Hello ron,
Friday, June 30, 2017, 6:25:06 AM, you wrote:
rm> there's something I am certain I don't understand about SMM on intel chipsets.
rm> The question is pretty simple. Consider a system with a recent
rm> intel chipset and flash. Is there some special secret sauce that
rm> disables writing to flash unless in SMM and if so, what is it?
Originally there were two bits in BIOS_CNTL used to effectively enable this[1]:
When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System Management Interrupt (SMI). It is the job of this SMI to determine whether or not it is permissible to write enable to the BIOS, and if not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being that the BIOS is not writable.
As described in the link, this logic is vulnerable to race conditions, so Intel added yet another bit:
This issue is mitigated by setting the SMM_BWP bit in the BIOS Control Register along with setting BIOS Lock Enable (BLE) and clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the processor to be in SMM in order to honor writes to the BIOS region of SPI flash, thereby mitigating the issue.
So in theory all recent BIOSes should set SMM_BWP. Whether they actually do it can be checked with Chipsec[4].
For more background see [2] and [3].
[1] https://www.kb.cert.org/vuls/id/766164
[2] http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%...
[3] http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition...
[4] https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_w...
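As an added illustration of the three BIOS_CNTL bits discussed in the mail above (this is not code from the mail, from Intel, or from Chipsec), here is a small decoder that takes the raw BIOS_CNTL byte and reports the same verdict a firmware auditor would draw from it. The bit layout assumed is the one in the Intel 7/8/9-series PCH datasheets for the LPC bridge at D31:F0, config offset 0xDC: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP. Newer PCHs relocate the register and rename the bit, so check the datasheet for your chipset before trusting the offsets; the PASS/WARN/FAIL wording is this example's own, not Chipsec's. The Linux sysfs reader at the end assumes the LPC bridge lives at 0000:00:1f.0 and needs root; the sample values at the bottom are constructed.

```python
"""Decode an Intel PCH BIOS_CNTL value and classify the flash write
protection it describes.  Added example; register layout assumed from the
Intel 7/8/9-series PCH datasheets (LPC D31:F0, offset 0xDC)."""
from dataclasses import dataclass

BIOS_CNTL_OFFSET = 0xDC          # assumed: LPC bridge PCI config offset
BIOSWE = 1 << 0                  # BIOS Write Enable
BLE = 1 << 1                     # BIOS Lock Enable (SMI on BIOSWE 0->1)
SMM_BWP = 1 << 5                 # SMM BIOS Write Protect


@dataclass(frozen=True)
class BiosCntl:
    bioswe: bool
    ble: bool
    smm_bwp: bool


def decode(value: int) -> BiosCntl:
    """Split the raw register byte into the three bits the mail discusses."""
    return BiosCntl(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))


def assess(value: int) -> tuple:
    """Return (status, reason) following the reasoning in the mail:
    BIOSWE set      -> FAIL  (BIOS region is writable right now)
    BLE clear       -> FAIL  (nothing traps an attempt to set BIOSWE)
    SMM_BWP clear   -> WARN  (only the SMI handler re-clears BIOSWE; racy, VU#766164)
    all three right -> PASS  (writes honoured only while the CPU is in SMM)"""
    r = decode(value)
    if r.bioswe:
        return "FAIL", "BIOSWE=1: BIOS region of SPI flash is write-enabled"
    if not r.ble:
        return "FAIL", "BLE=0: setting BIOSWE would not raise an SMI"
    if not r.smm_bwp:
        return "WARN", ("BLE=1, BIOSWE=0 but SMM_BWP=0: protection relies on the "
                        "SMI handler clearing BIOSWE and is subject to the race in VU#766164")
    return "PASS", "SMM_BWP=1: flash writes are honoured only from SMM"


def read_bios_cntl_linux(path: str = "/sys/bus/pci/devices/0000:00:1f.0/config") -> int:
    """Read the live register on Linux (root required; assumes LPC at 00:1f.0)."""
    with open(path, "rb") as f:
        f.seek(BIOS_CNTL_OFFSET)
        return f.read(1)[0]


if __name__ == "__main__":
    # Constructed sample values, one per verdict.
    for sample in (0x01, 0x00, 0x02, 0x22):
        status, reason = assess(sample)
        print(f"BIOS_CNTL=0x{sample:02x}: {status} - {reason}")
```

Run it against the live register with `assess(read_bios_cntl_linux())` on a machine where the offset assumption holds; the constructed samples in `__main__` show each verdict without touching hardware. Chipsec's `bios_wp` module additionally checks the SPI protected-range registers, which this example deliberately does not cover.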