│ │     Device ID:        c54ab0237d7a8db8c717b68e0be78e4374a2a079
│ │     Current version:  00.11.00.81
│ │     Bootloader Version:00.11.00.81
│ │     Vendor:           Advanced Micro Devices, Inc. (PCI:0x1022)
│ │     GUIDs:            0e8dc554-a0a2-51fb-b439-1eb72b14ec38 ← PCI\VEN_1022&DEV_15DF
│ │                       32bb3b55-393f-5c5b-a7ea-6232419a4436 ← PCI\VEN_1022&DEV_15DF&SUBSYS_17AA5095
│ │     Device Flags:     • Internal device
│ │   
│ └─System Management Unit (SMU):
│       Device ID:        db0330716216c629bb2c07256e5d018f499eb6ce
│       Summary:          Microcontroller used within CPU/APU program 0
│       Current version:  64.71.0
│       Vendor:           Advanced Micro Devices, Inc.
│       GUID:             165feb35-d368-5388-b2ab-c513021bf019 ← /sys/devices/platform/AMDI0005:00
│       Device Flags:     • Internal device
│     
├─GPIO controller:
│     Device ID:          f685512aa07369c9e77742acef941d779d31e766
│     GUID:               37b440a9-2473-5087-a39b-db84f32a8ed8 ← GPIO\ID_AMDI0030:00
│   
├─Integrated Camera:
│     Device ID:          301046452a49d84af6356d23e43a684b8f10660f
│     Current version:    58.18
│     Vendor:             Chicony Electronics Co.,Ltd. (USB:0x04F2)
│     Serial Number:      0001
│     GUID:               95b07a8e-2063-5025-80b5-1fcf4ca8e9e3 ← USB\VID_04F2&PID_B6CB
│     Device Flags:       • Updatable
│   
├─System Firmware:
│ │   Device ID:          349bb341230b1a86e5effe7dfe4337e1590227bd
│ │   Summary:            UEFI ESRT device
│ │   Current version:    0.1.28
│ │   Vendor:             Lenovo (DMI:LENOVO)
│ │   Update State:       Success
│ │   GUID:               66d47c53-a746-4495-a444-e6b26a04906d
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │   Device Requests:    • Message
│ │ 
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI revocation database
│       Current version:  220
│       Minimum Version:  220
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       GUIDs:            5971a208-da00-5fce-b5f5-1234342f9cf7 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649&ARCH_X64
│                         f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│                         • Only version upgrades are allowed
│                         • Signed Payload
│     
├─TPM:
│     Device ID:          c6a80ac3a22083423992a3cb15018989f37834d6
│     Current version:    7.2.2.0
│     Vendor:             Nuvoton Technology (TPM:NTC)
│     GUIDs:              fac1c8f3-73c8-5cd6-8330-07a3690b5140 ← TPM\VEN_NTC&DEV_0000
│                         e4a6bfd6-81ba-5d6a-bb28-84be07ee7a29 ← TPM\VEN_NTC&MOD_NPCT75x"!!4rls
│                         e9ccc1dc-960a-5e09-afe9-e59a904b776d ← TPM\VEN_NTC&DEV_0000&VER_2.0
│                         5a6b5ab6-c483-5eec-8a34-23a6d6d120bd ← TPM\VEN_NTC&MOD_NPCT75x"!!4rls&VER_2.0
│     Device Flags:       • Internal device
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device can recover flash failures
│                         • Full disk encryption secrets may be invalidated when updating
│                         • Signed Payload
│   
├─UEFI Device Firmware:
│     Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
│     Summary:            UEFI ESRT device
│     Current version:    22552
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               c57877cd-5f62-4d07-a449-06a15cbb1d8e
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
├─UEFI Device Firmware:
│     Device ID:          2292ae5236790b47884e37cf162dcf23bfcd1c60
│     Summary:            UEFI ESRT device
│     Current version:    252051731
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               88440680-8493-43d8-b1cb-51992223a226
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
├─UEFI Device Firmware:
│     Device ID:          f95c9218acd12697af946874bfe4239587209232
│     Summary:            UEFI ESRT device
│     Current version:    16777221
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               79716052-11cc-49c8-a36e-b23f3e6e5936
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
├─UEFI Device Firmware:
│     Device ID:          d96de5c124b60ed6241ebcb6bb2c839cb5580786
│     Summary:            UEFI ESRT device
│     Current version:    117572096
│     Minimum Version:    117572096
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               cba4dba6-7351-ba69-7d7c-994f0c84f98d
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
├─UEFI Device Firmware:
│     Device ID:          f37fb01122dd62c773f4e84ec89737e059712d59
│     Summary:            UEFI ESRT device
│     Current version:    65564
│     Minimum Version:    65564
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               4bea12df-56e3-4cdb-97dd-f133768c9051
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
├─UEFI Device Firmware:
│     Device ID:          36efb79c255f402f619fa9eb53cd659db51f2a04
│     Summary:            UEFI ESRT device
│     Current version:    0
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               3954e118-d997-4499-b917-d4c454e4b124
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
├─UEFI Platform Key:
│     Device ID:          6924110cde4fa051bfdc600a60620dc7aa9d3c6a
│     Summary:            Lenovo Ltd. PK CA 2012
│     Vendor:             Lenovo Ltd.
│     GUID:               71599d14-9b31-5270-b3bd-74c494585820 ← UEFI\CRT_9AEF2123F4DE7C19AFABD909BB2C8CAC4411E07E
│   
├─Unifying Receiver:
│     Device ID:          4caa6e59d5a867dbb4e8f699b39a875f63afc6ec
│     Summary:            Miniaturised USB wireless receiver
│     Current version:    RQR12.10_B0032
│     Bootloader Version: BOT01.02_B0014
│     Vendor:             Logitech, Inc. (HIDRAW:0x046D, USB:0x046D)
│     Install Duration:   30 seconds
│     GUIDs:              9d131a0c-a606-580f-8eda-80587250b8d6
│                         279ed287-3607-549e-bacc-f873bb9838c4 ← HIDRAW\VEN_046D&DEV_C52B
│     Device Flags:       • Updatable
│                         • Supported on remote server
│                         • Unsigned Payload
│   
└─WDC PC SN730 SDBQNTY-512G-1001:
      Device ID:          71b677ca0f1bc2c5b804fa1d59e52064ce589293
      Summary:            NVM Express solid state drive
      Current version:    11170101
      Vendor:             Sandisk Corp (NVME:0x15B7)
      Serial Number:      213758801583
      GUIDs:              fccbb6ea-e20e-58ad-bf8a-7fb7d43ff4c2 ← NVME\VEN_15B7&DEV_5006
                          12c86995-0b90-5ec5-98f3-7a6ed4ca50e0 ← NVME\VEN_15B7&DEV_5006&SUBSYS_15B75006
                          06b4e2aa-91af-508b-b06e-65e3b3189e97 ← WDC PC SN730 SDBQNTY-512G-1001
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Supported on remote server
                          • Needs a reboot after installation
                          • Device is usable for the duration of the update
    
