As I read it, it tests for %al being 0x64 and, if so, it assumes the offset is at 7f00. As I read the intel x86 docs, this is wrong, or qemu is wrong. As I read the docs and Xeno's writeups, the offset is at 0x7ef8 on 64-bit processors. But the ich9 version at least in qemu is 0x20064, and that would mean coreboot thinks the register is at 7f00, which it does not appear to be.

So: am I missing something? does this work on amd64 today? where is the offset on modern em64t CPUs? And why does it work on coreboot with q35, qemu, and multiple cores if this offset is wrong?

Also, a different question. The offset at 7ef8 is a 32-bit number on 64-bit systems. It seems to me this implies that the the save state can be located anywhere in the low 4G memory on a per-core basis. I'm a bit lost on the need for the large contiguous SMM save state area.

So, for example, it seems to me we could leave a very small SMM stub at 0xa0000, and as long as it had a simple way to set its offset at 7ef8 it could put its save state at any convenient location. Why do we need the giant contiguous memory area for save state if this is the case?

The main motivation for the TSEG seems to be the requirement of the large contiguous save state area for SMM, but I don't see anything that says it has to be physically contiguous, given the existence of the 32-bit offset.

Current status btw is that linux is able to set up the relocation area and I'm able to run SMIs from the command line and the code Linux sets up gets run. 

It seems to me we ought to be able to break a lot of these fixed address issues and as a result reduce attack surface, but we'll see. I'm got lots of ignorance, little knowledge, and this can be good or bad :-)

ron