[coreboot] question on SMM

ron minnich rminnich at gmail.com
Sun Jul 2 07:27:01 CEST 2017


Again, I don't want to pretend this idea is general. Moving SMM to a
linux-as-ramfs payload might work on a small number of servers where we
have lots of control and not much variety. But thanks for the note Melvin.

On Sat, Jul 1, 2017 at 6:39 PM Melvin Walker via coreboot <
coreboot at coreboot.org> wrote:

> I'll correct my own statement.  I think my understanding was from a
> misinterpretation from some marketing material.  Only the authentication
> happens in the ACM, not the flash write.
>
>
> On Saturday, July 1, 2017 7:56 PM, Melvin Walker via coreboot <
> coreboot at coreboot.org> wrote:
>
>
> I don't have a computer with BIOS Guard, but doesn't that move flash
> writes to BIOS_ACM instead of SMM
>
> Melvin
>
>
> On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot <
> coreboot at coreboot.org> wrote:
>
>
> Hello ron,
>
> Friday, June 30, 2017, 6:25:06 AM, you wrote:
>
> rm> there's something I am certain I don't understand about SMM on intel
> chipsets.
> rm> The question is pretty simple. Consider a system with a recent
> rm> intel chipset and flash. Is there some special secret sauce that
> rm> disables writing to flash unless in SMM and if so, what is it?
>
> Originally there were two bits in BIOS_CNTL used to effectively enable
> this[1]:
>
> > When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by
> > setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System
> > Management Interrupt (SMI). It is the job of this SMI to determine
> > whether or not it is permissible to write enable to the BIOS, and if
> > not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being
> > that the BIOS is not writable.
>
> As described in the link, this logic is vulnerable to race conditions,
> so Intel added yet another bit:
>
> > This issue is mitigated by setting the SMM_BWP bit in the BIOS
> > Control Register along with setting BIOS Lock Enable (BLE) and
> > clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the
> > processor to be in SMM in order to honor writes to the BIOS region
> > of SPI flash, thereby mitigating the issue.
>
> So in theory all recent BIOSes should set SMM_BWP. Whether they
> actually do it can be checked with Chipsec[4].
>
> For more background see [2] and [3]
>
> [1] https://www.kb.cert.org/vuls/id/766164
>
> [2]
> http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SPI%20Flash%20Protection%20Mechanisms.pdf
>
> [3]
> http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf
>
> [4]
> https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_wp.py
> --
> WBR,
> Igor                            mailto:roxfan at skynet.be
>
>
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
>
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170702/c2e5f092/attachment.html>


More information about the coreboot mailing list