Nico Huber has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/33116 )
Change subject: Kconfig: Make stage cache kconfig selection proper
......................................................................
Patch Set 27:
(1 comment)
https://review.coreboot.org/c/coreboot/+/33116/21/src/cpu/intel/smm/gen1/smm...
File src/cpu/intel/smm/gen1/smmrelocate.c:
PS21, Line 124: if (CONFIG(USE_EXTERNAL_STAGE_CACHE)) {
- We may want to deprecate CBMEM as stage cache as a security measure. From what I know CBMEM is mutable from OS (gaining root privileges on /dev/mem might be enough in some cases?)
Um, what? I don't think all platforms have TSEG. That's a first. If you are
concerned about security, I'd rather check the cache contents cryptographically.
TSEG seems much more like a best-effort solution than secure.
We'll never know if there is not a weird combination of mapping options
somewhere in these chips that is exploitable.
--
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I45e894ad335a4661cc7916b3768e1614a038b31c
Gerrit-Change-Number: 33116
Gerrit-PatchSet: 27
Gerrit-Owner: Subrata Banik <subrata.banik@intel.com>
Gerrit-Reviewer: Aaron Durbin <adurbin@chromium.org>
Gerrit-Reviewer: Arthur Heymans <arthur@aheymans.xyz>
Gerrit-Reviewer: Damien Zammit
Gerrit-Reviewer: Furquan Shaikh <furquan@google.com>
Gerrit-Reviewer: Huang Jin <huang.jin@intel.com>
Gerrit-Reviewer: Julius Werner <jwerner@chromium.org>
Gerrit-Reviewer: Kyösti Mälkki <kyosti.malkki@gmail.com>
Gerrit-Reviewer: Martin Roth <martinroth@google.com>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: Patrick Rudolph <siro@das-labor.org>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Reviewer: Subrata Banik <subrata.banik@intel.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-Reviewer: ron minnich <rminnich@gmail.com>
Gerrit-CC: Paul Menzel <paulepanter@users.sourceforge.net>
Gerrit-Comment-Date: Thu, 01 Aug 2019 19:25:20 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Kyösti Mälkki <kyosti.malkki@gmail.com>
Comment-In-Reply-To: Subrata Banik <subrata.banik@intel.com>
Comment-In-Reply-To: Furquan Shaikh <furquan@google.com>
Gerrit-MessageType: comment
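
A small model of the cryptographic check suggested in the comment above, added here as an illustration; it is not coreboot code and not part of the original message. It assumes the digest can be kept somewhere the OS cannot modify, which the thread does not specify, and the names `StageCache`, `resume_stage` and the sample image are hypothetical and constructed.

```python
import hashlib
import hmac


class StageCache:
    """Model of a stage cache kept in OS-writable memory (CBMEM-like)."""

    def __init__(self):
        self.mutable = {}    # stage name -> bytearray; the OS can write here
        self.protected = {}  # stage name -> digest; ASSUMED not OS-writable

    def add(self, name, image):
        # Normal boot path: cache the stage and record its SHA-256 digest.
        self.mutable[name] = bytearray(image)
        self.protected[name] = hashlib.sha256(image).digest()

    def load(self, name):
        # Resume path: hand back the cached stage only if the digest matches.
        cached = self.mutable.get(name)
        expected = self.protected.get(name)
        if cached is None or expected is None:
            return None
        actual = hashlib.sha256(bytes(cached)).digest()
        if not hmac.compare_digest(actual, expected):
            return None
        return bytes(cached)


def resume_stage(cache, name, reload_from_flash):
    """Prefer the verified cache; otherwise reload the stage from flash."""
    image = cache.load(name)
    if image is not None:
        return image, "cache"
    return reload_from_flash(name), "flash"


def demo():
    # Constructed sample image standing in for a cached ramstage.
    flash = {"ramstage": b"\x7fELF constructed ramstage image"}
    cache = StageCache()
    cache.add("ramstage", flash["ramstage"])
    clean = resume_stage(cache, "ramstage", flash.__getitem__)
    # Simulate the cache being modified from the OS side before resume.
    cache.mutable["ramstage"][4:8] = b"\x00\x00\x00\x00"
    tampered = resume_stage(cache, "ramstage", flash.__getitem__)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the storage holding the digest: if that is writable from the OS as well, the comparison proves nothing.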