diff --git a/docs/hsi.md b/docs/hsi.md
index b62134b7c..ba10ae0eb 100644
--- a/docs/hsi.md
+++ b/docs/hsi.md
@@ -661,6 +661,36 @@ To meet HSI-1 on AMD systems that run this test, the result must be `enabled`. *
+### [AMD SPI Write protections](#org.fwupd.hsi.Amd.SpiWriteProtection)
+
+SOCs may enforce control of the SPI bus to prevent writes other than by verified entities.
+
+**Impact:** SOCs without this feature may be attacked by an attacker modifying the SPI.
+
+**Possible results:**
+
+- `enabled`: spi protections enabled
+- `not-enabled`: spi protections disabled
+
+To meet HSI-2 on systems that run this test, the result must be `enabled`. *[v1.8.0]*
+
+
+
+### [AMD SPI Replay protections](#org.fwupd.hsi.Amd.SpiReplayProtection)
+
+SOCs may include support for replay-protected monotonic counters to prevent replay attacks.
+
+**Impact:** SOCs without this feature may be attacked by an attacker modifying the SPI.
+
+**Possible results:**
+
+- `enabled`: spi protections enabled
+- `not-enabled`: spi protections disabled
+
+To meet HSI-3 on systems that run this test, the result must be `enabled`. *[v1.8.0]*
+
+
+
### [Supervisor Mode Access Prevention](#org.fwupd.hsi.IntelSmap)
Without Supervisor Mode Access Prevention, the supervisor code usually has full read and write access to user-space memory mappings.
diff --git a/libfwupd/fwupd-security-attr-private.h b/libfwupd/fwupd-security-attr-private.h
index 62675bfdb..c352a202f 100644
--- a/libfwupd/fwupd-security-attr-private.h
+++ b/libfwupd/fwupd-security-attr-private.h
@@ -296,6 +296,22 @@ G_BEGIN_DECLS
* Since: 1.8.0
**/
#define FWUPD_SECURITY_ATTR_ID_AMD_ROLLBACK_PROTECTION "org.fwupd.hsi.Amd.RollbackProtection"
+/**
+ * FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION
+ *
+ * Host Security ID attribute for SPI Write protection
+ *
+ * Since: 1.8.0
+ **/
+#define FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION "org.fwupd.hsi.Amd.SpiWriteProtection"
+/**
+ * FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION
+ *
+ * Host Security ID attribute for SPI replay protection
+ *
+ * Since: 1.8.0
+ **/
+#define FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION "org.fwupd.hsi.Amd.SpiReplayProtection"
GVariant *
fwupd_security_attr_to_variant(FwupdSecurityAttr *self);
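Review bot: The two new doc comments do not say that the attributes are AMD-specific, although both macro names and both ID strings sit under `Amd.`. Someone reading only the API documentation would take them for vendor-neutral SPI checks. I would write `Host Security ID attribute for AMD SPI write protection` and `Host Security ID attribute for AMD SPI replay protection (replay-protected monotonic counters)`; the second wording follows the description in the docs/hsi.md hunk. That also removes the stray capital in "Write", so the two comments read the same way.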
diff --git a/src/fu-security-attr.c b/src/fu-security-attr.c
index f3a882a78..3dd30e74c 100644
--- a/src/fu-security-attr.c
+++ b/src/fu-security-attr.c
@@ -187,6 +187,14 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: if firmware enforces rollback protection */
return g_strdup(_("Rollback protection"));
}
+ if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_REPLAY_PROTECTION) == 0) {
+ /* TRANSLATORS: Title: if hardware enforces control of SPI replays */
+ return g_strdup(_("SPI replay protection"));
+ }
+ if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_AMD_SPI_WRITE_PROTECTION) == 0) {
+ /* TRANSLATORS: Title: if hardware enforces control of SPI writes */
+ return g_strdup(_("SPI write protection"));
+ }
/* we should not get here */
return g_strdup(fwupd_security_attr_get_name(attr));
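Review bot: The translator comment on the replay branch, `if hardware enforces control of SPI replays`, gives translators little to work with, since "SPI replays" is not a term the rest of the change uses. The docs hunk describes the feature as replay-protected monotonic counters that prevent replay attacks, so I would write `/* TRANSLATORS: Title: if hardware uses monotonic counters to prevent SPI replay attacks */`. The two new branches are also ordered replay-then-write, while the header and docs/hsi.md list write first; matching that order would make the three places easier to cross-check. fu_security_attr_get_name starts outside this hunk, so how the earlier branches are ordered is not visible here.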