Again, I don't want to pretend this idea is general. Moving SMM to a linux-as-ramfs payload might work on a small number of servers where we have lots of control and not much variety. But thanks for the note Melvin.
On Sat, Jul 1, 2017 at 6:39 PM Melvin Walker via coreboot < coreboot@coreboot.org> wrote:
I'll correct my own statement. I think my understanding was from a misinterpretation from some marketing material. Only the authentication happens in the ACM, not the flash write.
On Saturday, July 1, 2017 7:56 PM, Melvin Walker via coreboot < coreboot@coreboot.org> wrote:
I don't have a computer with BIOS Guard, but doesn't that move flash writes to BIOS_ACM instead of SMM
Melvin
On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot < coreboot@coreboot.org> wrote:
Hello ron,
Friday, June 30, 2017, 6:25:06 AM, you wrote:
rm> there's something I am certain I don't understand about SMM on intel chipsets. rm> The question is pretty simple. Consider a system with a recent rm> intel chipset and flash. Is there some special secret sauce that rm> disables writing to flash unless in SMM and if so, what is it?
Originally there were two bits in BIOS_CNTL used to effectively enable this[1]:
When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System Management Interrupt (SMI). It is the job of this SMI to determine whether or not it is permissible to write enable to the BIOS, and if not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being that the BIOS is not writable.
As described in the link, this logic is vulnerable to race conditions, so Intel added yet another bit:
This issue is mitigated by setting the SMM_BWP bit in the BIOS Control Register along with setting BIOS Lock Enable (BLE) and clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the processor to be in SMM in order to honor writes to the BIOS region of SPI flash, thereby mitigating the issue.
So in theory all recent BIOSes should set SMM_BWP. Whether they actually do it can be checked with Chipsec[4].
For more background see [2] and [3]
[1] https://www.kb.cert.org/vuls/id/766164
[2] http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%...
[3] http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition...
[4] https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_w... -- WBR, Igor mailto:roxfan@skynet.be
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot