I did some testing on real hardware with an Intel Coffeelake system on whether
vectoring out of TSEG is prohibited by the hardware, which I assumed would be the case.

It's *not* the case! Vectoring out of TSEG does succeed so this issue really affects modern hardware.

So I think this issue might affect a lot more systems than I initially thought.

Kind regards

Arthur

On Fri, Apr 8, 2022 at 12:43 AM Arthur Heymans <arthur@aheymans.xyz> wrote:

Hi

When refactoring the coreboot SMM setup I noticed that there is a security vulnerability in our SMM setup code.

It boils down to this: except on the BSP the smihandler code will execute code at a random location, but most likely at offset 0. With some carefully crafted code a bootloader or the OS could place some code at that offset, generate an SMI on an AP and get control over SMM. More recent silicon has hardware mechanisms to avoid executing code outside the designated SMM area (TSEG) so those would not be affected.

The commit introducing this problem is https://review.coreboot.org/c/coreboot/+/43684.
Roughly it affects most x86 builds from end 2020/ beginning 2021 till now.

https://review.coreboot.org/c/coreboot/+/63478 fixes the problem. (Feel free to review the rest of that series as it makes the smm setup much more readable ;-))

Kind regards
Arthur