Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/37392 )
Change subject: cpu/x86/smm/smm_stub: Add x86_64 support
Patch Set 4:
Patch Set 4: Code-Review-1
(1 comment)
For security reasons, the page tables used in SMM must be located in SMRAM.
Please explain your threat model and why it is a security issue if the page tables are not in SMRAM.
I imagine it is because the SMM page tables can then be accessed from outside SMM, which could be exploited to escalate privileges to SMM. Which would not be fun.
As page tables currently reside in ROM, it's as secure as the remaining firmware code. If someone is able to change that, they already have full control over the system on next reboot, so caring about a firmware substate here is futile.
I'll add that to the documentation as TODO, but it's not worth touching the SMM relocation code for a PoC that only runs on emulated hardware.