AMD Platform Secure Boot Not enabled!

Ubuntu Support Template

Ubuntu Version:
Example: 26.04 LTS

Desktop Environment (if applicable):
Example: GNOME 50

Problem Description:

On Ubuntu 25.10 I had HSI level 4, also on Fedora 43. Now I’ve installed (fresh install) Ubuntu 26.04 on my Lenovo Yoga 7 ARP8, and in the fwupdmgr security flags AMD Platform Secure Boot seems not enabled.
I have checked the BIOS settings: Secure Boot is enabled in standard mode and the AMD security platform is enabled. I’ve also checked this one:
[ 1.418984] ccp 0000:73:00.2: psp enabled
[ 12.627272] amdgpu 0000:73:00.0: detected ip block number 3 <psp_v13_0_0> (psp)
[ 12.666740] amdgpu 0000:73:00.0: [drm] Loading DMUB firmware via PSP: version=0x04000045
[ 12.690764] amdgpu 0000:73:00.0: reserve 0xa00000 from 0xf47e000000 for PSP TMR

Relevant System Information:
Lenovo Yoga 7 ARP8, AMD 7000 series and AMD Radeon, so a full AMD machine, no NVIDIA out-of-tree modules.

Screenshots or Error Messages:
Device Security Report

Report details
Date generated: 2026-04-24 10:12:41
fwupd version: 2.1.1

System details
Hardware model: LENOVO 82YM
Processor: AMD Ryzen 7 7735U with Radeon Graphics
OS: Ubuntu 26.04 LTS
Security level: HSI:1! (v2.1.1)

HSI-1 Tests
UEFI Bootservice Variables: Pass (Locked)
UEFI Platform Key: Pass (Valid)
TPM v2.0: Pass (Found)
System Management Mode: Pass (Locked)
UEFI Secure Boot: Pass (Enabled)
BIOS Firmware Updates: Pass (Enabled)
Fused Platform: Pass (Locked)
TPM Platform Configuration: Pass (Valid)

HSI-2 Tests
AMD Platform Secure Boot: ! Fail (Not Enabled)
AMD Firmware Write Protection: Pass (Enabled)
TPM Reconstruction: Pass (Valid)
IOMMU Protection: Pass (Enabled)
Platform Debugging: Pass (Locked)

HSI-3 Tests
Pre-boot DMA Protection: Pass (Enabled)
AMD Firmware Replay Protection: Pass (Enabled)
Suspend To RAM: Pass (Not Enabled)
Control-flow Enforcement Technology: Pass (Supported)
Suspend To Idle: Pass (Enabled)

HSI-4 Tests
Encrypted RAM: ! Fail (Not Supported)
Supervisor Mode Access Prevention: Pass (Enabled)
AMD Secure Processor Rollback Protection: ! Fail (Not Enabled)

Runtime Tests
UEFI db: Pass (Valid)
Linux Swap: ! Fail (Not Encrypted)
Firmware Updater Verification: Pass (Not Tainted)
Control-flow Enforcement Technology: Pass (Supported)
Linux Kernel Verification: Pass (Not Tainted)
Linux Kernel Lockdown: Pass (Enabled)

Thank you in advance.

Today I learned, there is a security report feature to fwupdmgr. :wink:

This looks like it is enabled. Is it possible that the criteria have changed?

The feature in question seems to be AMD Platform Secure Boot (not UEFI Secure Boot).

I missed that detail. But I don’t even have that with the DEB version in Ubuntu 24.04:

HSI-2
✔ BIOS rollback protection:      Enabled
✔ IOMMU:                         Enabled
✘ SPI write protection:          Unknown
✘ Platform debugging:            Unknown

which strengthens my belief that someone moved the goal posts. I’ve just checked with the snap version, which has that one. It’s a new test, and your system doesn’t pass it, @ggiova, so the buck stops at HSI-1:

BTW, fwupd is a snap now with 26.04.

Could be a new check from fwupd version 2.1.1. The fact is I have modern hardware (2024), and in my BIOS (firmware settings) I have enabled all the possible security options for that; in fact the AMD security protocol is enabled on my machine. So I really dunno where this test/option comes from…

PS: on Ubuntu 26.04 fwupd is still a deb package, not a snap.

Look closely, it’s a transitional package which installs the snap. As for the new test, it is in the new version of fwupd; doesn’t really matter where it came from.

Oh, I understand, sorry for the misunderstanding.
I can confirm it’s a new check from fwupd version 2.1.1:

The thing is I would know how to enable it :slight_smile:

But maybe you can’t because it isn’t there on your machine. Do you know any details as to which “platform” they mean? Maybe this is an Epyc/server thing?

Probably I can’t.
From what I’ve seen, AMD secure boot is something that manufacturers burn into (correct me if I’m wrong) the CPU, so there isn’t a toggle for that and it’s for enterprise-level machines.
It could be more appropriate for them to put “Unsupported” instead of the current “Not Enabled” if this is the case…

A quick search turned up this, which links to this. The latter looks like somebody must have read that and thought “we need a new HSI test!”

Well, if your machine isn’t properly secure (in the strictest Secure Boot context), even if you can’t change anything about it, wouldn’t you want to know? That’s what that test is for, after all.

From the article:
Lenovo

“Platform Secure Boot was introduced as a standard feature on all consumer Lenovo laptops in 2022, and laptops manufactured prior to this date were not designed with this feature in mind. Enabling it on devices now in the field would be likely to frustrate consumers if any unexpected issues arise.”
Mine was released in 2024 so mh I should search more deeply…

Yep, I agree, but saying “not enabled” means that there is a toggle to enable or disable it, which is not the case AFAIK.

Could be this.
I should revive my old SSD with Windows cuz my laptop sadly is not supported in the LVFS.
Thanks Peter!

I did manage to install FW upgrades by burning them to a USB thumb drive, setting UEFI to BIOS mode, and booting the thumb drive. You need the “CD” version for that, or whatever it’s called, not the Windows EXE one.

My Lenovo Thinkpad E495 also lacks LVFS support. And I refuse to boot Windows for such menial tasks. :wink:

Sadly Lenovo pushes only .exe files for my laptop :frowning:
My future laptop will totally be 100% Linux compatible.

Are you sure? Sometimes one just needs to dig a little?

Link please? Never mind. :face_exhaling:

1 Like

You were faster than me!
Sadly, when I bought this PC I wasn’t on Linux at all, so my bad.
Thanks btw for your help.

1 Like

On a more general note, circling back to the question of how much value to put on those tests, I cannot help but notice:

Suspend To RAM: Pass (Not Enabled)

How suspending to RAM is somehow a security hole remains the stuff of legend. Especially with soldered LPDDR RAM there is not a snowball’s chance in hell to recover any data from the modules. I’ve read that paper, which claimed they were able to read DDR3 RAM when doing some pretty crazy freezing, as in literally freezing the modules. Lots of moving parts, which only line up just so under pretty tight lab conditions.
Plus, by that logic even suspend to idle is just as vulnerable.

1 Like

As far as I know ‘Not enabled’ means your processor has this functionality but it is not in use. If a processor doesn’t support AMD PSB the message is probably skipped.


As far as I know this toggle is often not available for users. If the manufacturer has not enabled AMD Platform Secure Boot on your device and there is no switch, you probably cannot use it.


The source code fu-security-attr-common.c on line 634 provides a short description for AMD Platform Secure Boot. It reads “Platform Secure Boot prevents unsigned software from being loaded when the device starts.” As far as I know PSB should protect the UEFI BIOS from being altered, like UEFI Secure Boot protects the kernel/OS.

1 Like
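
Why a single failed HSI-2 test leaves the report at HSI:1, shown as an added example (not code from fwupd or from anyone in this thread). It parses the text layout of the Device Security Report quoted above, using a shortened excerpt of that report as input; the function names are hypothetical.

```python
import re

# Excerpt of the report quoted in the thread, shortened (not the full output).
REPORT = """\
HSI-1 Tests
UEFI Secure Boot: Pass (Enabled)
Fused Platform: Pass (Locked)

HSI-2 Tests
AMD Platform Secure Boot: ! Fail (Not Enabled)
IOMMU Protection: Pass (Enabled)

HSI-3 Tests
Pre-boot DMA Protection: Pass (Enabled)

HSI-4 Tests
Encrypted RAM: ! Fail (Not Supported)

Runtime Tests
Linux Swap: ! Fail (Not Encrypted)
"""

SECTION = re.compile(r"^(?:HSI-(\d)|Runtime) Tests$")
RESULT = re.compile(r"^(.+?):\s+(?:!\s+)?(Pass|Fail)\s+\((.*)\)$")

def parse_report(text):
    """Map each section (int HSI level or 'runtime') to [(test, passed), ...]."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            current = int(m.group(1)) if m.group(1) else "runtime"
            sections[current] = []
        elif current is not None and (r := RESULT.match(line)):
            sections[current].append((r.group(1), r.group(2) == "Pass"))
    return sections

def hsi_level(sections):
    """Highest N for which every test in levels 1..N passed."""
    level = 0
    while level + 1 in sections and all(ok for _, ok in sections[level + 1]):
        level += 1
    return level

def blockers(sections):
    """Failed tests in the first level that was not reached."""
    return [t for t, ok in sections.get(hsi_level(sections) + 1, []) if not ok]

def summary(text):
    """Return (HSI string, blocking tests); a trailing '!' marks a failed runtime test."""
    s = parse_report(text)
    bang = "!" if not all(ok for _, ok in s.get("runtime", [])) else ""
    return f"HSI:{hsi_level(s)}{bang}", blockers(s)
```

The HSI-3 pass does not count because levels are cumulative: the level stops at the first tier that contains a failure, and `blockers` names the tests to look at first.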