[coreboot] Question about finalization of SMM

Persmule persmule at gmail.com
Tue Aug 15 07:06:31 CEST 2017


Hi all,

When using chipsec ( https://github.com/chipsec/chipsec ) to analyse
possible vulnerabilities inside coreboot systems, I noticed that on
several Intel-based systems running coreboot (e.g.
https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-gb08d73b845/2017-08-01T23_05_52Z
), several registers on the PCI-e root complex (host bridge) are not
locked, while they are locked on the same system running OEM firmware.

Digging into the source code, I found a function defined inside
${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge,
haswell}/finalize.c to lock these registers and finalize SMM, but this
function will only be called if #SMI APM_CNT gets triggered with a
certain parameter. (The handler of #SMI APM_CNT is usually defined as
function "southbridge_smi_apmc" inside
${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or
${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the
lockdown function will be called with parameter register APM_CNT ==
APM_CNT_FINALIZE.)

That these registers are left unlocked indicates that SMM is left
unfinalized, and that #SMI APM_CNT is never triggered with APM_CNT ==
APM_CNT_FINALIZE during boot. I would like to ask when SMM is
expected to be finalized, and which component of the system (e.g.
coreboot, payload, or OS kernel) is responsible for that?

Thanks.

Persmule

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chipsecmain-cbx230-memcfg.log
Type: text/x-log
Size: 1421 bytes
Desc: not available
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170815/14e67c8b/attachment.log>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chipsecmain-x230-oem-memcfg.log
Type: text/x-log
Size: 1424 bytes
Desc: not available
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170815/14e67c8b/attachment-0001.log>
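
Added example (not part of the original post, and not chipsec or coreboot code): one way to automate the comparison the post describes, listing registers that are locked under a reference firmware but unlocked or absent under another. The log line shape, register names and values below are constructed assumptions, not the contents of the attached logs.

```python
import re

# ASSUMPTION: line shape modelled on chipsec's memory-map lock check, e.g.
#   [-]   PCI0.0.0_TOLUD = 0x00000000DFA00000 - UNLOCKED - Top of Low Usable DRAM
LINE_RE = re.compile(
    r"^\[[*+\-!]\]\s+(?P<reg>\S+)\s*=\s*0x[0-9A-Fa-f]+\s+-\s+"
    r"(?P<state>LOCKED|UNLOCKED)\b"
)

# Constructed sample logs (not the attachments from the post).
OEM_LOG = """\
[*] running module: chipsec.modules.memconfig
[+]   PCI0.0.0_TOLUD     = 0x00000000DFA00001 - LOCKED   - Top of Low Usable DRAM
[+]   PCI0.0.0_TSEGMB    = 0x00000000DA000001 - LOCKED   - TSEG Memory Base
[+]   PCI0.0.0_REMAPBASE = 0x000000021F600001 - LOCKED   - Memory Remap Base Address
"""
COREBOOT_LOG = """\
[*] running module: chipsec.modules.memconfig
[-]   PCI0.0.0_TOLUD     = 0x00000000DFA00000 - UNLOCKED - Top of Low Usable DRAM
[-]   PCI0.0.0_TSEGMB    = 0x00000000DA000000 - UNLOCKED - TSEG Memory Base
[+]   PCI0.0.0_REMAPBASE = 0x000000021F600001 - LOCKED   - Memory Remap Base Address
"""

def parse_lock_states(log_text):
    """Return {register name: True if LOCKED, False if UNLOCKED}."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # banner and summary lines do not match and are skipped
            states[m.group("reg")] = m.group("state") == "LOCKED"
    return states

def lock_regressions(reference_log, candidate_log):
    """Registers locked in the reference log but unlocked/missing in the candidate."""
    ref = parse_lock_states(reference_log)
    cand = parse_lock_states(candidate_log)
    regressions = {}
    for reg, locked in sorted(ref.items()):
        if not locked:
            continue  # only registers the reference firmware actually locks
        if reg not in cand:
            regressions[reg] = "missing"
        elif not cand[reg]:
            regressions[reg] = "unlocked"
    return regressions

if __name__ == "__main__":
    for reg, why in lock_regressions(OEM_LOG, COREBOOT_LOG).items():
        print(f"{reg}: locked under reference firmware, {why} under candidate")
```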

