<html><head></head><body><div style="color:#000; background-color:#fff; font-family:標楷體, dfkai-sb;font-size:16px"><div id="yui_3_16_0_ym19_1_1498956035096_8145" dir="ltr">I don't have a computer with BIOS Guard, but doesn't that move flash writes to BIOS_ACM instead of SMM?</div><div id="yui_3_16_0_ym19_1_1498956035096_8145" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1498956035096_8145" dir="ltr">Melvin</div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: 標楷體, dfkai-sb; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot &lt;coreboot@coreboot.org&gt; wrote:<br></font></div>  <br><br> <div class="y_msg_container"><div dir="ltr">Hello ron,<br clear="none"><br clear="none">Friday, June 30, 2017, 6:25:06 AM, you wrote:<br clear="none"><br clear="none">rm> there's something I am certain I don't understand about SMM on Intel chipsets.<br clear="none">rm> The question is pretty simple. Consider a system with a recent<br clear="none">rm> Intel chipset and flash. Is there some special secret sauce that<br clear="none">rm> disables writing to flash unless in SMM and if so, what is it?<br clear="none"><br clear="none">Originally there were two bits in BIOS_CNTL used to effectively enable this[1]:<br clear="none"><br clear="none">> When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by<br clear="none">> setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System<br clear="none">> Management Interrupt (SMI). 
It is the job of this SMI to determine<br clear="none">> whether or not it is permissible to write enable to the BIOS, and if<br clear="none">> not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being<br clear="none">> that the BIOS is not writable.<br clear="none"><br clear="none">As described in the link, this logic is vulnerable to race conditions,<br clear="none">so Intel added yet another bit:<br clear="none"><br clear="none">> This issue is mitigated by setting the SMM_BWP bit in the BIOS<br clear="none">> Control Register along with setting BIOS Lock Enable (BLE) and<br clear="none">> clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the<br clear="none">> processor to be in SMM in order to honor writes to the BIOS region<br clear="none">> of SPI flash, thereby mitigating the issue.<br clear="none"><br clear="none">So in theory all recent BIOSes should set SMM_BWP. Whether they<br clear="none">actually do it can be checked with Chipsec[4].<br clear="none"><br clear="none">For more background see [2] and [3]<br clear="none"><br clear="none">[1] <a shape="rect" href="https://www.kb.cert.org/vuls/id/766164" target="_blank">https://www.kb.cert.org/vuls/id/766164</a><br clear="none"><br clear="none">[2] <a shape="rect" href="http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SPI%20Flash%20Protection%20Mechanisms.pdf" target="_blank">http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SPI%20Flash%20Protection%20Mechanisms.pdf</a><br clear="none"><br clear="none">[3] <a shape="rect" href="http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf" target="_blank">http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf</a><br clear="none"><br clear="none">[4] <a shape="rect" href="https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_wp.py" 
target="_blank">https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_wp.py</a><br clear="none">-- <br clear="none">WBR,<br clear="none"> Igor                            mailto:<a shape="rect" ymailto="mailto:roxfan@skynet.be" href="mailto:roxfan@skynet.be">roxfan@skynet.be</a><div class="yqt6731198282" id="yqtfd18954"></div></div><br><br></div>  </div> </div>  </div></div></body></html>