Hi,
I noticed that both bootloader and kernel code are able to make the BIOS ROM section writable again. This allows hostile code to make modifications to ROM contents and then run the modified code.
This may allow malicious code to gain privilege escalation from ring0 to ring -2 if I have not misunderstood this.
Care to verify whether this is an issue or not?
- k4m1
On Sat, Mar 30, 2019 at 08:54:04AM +0000, k4m1 wrote:
> Hi,
> I noticed that both bootloader and kernel code are able to make the BIOS ROM section writable again. This allows hostile code to make modifications to ROM contents and then run the modified code.
> This may allow malicious code to gain privilege escalation from ring0 to ring -2 if I have not misunderstood this.
Not a problem. Yes, you probably can hijack smm mode without too much trouble, but it doesn't give you any additional privileges.
Seabios doesn't try to protect something with smm mode. Which is different from uefi where typically the SMM LockBox is used to protect secure boot configuration and keys. Therefore seabios doesn't even try to lock down smm mode.
The reason seabios uses smm mode (if available and CONFIG_SMM=y) is that it is the only way to really save and restore the complete x86 processor state. That way, switching into 32-bit mode and back into whatever state the processor was in when it called into the bios should work more reliably.
HTH, Gerd