[coreboot] Question about finalization of SMM

Shawn citypw at gmail.com
Fri Aug 18 09:20:15 CEST 2017


On Tue, Aug 15, 2017 at 1:04 PM, Persmule <persmule at gmail.com> wrote:
> Hi all,
>
> When using chipsec ( https://github.com/chipsec/chipsec ) to analyse
> possible vulnerabilities inside coreboot systems, I noticed that on
> several Intel-based systems running coreboot (e.g.
> https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-gb08d73b845/2017-08-01T23_05_52Z
> ), several registers on the pci-e root complex (host bridge) are not
> locked, while they are locked on the same system running OEM firmware.
>
> Digging into the source code, I found a function defined inside
> ${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge,
> haswell}/finalize.c to lock these registers, but this function will only
> be called if #SMI APM_CNT gets triggered with a certain parameter. ( The
> handler of #SMI APM_CNT is usually defined as function
> "southbridge_smi_apmc" inside
> ${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or
> ${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the
> lockdown function will be called with parameter register APM_CNT ==
> APM_CNT_FINALIZE.)
>
> That these registers are left unlocked indicates that #SMI APM_CNT is
> never triggered with APM_CNT == APM_CNT_FINALIZE during boot. I would
> like to ask when #SMI APM_CNT is expected to be triggered
> with APM_CNT == APM_CNT_FINALIZE, and which component of the system
> (e.g. coreboot, payload, or OS kernel) is responsible for the triggering?
>
It seems it will be triggered after S3, in southbridge/intel/bd82x6x/lpc.c:

static void lpc_final(struct device *dev)
{
        if (CONFIG_HAVE_SMI_HANDLER && acpi_is_wakeup_s3()) {
                /* Call SMM finalize() handlers before resume */
                outb(0xcb, 0xb2);
        }
}

It's a bit weird. Those LOCK bits should be set at boot time. Will
coreboot provide an option in the future? A workaround can
be achieved with a script based on CHIPSEC code:

https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/scripts/harbian_fw/fw_hardening_runtime.py




-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
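
The gating discussed in this thread, as an added example that is not part of the original message and is not coreboot source: a small user-space model showing that finalization gated on S3 wakeup leaves the lock bits clear after a cold boot. Only the 0xcb and 0xb2 values come from the posted snippet; every function and variable name here is hypothetical, and regs_locked merely stands in for the host-bridge lock bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define APM_CNT          0xb2  /* I/O port written in the posted lpc_final() */
#define APM_CNT_FINALIZE 0xcb  /* value written in the posted lpc_final() */

static bool regs_locked;       /* model of the lock bits, not real hardware */

/* Stand-in for the APM_CNT SMI handler: lock once on APM_CNT_FINALIZE. */
static void model_smi_apmc(uint8_t cmd)
{
    if (cmd == APM_CNT_FINALIZE && !regs_locked)
        regs_locked = true;
}

/* Stand-in for outb(): a write to APM_CNT raises the modelled SMI. */
static void model_outb(uint8_t val, uint16_t port)
{
    if (port == APM_CNT)
        model_smi_apmc(val);
}

/* Gating as in the posted snippet: finalize only when resuming from S3. */
static void lpc_final_posted(bool have_smi_handler, bool s3_wakeup)
{
    if (have_smi_handler && s3_wakeup)
        model_outb(APM_CNT_FINALIZE, APM_CNT);
}

/* Hypothetical variant: finalize on every boot path (not a coreboot change). */
static void lpc_final_every_boot(bool have_smi_handler)
{
    if (have_smi_handler)
        model_outb(APM_CNT_FINALIZE, APM_CNT);
}

/* Runs one modelled boot and reports whether the lock bits ended up set. */
bool locked_after_boot(bool s3_wakeup, bool every_boot)
{
    regs_locked = false;       /* reset state: lock bits start clear */
    if (every_boot)
        lpc_final_every_boot(true);
    else
        lpc_final_posted(true, s3_wakeup);
    return regs_locked;
}

int main(void)
{
    printf("posted, cold boot: %d\n", locked_after_boot(false, false));
    printf("posted, S3 resume: %d\n", locked_after_boot(true, false));
    printf("every boot, cold:  %d\n", locked_after_boot(false, true));
    return 0;
}
```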


