Hi
When refactoring the coreboot SMM setup I noticed that there is a security vulnerability in our SMM setup code.
It boils down to this: except on the BSP the smihandler code will execute code at a random location, but most likely at offset 0. With some carefully crafted code a bootloader or the OS could place some code at that offset, generate an SMI on an AP and get control over SMM. More recent silicon has hardware mechanisms to avoid executing code outside the designated SMM area (TSEG) so those would not be affected.
The commit introducing this problem is https://review.coreboot.org/c/coreboot/+/43684. Roughly it affects most x86 builds from end 2020/ beginning 2021 till now.
https://review.coreboot.org/c/coreboot/+/63478 fixes the problem. (Feel free to review the rest of that series as it makes the smm setup much more readable ;-))
Kind regards Arthur