Hi all,
When using chipsec (https://github.com/chipsec/chipsec) to analyse possible vulnerabilities in coreboot systems, I noticed that on several Intel-based systems running coreboot (e.g. https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-g... ) several registers on the PCIe root complex (host bridge) are not locked, while they are locked on the same system running OEM firmware.
Digging into the source code, I found a function defined in ${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge, haswell}/finalize.c to lock these registers, but this function is only called if the #SMI APM_CNT is triggered with a certain parameter. (The handler for the #SMI APM_CNT is usually defined as the function "southbridge_smi_apmc" in ${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or ${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the lockdown function is called when the parameter register APM_CNT == APM_CNT_FINALIZE.)
That these registers are left unlocked indicates that the #SMI APM_CNT is never triggered with APM_CNT == APM_CNT_FINALIZE during boot. I would like to ask when the #SMI APM_CNT is expected to be triggered with APM_CNT == APM_CNT_FINALIZE, and which component of the system (e.g. coreboot, payload, or OS kernel) is responsible for triggering it?
Thanks.
Persmule
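The call path the post describes (outb to the APM control port, APMC SMI, southbridge_smi_apmc dispatch, northbridge finalize setting lock bits) as an added, self-contained model in C. This is example code written for this page, not coreboot's smihandler.c or finalize.c: PCI config space and the I/O port are constructed arrays, the synchronous SMI is modelled as a direct call, and the host-bridge register offsets and bit-0 lock positions are stated as assumptions taken from the Sandy Bridge host-bridge layout rather than copied from finalize.c. The value 0xe1 is just an arbitrary non-finalize APMC command for contrast. Which component issues the finalize write is deliberately left to whoever calls apm_control(), since that is exactly the open question above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APM_CNT          0xb2   /* APM control port; an outb here raises the APMC SMI */
#define APM_CNT_FINALIZE 0xcb   /* coreboot's finalize/lockdown command value */

/* Constructed stand-ins for hardware: host bridge (bus 0, dev 0, fn 0) PCI
 * config space and the I/O port space the APMC SMI is keyed on. */
static uint8_t host_bridge_cfg[256];
static uint8_t io_port[256];
static int finalize_calls;        /* how often the lockdown routine really ran */
static int mainboard_finalized;   /* the handler refuses to finalize twice */

/* Host-bridge registers whose lock bit finalize sets. Assumption: Sandy Bridge
 * offsets with bit 0 as the lock bit; the real list lives in finalize.c. */
static const struct { uint8_t off; const char *name; } lock_regs[] = {
	{ 0x50, "GGC" },    { 0x5c, "DPR" },   { 0x90, "REMAPBASE" }, { 0x98, "REMAPLIMIT" },
	{ 0xa0, "TOM" },    { 0xa8, "TOUUD" }, { 0xb0, "BDSM" },      { 0xb4, "BGSM" },
	{ 0xb8, "TSEGMB" }, { 0xbc, "TOLUD" },
};
#define NUM_LOCK_REGS (sizeof(lock_regs) / sizeof(lock_regs[0]))
#define LOCK_BIT      (1u << 0)

static uint32_t pci_read_config32(uint8_t off)
{
	uint32_t v;
	memcpy(&v, &host_bridge_cfg[off], sizeof(v));
	return v;
}

static void pci_or_config32(uint8_t off, uint32_t bits)
{
	uint32_t v = pci_read_config32(off) | bits;
	memcpy(&host_bridge_cfg[off], &v, sizeof(v));
}

/* Stand-in for the northbridge finalize routine: only reachable through the
 * SMI handler, never called directly from ramstage or a payload. */
static void northbridge_finalize(void)
{
	for (size_t i = 0; i < NUM_LOCK_REGS; i++)
		pci_or_config32(lock_regs[i].off, LOCK_BIT);
	finalize_calls++;
}

/* Stand-in for southbridge_smi_apmc(): dispatches on the byte at APM_CNT. */
static void southbridge_smi_apmc(void)
{
	switch (io_port[APM_CNT]) {
	case APM_CNT_FINALIZE:
		if (mainboard_finalized)
			break;
		northbridge_finalize();
		mainboard_finalized = 1;
		break;
	default:
		break;   /* other APMC commands (ACPI enable/disable, ...) not modelled */
	}
}

/* What a caller does to request lockdown: outb(APM_CNT_FINALIZE, APM_CNT).
 * The SMI is synchronous on real hardware (and needs APMC_EN set in SMI_EN),
 * so the handler is modelled as running before the outb returns. */
static void apm_control(uint8_t cmd)
{
	io_port[APM_CNT] = cmd;
	southbridge_smi_apmc();
}

/* chipsec-style check: how many of the lock bits are still clear. */
static int count_unlocked(void)
{
	int n = 0;
	for (size_t i = 0; i < NUM_LOCK_REGS; i++)
		if (!(pci_read_config32(lock_regs[i].off) & LOCK_BIT))
			n++;
	return n;
}

static void reset_model(void)
{
	memset(host_bridge_cfg, 0, sizeof(host_bridge_cfg));
	memset(io_port, 0, sizeof(io_port));
	finalize_calls = 0;
	mainboard_finalized = 0;
}

int main(void)
{
	reset_model();
	for (size_t i = 0; i < NUM_LOCK_REGS; i++)
		printf("after boot, no finalize SMI: %s (0x%02x) unlocked\n",
		       lock_regs[i].name, lock_regs[i].off);
	apm_control(0xe1);   /* unrelated APMC command: must not lock anything */
	printf("after unrelated APMC command: %d unlocked\n", count_unlocked());
	apm_control(APM_CNT_FINALIZE);
	printf("after APM_CNT_FINALIZE: %d unlocked, finalize ran %d time(s)\n",
	       count_unlocked(), finalize_calls);
	return 0;
}
```

The point the model makes is the one chipsec surfaces on real hardware: the lock bits stay clear for as long as nobody writes APM_CNT_FINALIZE to the APM port, no matter how far boot has progressed, and a second finalize request after the first is a no-op.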