[coreboot] x86 smm: memory sinkhole attack

Timothy Pearson tpearson at raptorengineeringinc.com
Wed Aug 12 15:55:21 CET 2015


On 08/12/2015 10:54 AM, Timothy Pearson wrote:
> On 08/12/2015 10:44 AM, Patrick Georgi wrote:
>> 2015-08-12 16:28 GMT+02:00 Francis Rowe <info at gluglug.org.uk>:
> 
>>     My basic question is: are coreboot systems affected by this
>>     vulnerability, and if so, what work is being done to patch it?
> 
>> I reviewed our SMM handler, drafted out how to mitigate any potential
>> issue and started work on a PoC. Then got distracted by something else.
> 
>> My test system is the getac/p470 (i945, core2duo CPU)
> 
>>     Specifically, in my case, I am interested in the following coreboot
>>     systems:
>>     * i945 platforms (Lenovo X60/T60, Macbook2,1)
>>     * GM45 platforms (Lenovo X200/T400/T500/R400/R500)
> 
> 
> 
>>     * fam10h AMD platforms (ASUS KFSN4-DRE, ASUS KGPE-D16)
> 
>> Totally different architecture, I'm not sure if the APIC decoding
>> behavior even translates to that.
> 
> 
> I will be checking this out sometime soon.  I'm not expecting to find
> anything given that SMM is (mostly*) deactivated on all of the non-AGESA
> platforms I have looked at.
> 
> * SMM is given a base address, memory window, and then locked.  If I
> understand the exploit correctly it requires SMM to both be triggerable
> and for SMM to attempt to execute code after being triggered.
> 

Sorry, that should read "non-AGESA Family 10h platforms" above.

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645
http://www.raptorengineeringinc.com


