[coreboot] question on SMM
Melvin Walker
melvinwalk at yahoo.com
Sun Jul 2 03:21:17 CEST 2017
I'll correct my own statement. I think my understanding was from a misinterpretation from some marketing material. Only the authentication happens in the ACM, not the flash write.
On Saturday, July 1, 2017 7:56 PM, Melvin Walker via coreboot <coreboot at coreboot.org> wrote:
I don't have a computer with BIOS Guard, but doesn't that move flash writes to BIOS_ACM instead of SMM
Melvin
On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot <coreboot at coreboot.org> wrote:
Hello ron,
Friday, June 30, 2017, 6:25:06 AM, you wrote:
rm> there's something I am certain I don't understand about SMM on intel chipsets.
rm> The question is pretty simple. Consider a system with a recent
rm> intel chipset and flash. Is there some special secret sauce that
rm> disables writing to flash unless in SMM and if so, what is it?
Originally there were two bits in BIOS_CNTL used to effectively enable this[1]:
> When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by
> setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System
> Management Interrupt (SMI). It is the job of this SMI to determine
> whether or not it is permissible to write enable to the BIOS, and if
> not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being
> that the BIOS is not writable.
As described in the link, this logic is vulnerable to race conditions,
so Intel added yet another bit:
> This issue is mitigated by setting the SMM_BWP bit in the BIOS
> Control Register along with setting BIOS Lock Enable (BLE) and
> clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the
> processor to be in SMM in order to honor writes to the BIOS region
> of SPI flash, thereby mitigating the issue.
So in theory all recent BIOSes should set SMM_BWP. Whether they
actually do it can be checked with Chipsec[4].
For more background see [2] and [3]
[1] https://www.kb.cert.org/vuls/id/766164
[2] http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SPI%20Flash%20Protection%20Mechanisms.pdf
[3] http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf
[4] https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_wp.py
--
WBR,
Igor mailto:roxfan at skynet.be
--
coreboot mailing list: coreboot at coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
--
coreboot mailing list: coreboot at coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170702/66bb3584/attachment.html>
More information about the coreboot
mailing list