HSI level dropped to HSI-1 after 3.05 BIOS update?

Greetings,

I’m on a FW13 AMD Ryzen AI 9 HX 370 running Fedora 43. Current kernel is 3.17.10.

Just happened to notice a change to the HSI level recently, dropped from 3 down to 1. I keep Fedora up to date; the only other change recently was the 3.05 BIOS update. Before the update, I was always showing HSI-3.

Host Security ID: HSI:1 (v2.0.18)

HSI-1
✔ SMM locked down:               Locked
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ SPI write protection:          Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid
✘ UEFI memory protection:        Disabled

HSI-3
✔ SPI replay protection:         Enabled
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ CET OS Support:                Supported
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✔ UEFI db:                       Valid

The only value that is now newly red/disabled is the UEFI memory protection under HSI-2. Not sure if this was expected behavior or not. I’m not terribly concerned about it, just happened to notice the change which is what caught my attention.

Any thoughts on if this is expected or a bug?

HSI isn’t valid, the pro-TPM2.0 and anti-suspend-to-ram stance is a red flag. So take the HSI value with a grain of salt.

Why so? Can you please explain?

I really disagree with you on TPM and suspend to RAM being a red flag.
TPM being a standardized way to store encrypted keys offline and suspend to RAM being an ancient thing of the past destined to die in the age of fast-booting SSDs and S0ix power states (a.k.a. Modern Standby).

I’m just saying that HSI is not a standard and shouldn’t be taken seriously.

The TPM2.0 requirement for Windows 11 installation shouldn’t spill over to Linux users, saying the lack of TPM is “insecure”.

Regardless of the opinion of whether S0ix or S3 are better, it has nothing to do with “security”, and I don’t like using security as an excuse to change consumer behavior. Also even in 2024 and 2025, mainboards that still support S3 are still more efficient in S3 than S0ix, spending less % per hour of suspend.

Getting back to the technical question, any ideas why the 3.05 BIOS update altered the HSI-2 state?

You should probably ask @Quin_Chou.
If they don’t know, then you should submit a bug report.
Maybe cross-reference this issue in Laptop 13 (Ryzen AI 300) latest UEFI/BIOS version thread. The chance they reply there is higher.

It is interesting. The list of HSI things is different when tested on Linux.
One of the X items is not even listed, so maybe it is not tested for, so that is why it is missed.

Are you testing on AMD as well? HSI list on Intel platforms is slightly different.

This is the test I do on an Ubuntu 24.04 system. It has secure boot and TPM disabled, so that accounts for many of the crosses. But you can see the list of things is different.
It is for a FW16 AMD 7840HS CPU on BIOS 03.05.
It does not list “UEFI memory protection”, that is under your HSI-2.

Device Security Report
======================

Report details
  Date generated:                                  2025-12-04 17:46:20
  fwupd version:                                   1.9.31

System details
  Hardware model:                                  Framework Laptop 16 (AMD Ryzen 7040 Series)
  Processor:                                       AMD Ryzen 7 7840HS w/ Radeon 780M Graphics
  OS:                                              Ubuntu 24.04.3 LTS
  Security level:                                  HSI:0! (v1.9.31)

HSI-1 Tests
  UEFI Platform Key:                               Pass (Valid)
  UEFI Bootservice Variables:                      Pass (Locked)
  TPM v2.0:                                      ! Fail (Not Found)
  BIOS Firmware Updates:                           Pass (Enabled)
  Fused Platform:                                  Pass (Locked)
  UEFI Secure Boot:                              ! Fail (Not Enabled)

HSI-2 Tests
  AMD Firmware Write Protection:                   Pass (Enabled)
  IOMMU Protection:                                Pass (Enabled)
  Platform Debugging:                              Pass (Locked)

HSI-3 Tests
  Suspend To RAM:                                  Pass (Not Enabled)
  Pre-boot DMA Protection:                         Pass (Enabled)
  AMD Firmware Replay Protection:                  Pass (Enabled)
  Control-flow Enforcement Technology:             Pass (Supported)
  Suspend To Idle:                                 Pass (Enabled)

HSI-4 Tests
  Encrypted RAM:                                 ! Fail (Not Supported)
  Supervisor Mode Access Prevention:               Pass (Enabled)
  AMD Secure Processor Rollback Protection:      ! Fail (Not Enabled)

Runtime Tests
  Linux Kernel Verification:                     ! Fail (Tainted)
  Firmware Updater Verification:                   Pass (Not Tainted)
  Linux Swap:                                      Pass (Not Enabled)
  Linux Kernel Lockdown:                         ! Fail (Not Enabled)
  Control-flow Enforcement Technology:             Pass (Supported)

Host security events
  2025-10-02 18:08:28   TPM v2.0                   ! Fail (Found → Not Found)
  2025-10-01 20:16:01   Linux Swap                   Pass (Not Valid → Not Enabled)
  2025-09-27 14:11:21   Linux Swap                 ! Fail (Not Enabled → Not Valid)
  2025-09-26 16:45:03   Linux Swap                   Pass (Not Valid → Not Enabled)
  2025-09-22 12:54:03   Linux Swap                 ! Fail (Not Enabled → Not Valid)
  2025-09-20 19:30:26   Linux Swap                   Pass (Not Valid → Not Enabled)
  2025-05-23 13:18:44   Linux Swap                 ! Fail (Not Enabled → Not Valid)
  2025-05-22 18:55:40   TPM Reconstruction           Pass (Not Found → Valid)

For information on the contents of this report, see https://fwupd.github.io/hsi.html

I’m on Fedora 43 with the latest BIOS 3.05 installed and I get HSI 3:

Host Security ID: HSI:3! (v2.0.18)

HSI-1
✔ SMM locked down:               Locked
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid

HSI-2
✔ SPI write protection:          Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid

HSI-3
✔ SPI replay protection:         Enabled
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ CET OS Support:                Supported
✔ fwupd plug-ins:                Untainted
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✔ UEFI db:                       Valid
✘ Linux kernel lockdown:         Disabled
✘ UEFI secure boot:              Disabled
> sudo framework_tool --versions
Mainboard Hardware
  Type:           Laptop 13 (AMD Ryzen AI 300 Series)
  Revision:       MassProduction
UEFI BIOS
  Version:        03.05
  Release Date:   10/30/2025
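
Added example, not part of any post in this thread: a small Python parser for the `fwupdmgr security` text format shown above that recomputes the HSI number and lists which checks newly fail between two reports. The two embedded reports are trimmed excerpts of the first and last reports in the thread; the function names are hypothetical, and the level rule (highest level with no failed check at or below it) is a simplified assumption that matches the three reports posted here.

```python
import re

# Trimmed excerpts of two `fwupdmgr security` reports posted in this thread.
OP_REPORT = """\
HSI-1
✔ TPM v2.0:                      Found
HSI-2
✔ IOMMU:                         Enabled
✘ UEFI memory protection:        Disabled
HSI-3
✔ Pre-boot DMA protection:       Enabled
HSI-4
✘ Encrypted RAM:                 Not supported"""
OTHER_REPORT = """\
HSI-1
✔ TPM v2.0:                      Found
HSI-2
✔ IOMMU:                         Enabled
HSI-3
✔ Pre-boot DMA protection:       Enabled
HSI-4
✘ Encrypted RAM:                 Not supported"""
CHECK = re.compile(r"^\s*([✔✘])\s+(.+?):\s+(.+?)\s*$")
SECTION = re.compile(r"^\s*(?:HSI-(\d)|Runtime Suffix.*)\s*$")

def parse_report(text):
    # Map check name -> (level, passed, result); level 0 is the runtime section.
    checks, level = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            level = int(m.group(1) or 0)
        elif (m := CHECK.match(line)) and level is not None:
            checks[m.group(2)] = (level, m.group(1) == "✔", m.group(3))
    return checks

def hsi_level(checks):
    # Simplified rule (assumption): highest N with no failed check in levels 1..N.
    reached = 0
    for n in range(1, 5):
        passed = [ok for lvl, ok, _ in checks.values() if lvl == n]
        if not all(passed):
            break
        reached = n if passed else reached
    return reached

def new_failures(baseline, current):
    # Checks failing in `current` that passed, or were not listed, in `baseline`.
    return sorted(name for name, (_, ok, _r) in current.items()
                  if not ok and baseline.get(name, (0, True, ""))[1])
```

Saving the full output of `fwupdmgr security` before and after a firmware update and passing both texts through `parse_report` and `new_failures` shows exactly which check moved the level.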