────────────────────────────────────────────────
Devices that have been updated successfully:
 • System Firmware (0.1.27 → 0.1.28)
 • UEFI dbx (371 → 371)
Uploading firmware reports helps hardware vendors to quickly identify failing and successful updates on real devices.

Additional questions

• Operating system and version: Fedora Silverblue 39
• Have you tried rebooting? Yes, and I have tried resetting BIOS to defaults, and resetting secure boot keys to defaults.
• Is this a regression? Unsure if this is an issue with the laptop, or with fwupd.

[lunarlattice0]

fwupd security report:

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ BIOS rollback protection:      Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ SPI write protection:          Disabled

HSI-3
✔ SPI replay protection:         Enabled
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ Encrypted RAM:                 Encrypted
✔ SMAP:                          Enabled

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✘ CET OS Support:                Not supported

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

[hughsie]

What hardware is that? Both failures look legitimate to me..

[lunarlattice0]

What hardware is that? Both failures look legitimate to me..

It is a Thinkpad T14s Gen 2 (AMD), with model code 20XF004RUS.

[hughsie]

@lunarlettuce can you attach us the full sudo fwupdtool security -vv output please.

[lunarlattice0]

@hughsie
output.txt

[superm1]

20:48:54.761 FuPluginPciPsp ROM armor not enforced

Looks like fwupd isn't doing anything wrong. fwupd is a messenger for the kernel which is a messenger for what the hardware reports.

Looks to me that this particular security feature is not enabled.

[lunarlattice0]

Good to know, thanks for transferring