Hi all,
When using chipsec ( https://github.com/chipsec/chipsec ) to analyse possible vulnerabilities inside coreboot systems, I noticed that on several Intel-based systems running coreboot (e.g. https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-g... ), several registers on the PCIe root complex (host bridge) are not locked, while they are locked on the same system running OEM firmware.
Digging into the source code, I found a function defined inside ${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge, haswell}/finalize.c to lock these registers and finalize SMM, but this function will only be called if #SMI APM_CNT gets triggered with a certain parameter. (The handler of #SMI APM_CNT is usually defined as function "southbridge_smi_apmc" inside ${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or ${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the lockdown function will be called with parameter register APM_CNT == APM_CNT_FINALIZE.)
That these registers are left unlocked indicates that SMM is left unfinalized, and that #SMI APM_CNT is never triggered with APM_CNT == APM_CNT_FINALIZE during boot. I would like to ask when SMM is expected to be finalized, and which component of the system (e.g. coreboot, payload, or OS kernel) is responsible for that?
Thanks.
Persmule
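
The dispatch described in the message above, modelled in C as an added example that is not part of the original post and is not coreboot code. The `model_*` names, the register contents, the command sequences and the numeric value of `APM_CNT_FINALIZE` are assumptions made for this model; it shows why the register stays writable when no boot stage ever issues the finalize command.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this model; take the real one from coreboot's headers. */
#define APM_CNT_FINALIZE 0xcb

/* Hypothetical chipset state: one lockable host-bridge register. */
struct model_chipset {
    uint32_t hostbridge_reg; /* stand-in for a register chipsec reports on */
    int locked;              /* once set, writes to hostbridge_reg are dropped */
};

static void model_reg_write(struct model_chipset *c, uint32_t value)
{
    if (!c->locked)
        c->hostbridge_reg = value;
}

/* Stand-in for the lockdown function in finalize.c. */
static void model_finalize_smm(struct model_chipset *c)
{
    c->locked = 1;
}

/* Model of the APM_CNT dispatch: only APM_CNT_FINALIZE reaches the lockdown. */
static void model_smi_apmc(struct model_chipset *c, uint8_t apm_cnt)
{
    if (apm_cnt == APM_CNT_FINALIZE)
        model_finalize_smm(c);
    /* every other command value leaves the lock state untouched */
}

/* Replay the APM_CNT writes seen during boot, then test whether a later
 * write to the register still lands. Returns 1 if it does (unlocked). */
int writable_after_boot(const uint8_t *cmds, size_t n)
{
    struct model_chipset c = { 0x1000, 0 };
    for (size_t i = 0; i < n; i++)
        model_smi_apmc(&c, cmds[i]);
    model_reg_write(&c, 0xdeadbeef);
    return c.hostbridge_reg == 0xdeadbeef;
}

int main(void)
{
    const uint8_t no_finalize[] = { 0x01, 0x02 };               /* constructed */
    const uint8_t with_finalize[] = { 0x01, APM_CNT_FINALIZE }; /* constructed */
    printf("no finalize:   writable=%d\n", writable_after_boot(no_finalize, 2));
    printf("with finalize: writable=%d\n", writable_after_boot(with_finalize, 2));
    return 0;
}
```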