Arthur Heymans has submitted this change. ( https://review.coreboot.org/c/coreboot/+/80703?usp=email )

Change subject: cpu/x86/smm: Pass full SMRAM region info to SMM runtime ......................................................................

cpu/x86/smm: Pass full SMRAM region info to SMM runtime

This data is used by smm_region_overlaps_handler(). Callers use this helper to determine if it's safe to read/write to memory buffers taken from untrusted input.

coreboot SMI handlers must not be confused into writing over any SMRAM subregion, which includes the TSEG_STAGE_CACHE and chipset-specific area (sometimes, IED), not just the handlers.

If stage cache writes were permitted, this could compromise the integrity of the S3 resume path.

The consequences to overwriting the chipset-specific area are undefined.

Change-Id: Ibd9ed34fcfd77a4236b5cf122747a6718ce9c91f Signed-off-by: Benjamin Doron benjamin.doron@9elements.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/80703 Reviewed-by: Shuo Liu shuo.liu@intel.com Reviewed-by: Patrick Rudolph patrick.rudolph@9elements.com Reviewed-by: Jérémy Compostella jeremy.compostella@intel.com Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Arthur Heymans arthur@aheymans.xyz --- M src/cpu/x86/smm/smm_module_loader.c 1 file changed, 8 insertions(+), 5 deletions(-)

Approvals: build bot (Jenkins): Verified Patrick Rudolph: Looks good to me, approved Arthur Heymans: Looks good to me, approved Shuo Liu: Looks good to me, approved Jérémy Compostella: Looks good to me, but someone else must approve

diff --git a/src/cpu/x86/smm/smm_module_loader.c b/src/cpu/x86/smm/smm_module_loader.c index e342557..17ef92e 100644 --- a/src/cpu/x86/smm/smm_module_loader.c +++ b/src/cpu/x86/smm/smm_module_loader.c @@ -320,12 +320,15 @@ }

static void setup_smihandler_params(struct smm_runtime *mod_params, - uintptr_t smram_base, - uintptr_t smram_size, struct smm_loader_params *loader_params) { - mod_params->smbase = smram_base; - mod_params->smm_size = smram_size; + uintptr_t tseg_base; + size_t tseg_size; + + smm_region(&tseg_base, &tseg_size); + + mod_params->smbase = tseg_base; + mod_params->smm_size = tseg_size; mod_params->save_state_size = loader_params->cpu_save_state_size; mod_params->num_cpus = loader_params->num_cpus; mod_params->gnvs_ptr = (uint32_t)(uintptr_t)acpi_get_gnvs(); @@ -534,7 +537,7 @@

struct smm_runtime *smihandler_params = rmodule_parameters(&smi_handler); params->handler = rmodule_entry(&smi_handler); - setup_smihandler_params(smihandler_params, smram_base, smram_size, params); + setup_smihandler_params(smihandler_params, params);

return smm_module_setup_stub(stub_segment_base, smram_size, params); }