On 07.02.2009 17:11, Kevin O'Connor wrote:
On Sat, Feb 07, 2009 at 01:35:40PM +0100, Stefan Reinauer wrote:
Kevin O'Connor wrote:
Random thought - I wonder if the OS could "break into" SMM mode by turning on caching for the SMM area and then manipulating the cache contents so that an SMI used icache/dcache contents set by the OS
[...]
The simplest way to avoid this is by putting the main SMI handler at 0xa0000
We're probably getting off topic. But here is what I was thinking:
OS uses mtrr to cache memory at 0xa0000
OS loads a "jmp 0x10000" insn into L2 cache at 0xa0000
OS invokes an SMI (acpi defines a way to do this)
If the SMI handler is set to run code at 0xa0000 (ie, it has an SMBASE of 0x98000), then it would see the 'jmp' insn and start running OS code at 0x10000.
This needs a unified cache, though.
so it has control over the cache before it accesses the high SMM memory. Right now the SMI handler I wrote does not use the high SMM memory at all, so there's no immediate risk.
I don't think there is much risk anyway - if someone has full access to the machine to change cache settings, then they don't need SMM mode.
Well, some chipsets allow you to reflash the ROM only in SMM if the flash interface is locked.
Regards, Carl-Daniel