For a security boundary, the question
is "what can an OS potentially do", not "what do we expect it to
do".
Modification of the APIC_ID register is model specific, but
prohibited by the x2APIC spec. I presume that the SMM entry
straps disambiguate by the initial APIC ID, which is fixed, but I
don't know for sure.
Since sending this email, I've come to the conclusion that
deriving the stack from the entry strap is probably a safer option
than trying to use/parse/modify the APIC.
As for x2APIC, any system with >254 cpus needs x2APIC (and
Interrupt Remapping) for the OS to be able to perform symmetric
interrupt handling, but OSes will turn it on if available, because
it has a better programming model (no waiting on status bits), and
is easier to virtualise.
~Andrew
On 28/08/18 19:37, Lance Zhao wrote:
Without x2apic mode, APIC_ID register will not be
moved by OS. Those address normally had been tagged as reserved
and will not be touched. I believe that x2apic will apply for
processors number more than 255, so majority cases in coreboot
didn't touch that area yet.
Hello,
While looking at some code, I noticed that twice (once in asm,
and again
later in C), the SMM handler assumes that 0xfee00020 is the
APIC_ID
reigster in the xAPIC MMIO window.
This isn't true if the OS has moved the MMIO window, or
switched to
x2apic mode (on supporting hardware).
As a result, it looks like its rather easy to feed a
kernel-controlled
value into Coreboot's idea of its Local APIC id, which can
either be the
same on all cores (reuse of the same stack) or wildly out of
range
(albeit, at least bounded to 255).
To fix, I'd expect Coreboot to read MSR_APIC_BASE, and either
cope with
x2apic mode (which is surely easier than switching APIC mode,
as you've
got to cycle through off to switch back to xAPIC mode), or
save/remap/restore the APIC MMIO window.
Without paging, you can't address an APIC MMIO window above
the 4G boundary.
Is this something you care about?
Thanks,
~Andrew
--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot