Attention is currently required from: Arthur Heymans, Robert Zieba, Martin Roth, Karthik Ramasubramanian, Felix Held.
Nico Huber has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/67931 )
Change subject: cpu/x86/smm: Add PCI BAR store functionality
......................................................................
Patch Set 5:
(1 comment)
Commit Message:
https://review.coreboot.org/c/coreboot/+/67931/comment/74e6febd_98d341f3
PS2, Line 9: In certain cases data within protected memory areas like SMRAM could
: be leaked or modified if an attacker remaps PCI BARs to point within
: that area.
I thought the hardware makes sure that you cannot put BARs where memory resides.
You can, but the device will most likely not work.
One attack vector is not so much about what the hardware does with a
wrong BAR setting, but what the software (SMI handler) does. Imagine
the BAR (register) as a scratch pad; it doesn't matter if the device
can work with the value in there. Then, if the SMI handler would read
that register (as an address) to access the device, it might
accidentally access protected memory instead.
Another way to see it: the register can be used to pass a pointer into
the SMI handler. It shouldn't trust that pointer.
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I23fb1e935dd1b89f1cc5c834cc2025f0fe5fda37
Gerrit-Change-Number: 67931
Gerrit-PatchSet: 5
Gerrit-Owner: Robert Zieba
robertzieba@google.com
Gerrit-Reviewer: Arthur Heymans
arthur.heymans@9elements.com
Gerrit-Reviewer: Felix Held
felix-coreboot@felixheld.de
Gerrit-Reviewer: Karthik Ramasubramanian
kramasub@google.com
Gerrit-Reviewer: Martin Roth
martin.roth@amd.corp-partner.google.com
Gerrit-Reviewer: build bot (Jenkins)
no-reply@coreboot.org
Gerrit-CC: Angel Pons
th3fanbus@gmail.com
Gerrit-CC: Arthur Heymans
arthur@aheymans.xyz
Gerrit-CC: Nico Huber
nico.h@gmx.de
Gerrit-CC: Raul Rangel
rrangel@chromium.org
Gerrit-Attention: Arthur Heymans
arthur.heymans@9elements.com
Gerrit-Attention: Robert Zieba
robertzieba@google.com
Gerrit-Attention: Arthur Heymans
arthur@aheymans.xyz
Gerrit-Attention: Martin Roth
martin.roth@amd.corp-partner.google.com
Gerrit-Attention: Karthik Ramasubramanian
kramasub@google.com
Gerrit-Attention: Felix Held
felix-coreboot@felixheld.de
Gerrit-Comment-Date: Tue, 25 Oct 2022 16:56:31 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Arthur Heymans
arthur@aheymans.xyz
Comment-In-Reply-To: Martin Roth
martin.roth@amd.corp-partner.google.com
Gerrit-MessageType: comment
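The point made in the comment above (a BAR is an untrusted pointer handed to the SMI handler), as an added C example that is not part of the original message or of the coreboot change. The SMRAM window, the simulated register and all function names are hypothetical, and refusing access when the BAR has moved since boot is this example's policy, not necessarily the patch's.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed SMRAM window; real bounds come from the platform. */
#define SMRAM_BASE 0x7f000000u
#define SMRAM_SIZE 0x00800000u

/* Simulated 32-bit memory BAR: the OS can rewrite it at any time. */
static uint32_t sim_bar0;

/* Hypothetical record captured while only firmware is running. */
struct bar_record { uint32_t base; uint32_t size; bool valid; };
static struct bar_record stored_bar0;

/* True if [base, base + size) touches SMRAM; an empty range is unsafe. */
static bool range_overlaps_smram(uint32_t base, uint32_t size)
{
	uint64_t end = (uint64_t)base + size; /* 64-bit, so no wraparound */

	if (size == 0)
		return true;
	return base < (uint64_t)SMRAM_BASE + SMRAM_SIZE && end > SMRAM_BASE;
}

/* Mask the low flag bits of a memory BAR to get the base address. */
static uint32_t read_bar0(void) { return sim_bar0 & ~0xfu; }

/* Boot time: remember where the device's MMIO window legitimately is. */
static void store_bar0(uint32_t size)
{
	uint32_t base = read_bar0();

	stored_bar0.base = base;
	stored_bar0.size = size;
	stored_bar0.valid = !range_overlaps_smram(base, size);
}

/* SMI time: return an MMIO base that is safe to dereference, or 0. */
static uint32_t smi_get_mmio_base(void)
{
	uint32_t live = read_bar0();

	if (!stored_bar0.valid || live != stored_bar0.base)
		return 0; /* BAR changed since boot: do not follow it */
	if (range_overlaps_smram(live, stored_bar0.size))
		return 0; /* would read or write protected memory */
	return live;
}
```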