Arthur, what might we do with either the build process or startup to
avoid this problem in future? Do you think we could find a way to
catch this programmatically soon, rather than humanly too late?
On Mon, Apr 11, 2022 at 2:48 AM Arthur Heymans <arthur@aheymans.xyz> wrote:
>
> Hi
>
> After last week's SMM loader problem on all but the BSP, I noticed another problem in the SMM setup.
> The permanent smihandler is currently built as a relocatable module such that coreboot
> can place it wherever it thinks is a good idea (TSEG is not known at build time).
> These relocatable modules have an alignment requirement.
>
> It looks, however, that the code to deal with the alignment requirement is also wrong
> and aligns the handler upwards instead of downwards, which makes it encroach on either an SSE2
> FX_SAVE area or an SMM register save state. It's hard to know whether this is easily exploitable.
> I would think that, with a carefully crafted SMM save state on the right AP, arbitrary code execution might be possible. On the other hand, I noticed last week that launching SMM on APs is broken too, so this is likely a lesser problem.
>
> Anyway the fix is in https://review.coreboot.org/c/coreboot/+/63475
> (It has a comment indicating what code was causing this problem)
> Please review and update your coreboot code!
>
> Kind regards
> Arthur
> _______________________________________________
> coreboot mailing list -- coreboot@coreboot.org
> To unsubscribe send an email to coreboot-leave@coreboot.org
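Added example (not coreboot's own code) modelling the alignment defect Arthur describes and the kind of programmatic check the reply asks for: the relocatable handler sits below the per-CPU save-state area, so its aligned start must be rounded down; rounding up pushes its end into that area. The addresses, handler size and alignment are constructed values, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* align must be a power of two (true for rmodule alignment requirements). */
static uintptr_t align_down(uintptr_t addr, size_t align)
{
	return addr & ~((uintptr_t)align - 1);
}

static uintptr_t align_up(uintptr_t addr, size_t align)
{
	return (addr + align - 1) & ~((uintptr_t)align - 1);
}

/* Correct placement: highest aligned start whose [start, start+size) ends at or below limit. */
uintptr_t smm_handler_place(uintptr_t limit, size_t size, size_t align)
{
	return align_down(limit - size, align);
}

/* Placement as described in the thread: same computation, but rounded up. */
uintptr_t smm_handler_place_buggy(uintptr_t limit, size_t size, size_t align)
{
	return align_up(limit - size, align);
}

/* Sanity check usable at build or boot time: bytes by which the handler
 * runs past limit (the start of the save-state area). 0 means it fits. */
size_t smm_handler_overrun(uintptr_t start, size_t size, uintptr_t limit)
{
	uintptr_t end = start + size;
	return end > limit ? (size_t)(end - limit) : 0;
}

int main(void)
{
	/* Constructed values: FX_SAVE / register save state of the first CPU starts at limit. */
	const uintptr_t limit = 0x7f0f0000;
	const size_t size = 0x4800;   /* handler image size */
	const size_t align = 0x1000;  /* rmodule alignment requirement */

	uintptr_t good = smm_handler_place(limit, size, align);
	uintptr_t bad = smm_handler_place_buggy(limit, size, align);
	printf("align-down: start=%#lx overrun=%zu bytes\n",
	       (unsigned long)good, smm_handler_overrun(good, size, limit));
	printf("align-up:   start=%#lx overrun=%zu bytes\n",
	       (unsigned long)bad, smm_handler_overrun(bad, size, limit));
	return smm_handler_overrun(good, size, limit) == 0 ? 0 : 1;
}
```

Run as a build step or at SMM setup, a non-zero overrun is the condition to fail on rather than discover after the fact.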