diff --git a/src/soc/amd/common/block/psp/psp.c b/src/soc/amd/common/block/psp/psp.c
index 6368e028c5..b8e908a928 100644
--- a/src/soc/amd/common/block/psp/psp.c
+++ b/src/soc/amd/common/block/psp/psp.c
@@ -112,6 +112,9 @@ bool psp_get_hsti_state_rom_armor_enforced(void)
 {
 	uint32_t hsti_state;
 
+	if (!CONFIG(SOC_AMD_COMMON_BLOCK_PSP_ROM_ARMOR3))
+		return false;
+
 	static bool enforced;
 	if (enforced)
 		return true; /* ROM Armor already enforced, no need to check again */
diff --git a/src/soc/amd/common/block/spi/Kconfig b/src/soc/amd/common/block/spi/Kconfig
index 085c02a2f6..10e88a98bb 100644
--- a/src/soc/amd/common/block/spi/Kconfig
+++ b/src/soc/amd/common/block/spi/Kconfig
@@ -132,3 +132,41 @@ config TPM_SPI_SPEED
 	    3: 16.66MHz
 	    4: 100MHz
 	    5: 800KHz
+
+config SOC_AMD_COMMON_BLOCK_PSP_ROM_ARMOR3
+	bool "Enable ROM Armor 3"
+	select BOOT_DEVICE_NOT_SPI_FLASH
+	select BOOT_DEVICE_MEMORY_MAPPED
+	select BOOT_DEVICE_SUPPORTS_WRITES
+	select SPI_FLASH
+	select SPI_FLASH_SMM
+	depends on HAVE_SMI_HANDLER
+	depends on SOC_AMD_COMMON_BLOCK_PSP
+	depends on SOC_AMD_COMMON_BLOCK_SPI
+	depends on !SOC_AMD_COMMON_BLOCK_PSP_SMI
+	help
+	  Select this option to use PSP ROM Armor3 protocol for SPI flash
+	  operations. This routes SPI read/write/erase operations through
+	  the SMM PSP firmware mailbox interface instead of direct FCH SPI
+	  controller access. After MPinit the SPI will become read only from
+	  x86 perspective and the SPI Ctrl interface will be deactived.
+
+	  You will be only able to write SPI regions that are marked 'writable' or
+	  are whitelisted by BIOS directory entries 0x6d (AMD_BIOS_NV_ST). To gain
+	  direct access to the SPI flash, you must issue a reboot.
+
+	  WARNING: Since the flash access in the SMI handler is a blocking
+	  operation during which all cores stay in SMM, an erase operation may
+	  lock up the system for a long enough time to be noticeable. Reads and
+	  writes with small data sizes are less problematic. This is AMD
+	  specific design and should be enabled when you don't want to service
+	  PSP SMI requests (see CONFIG_SOC_AMD_COMMON_BLOCK_PSP_SMI).
+
+config SOC_AMD_PSP_ROM_ARMOR_64K_ERASE
+	bool
+	depends on SOC_AMD_COMMON_BLOCK_PSP_ROM_ARMOR3
+	default n
+	help
+	  Enable 64KB erase block size support in addition to 4KB blocks.
+	  This can improve erase performance when erasing large regions.
+	  The PSP firmware must support 64KB erase commands for this to work.
diff --git a/src/soc/amd/common/block/spi/fch_spi_ctrl.c b/src/soc/amd/common/block/spi/fch_spi_ctrl.c
index 114c733244..79010a60c9 100644
--- a/src/soc/amd/common/block/spi/fch_spi_ctrl.c
+++ b/src/soc/amd/common/block/spi/fch_spi_ctrl.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 
 #include <amdblocks/lpc.h>
+#include <amdblocks/psp.h>
 #include <amdblocks/smi.h>
 #include <amdblocks/spi.h>
 #include <console/console.h>
@@ -342,6 +343,11 @@ static int spi_ctrlr_claim_bus(const struct spi_slave *slave)
 {
 	uint8_t reg8;
 
+	if (psp_get_hsti_state_rom_armor_enforced()) {
+		printk(BIOS_ERR, "PSP ROM Armor is enforced, cannot access SPI flash directly\n");
+		return -1;
+	}
+
 	if (CONFIG(SOC_AMD_COMMON_BLOCK_PSP_SMI)) {
 		if (ENV_RAMSTAGE || ENV_SMM) {
 			reg8 = spi_read8(SPI_MISC_CNTRL);