[coreboot] Question about finalization of SMM

[Persmule]

Hi all,

When using chipsec ( https://github.com/chipsec/chipsec ) to analyse
possible vulnerabilities inside coreboot systems, I noticed that on
several intel-based systems running coreboot,(e.g.
https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-gb08d73b845/2017-08-01T23_05_52Z
) several registers on the pci-e root complex (host bridge) is not
locked while locked on the same system running oem firmware.

Digging into the source code, I found a function defined inside
${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge,
haswell}/finalize.c to lock these registers, but this function will only
be called if #SMI APM_CNT gets triggered with a certain parameter. ( The
handler of #SMI APM_CNT is usually defined as function
"southbridge_smi_apmc" inside
${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or
${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the
lockdown function will be called with parameter register APM_CNT == 
APM_CNT_FINALIZE.)

That these registers are left unlocked indicates that #SMI APM_CNT is
never triggered with APM_CNT ==  APM_CNT_FINALIZE during boot. I would
like to ask, that when does the #SMI APM_CNT is expected to be triggered
with APM_CNT ==  APM_CNT_FINALIZE, and which component of the system
(e.g. coreboot, payload, or os kernel) is responsible for the triggering?

Thanks.

Persmule

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chipsecmain-cbx230-memcfg.log
Type: text/x-log
Size: 1421 bytes
Desc: not available
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170815/3c73d897/attachment.log>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chipsecmain-x230-oem-memcfg.log
Type: text/x-log
Size: 1424 bytes
Desc: not available
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170815/3c73d897/attachment-0001.log>