[LinuxBIOS] SMM is evil?

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Thu May 11 22:06:24 CEST 2006


Stefan Reinauer wrote:
> If something seems as simple as setting the D_LCK bit of SMM, we should
> definitely do it.. It will at least be a marketable feature against
> other upcoming firmware implementations.

I believe that setting D_LCK will mitigate a few attacks but I strongly
doubt that it cannot be cleared during system operation. Yes, the manual
specifies it, but manuals have been underspecified before. Since we don't
use SMM for anything, we might as well
* clear D_OPEN
* set D_CLOSE
* clear "Enable"
* set D_LCK.

So, by all means, do it now. Until somebody figures out a way to disable
D_LCK again we offer a much higher degree of security than everybody
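
Added example, not part of the original post and not LinuxBIOS code: a small C software model of the four-step sequence listed above, with an audit check for the resulting state. The bit positions, the set of fields that freeze once D_LCK is set, and the names `smram_reg`, `smram_write`, `smram_harden` and `smram_is_hardened` are assumptions based on the usual Intel SMRAM control register layout; the model reflects documented behaviour only, so check the chipset datasheet.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bit layout (Intel-style SMRAM control register). */
#define D_OPEN   (1u << 6)  /* SMRAM visible outside SMM */
#define D_CLS    (1u << 5)  /* called "D_CLOSE" in the post */
#define D_LCK    (1u << 4)  /* lock; documented as cleared only by reset */
#define G_SMRAME (1u << 3)  /* called "Enable" in the post */
#define C_BASE   0x07u      /* base segment field, treated as read-only */

/* Software model of the register, not real hardware access. */
typedef struct { uint8_t val; } smram_reg;

/* Apply a config write using the documented lock semantics (assumed). */
static void smram_write(smram_reg *r, uint8_t v)
{
    uint8_t ro = C_BASE;                       /* always read-only */
    if (r->val & D_LCK)
        ro |= D_LCK | D_OPEN | G_SMRAME;       /* frozen once locked */
    r->val = (uint8_t)((r->val & ro) | (v & ~ro));
    if (r->val & D_LCK)
        r->val &= (uint8_t)~D_OPEN;            /* locking forces D_OPEN to 0 */
}

/* The four steps from the post: configure first, lock last. */
static void smram_harden(smram_reg *r)
{
    uint8_t v = r->val;
    v &= (uint8_t)~(D_OPEN | G_SMRAME);        /* clear D_OPEN, clear Enable */
    v |= D_CLS;                                /* set D_CLS */
    smram_write(r, v);
    smram_write(r, (uint8_t)(r->val | D_LCK)); /* set D_LCK */
}

/* Audit: returns 1 only if the register is in the hardened state. */
static int smram_is_hardened(const smram_reg *r)
{
    return (r->val & (D_OPEN | D_CLS | D_LCK | G_SMRAME)) == (D_CLS | D_LCK);
}

int main(void)
{
    smram_reg r = { 0x02 | D_OPEN | G_SMRAME };  /* constructed starting value */
    smram_harden(&r);
    /* A later write that tries to reopen SMRAM and drop the lock is ignored. */
    smram_write(&r, (uint8_t)((r.val | D_OPEN | G_SMRAME) & ~D_LCK));
    printf("SMRAM=0x%02x hardened=%d\n", r.val, smram_is_hardened(&r));
    return 0;
}
```

On real hardware the audit value would come from a PCI configuration read of the host bridge, repeated late in boot and again from the running OS to confirm the lock held.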

