[coreboot] question on SMM

Melvin Walker melvinwalk at yahoo.com
Sun Jul 2 03:21:17 CEST 2017


I'll correct my own statement. I think my understanding was from a misinterpretation from some marketing material. Only the authentication happens in the ACM, not the flash write.

    On Saturday, July 1, 2017 7:56 PM, Melvin Walker via coreboot <coreboot at coreboot.org> wrote:
 

 I don't have a computer with BIOS Guard, but doesn't that move flash writes to BIOS_ACM instead of SMM?
Melvin

    On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot <coreboot at coreboot.org> wrote:
 

 Hello ron,

Friday, June 30, 2017, 6:25:06 AM, you wrote:

rm> There's something I am certain I don't understand about SMM on Intel chipsets.
rm> The question is pretty simple. Consider a system with a recent
rm> Intel chipset and flash. Is there some special secret sauce that
rm> disables writing to flash unless in SMM and if so, what is it?

Originally there were two bits in BIOS_CNTL used to effectively enable this[1]:

> When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by
> setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System
> Management Interrupt (SMI). It is the job of this SMI to determine
> whether or not it is permissible to write enable to the BIOS, and if
> not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being
> that the BIOS is not writable.

As described in the link, this logic is vulnerable to race conditions,
so Intel added yet another bit:

> This issue is mitigated by setting the SMM_BWP bit in the BIOS
> Control Register along with setting BIOS Lock Enable (BLE) and
> clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the
> processor to be in SMM in order to honor writes to the BIOS region
> of SPI flash, thereby mitigating the issue.

So in theory all recent BIOSes should set SMM_BWP. Whether they
actually do it can be checked with Chipsec[4].

For more background see [2] and [3].

[1] https://www.kb.cert.org/vuls/id/766164

[2] http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SPI%20Flash%20Protection%20Mechanisms.pdf

[3] http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf

[4] https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_wp.py
-- 
WBR,
 Igor                            mailto:roxfan at skynet.be


-- 
coreboot mailing list: coreboot at coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
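
As an added example (not part of the thread and not Chipsec's code), the three BIOS_CNTL bits named in Igor's reply can be decoded from a raw register byte and mapped to the protection levels he describes. The bit positions (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) follow the Intel PCH datasheet layout and are an assumption to verify for a given chipset; the names `decode` and `assess` and the sample values are constructed for illustration.

```python
# Added example: classify a raw BIOS_CNTL byte by the bits discussed above.
# Assumption: BIOSWE = bit 0, BLE = bit 1, SMM_BWP = bit 5 (Intel PCH
# datasheet layout); verify against the datasheet for the chipset at hand.
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: BIOS region writes need SMM


@dataclass(frozen=True)
class BiosCntl:
    bioswe: bool
    ble: bool
    smm_bwp: bool


def decode(value: int) -> BiosCntl:
    """Split an 8-bit BIOS_CNTL value into the three protection bits."""
    if not 0 <= value <= 0xFF:
        raise ValueError("expected an 8-bit BIOS_CNTL value")
    return BiosCntl(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))


def assess(value: int) -> str:
    """Map the bit combination to the protection level the thread describes."""
    reg = decode(value)
    if not reg.ble:
        return "unprotected: BLE=0, software can set BIOSWE without an SMI"
    if not reg.smm_bwp:
        return "weak: BLE only, SMI handler can be raced (see [1])"
    if reg.bioswe:
        return "nonstandard: SMM_BWP=1 and BLE=1 but BIOSWE left at 1"
    return "protected: BLE=1, BIOSWE=0, SMM_BWP=1"


if __name__ == "__main__":
    # Constructed sample values, not read from real hardware.
    for sample in (0x00, 0x02, 0x22, 0x23, 0x2A):
        print(f"BIOS_CNTL=0x{sample:02X} -> {assess(sample)}")
```

On a live system the register value would come from a tool such as Chipsec [4] rather than from constants.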

