From 04efb0b0cbb02551797424056058631826fa367c Mon Sep 17 00:00:00 2001
From: Mario Limonciello
Date: Mon, 31 Jan 2022 17:21:14 -0600
Subject: [PATCH] Add a new HSI attribute for AMD rollback protection

This will be used by an upcoming AMD plugin
---
 docs/hsi.md | 20 ++++++++++++++++++++
 libfwupd/fwupd-security-attr-private.h | 9 +++++++++
 src/fu-security-attr.c | 4 ++++
 3 files changed, 33 insertions(+)

diff --git a/docs/hsi.md b/docs/hsi.md
index 653327a21..b62134b7c 100644
--- a/docs/hsi.md
+++ b/docs/hsi.md
@@ -639,6 +639,26 @@ To meet HSI-4 on systems that run this test, the result must be `enabled`. *[v1.
 - [Intel TME Press Release](https://software.intel.com/content/www/us/en/develop/blogs/intel-releases-new-technology-specification-for-memory-encryption.html)
 - [WikiChip SME Overview](https://en.wikichip.org/wiki/x86/sme)
+
+
+### [AMD Rollback protection](#org.fwupd.hsi.Amd.RollbackProtection)
+
+AMD SOCs include the ability to prevent a rollback attack by a rollback protection feature on the firmware. This feature prevents an attacker from loading an older
+firmware onto the part after a security vulnerability has been fixed.
+
+**Impact:** SOCs without this feature may be attacked by an attacker installing an older firmware that takes advantage of a well-known vulnerability.
+
+**Possible results:**
+
+- `enabled`: rollback protection enabled
+- `not-enabled`: rollback protection disabled
+
+To meet HSI-1 on AMD systems that run this test, the result must be `enabled`. *[v1.8.0]*
+
+**References:**
+
+- [Rollback protection](https://www.psacertified.org/blog/anti-rollback-explained/)
+
 ### [Supervisor Mode Access Prevention](#org.fwupd.hsi.IntelSmap)
diff --git a/libfwupd/fwupd-security-attr-private.h b/libfwupd/fwupd-security-attr-private.h
index de2855f92..62675bfdb 100644
--- a/libfwupd/fwupd-security-attr-private.h
+++ b/libfwupd/fwupd-security-attr-private.h
@@ -287,6 +287,15 @@ G_BEGIN_DECLS
 * Since: 1.8.0
 **/
 #define FWUPD_SECURITY_ATTR_ID_SUPPORTED_CPU "org.fwupd.hsi.SupportedCpu"
+/**
+ * FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION
+ *
+ * Host Security ID attribute for Rollback protection of AMD platform
+ * firmware
+ *
+ * Since: 1.8.0
+ **/
+#define FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION "org.fwupd.hsi.Amd.RollbackProtection"
 GVariant * fwupd_security_attr_to_variant(FwupdSecurityAttr *self);
diff --git a/src/fu-security-attr.c b/src/fu-security-attr.c
index eb8940ad4..f3a882a78 100644
--- a/src/fu-security-attr.c
+++ b/src/fu-security-attr.c
@@ -183,6 +183,10 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 /* TRANSLATORS: Title: if fwupd supports HSI on this chip */
 return g_strdup(_("Supported CPU"));
 }
+if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION) == 0) {
+/* TRANSLATORS: Title: if firmware enforces rollback protection */
+return g_strdup(_("Rollback protection"));
+}
 /* we should not get here */
 return g_strdup(fwupd_security_attr_get_name(attr));
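Review bot: The user-visible title added in the fu-security-attr.c hunk, `_("Rollback protection")`, drops the vendor qualifier that both the attribute ID `org.fwupd.hsi.Amd.RollbackProtection` and the new docs heading "AMD Rollback protection" carry, so the row shown to users will not match the documented section and becomes ambiguous as soon as a non-AMD rollback-protection attribute is added. If the other vendor-specific titles in this function carry their vendor prefix (they are outside the hunk, so I cannot confirm), the consistent choice is `return g_strdup(_("AMD rollback protection"));` with the hint kept in step, `/* TRANSLATORS: Title: if AMD firmware enforces rollback protection */`. The closing lines of fu_security_attr_get_name fall outside the hunk.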