Thanks for the good explanations.
So I have a question for you all. We've been doing some testing of linux-as-ramstage. We've done a proof of concept that linux can set up the SMM handler at 0xa0000, the relocate stub at 0x38000, run the relocate stub, and have a working smm handler. The smm handler can trampoline to 64-bit mode and call the kernel, using existing mechanisms. So our SMM handler, in this scenario, is a set of functions provided by the kernel, not a binary blob. The result is a teeny tiny SMM handler and complete elimination of the vendor-supplied SMM code.
There are lots of benefits. The SMM is no longer at a fixed location -- it's kind of ASLR for SMM code; there is very little code that runs in SMM; and the SMM handlers we implement run in 64-bit mode with full memory protections. The big one for me is that persistent firmware blobs are reduced by one -- it's part of a goal to create an air gap between firmware and kernel. Another part of this work is that we're going to discard firmware-supplied ACPI tables and use ones supplied by the kernel.
I realize this is not a general approach. But for small, limited configurations, such as OCP servers which come in a small number of flavors, it's quite doable.
The only question that has been raised: are we losing an essential security guarantee since flash is writeable in this kernel-based "SMM"? The big question is whether we're opening up the possibility of firmware getting changed, once the kernel is our "smm mode". Is there a reasonable mitigation we could use in the SMM handler before we trampoline back up to the kernel?
Thoughts on this are welcome.