Glad this is being addressed in coreboot. According to https://kb.cert.org/vuls/id/796611, Insyde's UEFI implementation currently has 23 SMM vulnerabilities researched and disclosed by the company binarly.io, and there is no telling if and when the vendors downstream will apply the fixes and release BIOS updates to their customers.
On Tue, Apr 26, 2022 at 11:45 AM coreboot org <coreboot.org@gmail.com> wrote:
The branches for 4.14, .15, and 4.16 are created and ready for patches to be pushed.
After the patches are merged, I'll handle the releases.
Martin
On Mon, Apr 25, 2022 at 11:54 PM Shawn C <shawn.chang@hardenedvault.net> wrote:
Nice hunt, Arthur! The attack surface in coreboot is smaller than in UEFI, but a misconfig during the setup will lead to a serious issue. This one is neat and worth a CVE. Please use CVE-2022-29264 as the record:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29264
Regards,
Shawn
------- Original Message -------
On Thursday, April 7th, 2022 at 10:43 PM, Arthur Heymans <arthur@aheymans.xyz> wrote:
Hi,
When refactoring the coreboot SMM setup I noticed that there is a security vulnerability in our SMM setup code.
It boils down to this: except on the BSP, the smihandler code will execute code at a random location, but most likely at offset 0. With some carefully crafted code a bootloader or the OS could place some code at that offset, generate an SMI on an AP and get control over SMM. More recent silicon has hardware mechanisms to avoid executing code outside the designated SMM area (TSEG) so those would not be affected.
The commit introducing this problem is https://review.coreboot.org/c/coreboot/+/43684.
Roughly, it affects most x86 builds from the end of 2020/beginning of 2021 until now.
https://review.coreboot.org/c/coreboot/+/63478 fixes the problem.
(Feel free to review the rest of that series as it makes the smm setup much more readable ;-))
Kind regards,
Arthur
coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org