2017-06-30 19:46 GMT+02:00 ron minnich rminnich@gmail.com:
The only question that has been raised: are we losing an essential security guarantee since flash is writeable in this kernel-based "SMM"? The big question is whether we're opening up the possibility of firmware getting changed, once the kernel is our "smm mode". Is there a reasonable mitigation we could use in the SMM handler before we trampoline back up to the kernel?
To expand on Trammell's comment, FILO has code to work around a similar issue on some older AMD chipsets: there, you can lock down the chipset's flash write capability, only to see it circumvented by manual SPI commands to write to flash. The solution is to tell the SPI flash itself to go read-only: https://review.coreboot.org/cgit/filo.git/tree/drivers/sb600.c#n1204
If you're certain that you don't need any more flash writes (for a _long_ time - I believe that one even survived cold resets), that could be another defensive layer.
Patrick
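An added example (mine, not code from FILO, coreboot or this thread) of the part-level lock Patrick describes: a small model of a 25-series SPI NOR status register, using the common JEDEC opcodes and SR1 bit layout as assumptions, showing that once the block-protect bits and SRP0 are set through WRSR, later raw page-program and WRSR commands are silently ignored, and that reading the status register back is the check worth doing before trusting the lock.

```c
/* Model of a JEDEC 25-series SPI NOR status register (constructed for this
 * example; opcodes and the SR1 layout SRP0|SEC|TB|BP2|BP1|BP0|WEL|BUSY are the
 * common ones, not taken from a specific datasheet or from sb600.c). */
#include <stdint.h>
#include <stdbool.h>
#define OP_WRSR 0x01  /* write status register */
#define OP_PP   0x02  /* page program */
#define OP_RDSR 0x05  /* read status register */
#define OP_WREN 0x06  /* write enable */
#define SR_WEL  (1u << 1)
#define SR_BP   (7u << 2)      /* BP0..BP2: non-zero => whole array protected here */
#define SR_SRP0 (1u << 7)      /* status register protect (assumes /WP held low) */

struct spi_flash { uint8_t sr; uint8_t mem[256]; };

/* One transaction. Returns SR for RDSR, else 1 if accepted, 0 if the part
 * silently ignored the command the way real NOR flash does. */
static uint8_t spi_xfer(struct spi_flash *f, uint8_t op, uint8_t addr, uint8_t data)
{
    switch (op) {
    case OP_RDSR: return f->sr;
    case OP_WREN: f->sr |= SR_WEL; return 1;
    case OP_WRSR:
        if (!(f->sr & SR_WEL) || (f->sr & SR_SRP0)) return 0; /* not enabled, or SR locked */
        f->sr = data & ~SR_WEL;                                /* WEL auto-clears */
        return 1;
    case OP_PP:
        if (!(f->sr & SR_WEL)) return 0;
        f->sr &= ~SR_WEL;
        if (f->sr & SR_BP) return 0;                           /* protected: no change */
        f->mem[addr] = data;
        return 1;
    default: return 0;
    }
}

/* Lock at the part level (the FILO-style mitigation) and read the lock back:
 * a chipset lock can be bypassed by raw SPI, this one cannot be cleared by WRSR. */
bool flash_lock_and_verify(struct spi_flash *f)
{
    spi_xfer(f, OP_WREN, 0, 0);
    spi_xfer(f, OP_WRSR, 0, SR_SRP0 | SR_BP);
    return (spi_xfer(f, OP_RDSR, 0, 0) & (SR_SRP0 | SR_BP)) == (SR_SRP0 | SR_BP);
}

/* What a later raw-SPI writer sees: true only if the byte actually changed. */
bool flash_try_program(struct spi_flash *f, uint8_t addr, uint8_t val)
{
    spi_xfer(f, OP_WREN, 0, 0);
    spi_xfer(f, OP_PP, addr, val);
    return f->mem[addr] == val;
}
```

The status register is non-volatile on these parts, which is why the lock persists across resets, and why the read-back check matters: if it did not stick, nothing downstream should assume the flash is read-only.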