[coreboot] x86 SMM handler Local APIC assumptions

Andrew Cooper andrew.cooper3 at citrix.com
Tue Aug 28 20:49:00 CEST 2018 

For a security boundary, the question is "what can an OS potentially
do", not "what do we expect it to do".

Modification of the APIC_ID register is model specific, but prohibited
by the x2APIC spec.  I presume that the SMM entry straps disambiguate by
the initial APIC ID, which is fixed, but I don't know for sure.

Since sending this email, I've come to the conclusion that deriving the
stack from the entry strap is probably a safer option than trying to
use/parse/modify the APIC.

As for x2APIC, any system with >254 cpus needs x2APIC (and Interrupt
Remapping) for the OS to be able to perform symmetric interrupt
handling, but OSes will turn it on if available, because it has a better
programming model (no waiting on status bits), and is easier to virtualise.

~Andrew

On 28/08/18 19:37, Lance Zhao wrote:
> Without x2apic mode, APIC_ID register will not be moved by OS. Those
> address normally had been tagged as reserved and will not be touched.
> I believe that x2apic will apply for processors number more than 255,
> so majority cases in coreboot didn't touch that area yet.
>
>
> On Tue, Aug 28, 2018 at 7:50 AM Andrew Cooper
> <andrew.cooper3 at citrix.com <mailto:andrew.cooper3 at citrix.com>> wrote:
>
>     Hello,
>
>     While looking at some code, I noticed that twice (once in asm, and
>     again
>     later in C), the SMM handler assumes that 0xfee00020 is the APIC_ID
>     reigster in the xAPIC MMIO window.
>
>     This isn't true if the OS has moved the MMIO window, or switched to
>     x2apic mode (on supporting hardware).
>
>     As a result, it looks like its rather easy to feed a kernel-controlled
>     value into Coreboot's idea of its Local APIC id, which can either
>     be the
>     same on all cores (reuse of the same stack) or wildly out of range
>     (albeit, at least bounded to 255).
>
>     To fix, I'd expect Coreboot to read MSR_APIC_BASE, and either cope
>     with
>     x2apic mode (which is surely easier than switching APIC mode, as
>     you've
>     got to cycle through off to switch back to xAPIC mode), or
>     save/remap/restore the APIC MMIO window.
>
>     Without paging, you can't address an APIC MMIO window above the 4G
>     boundary.
>
>     Is this something you care about?
>
>     Thanks,
>
>     ~Andrew
>
>     -- 
>     coreboot mailing list: coreboot at coreboot.org
>     <mailto:coreboot at coreboot.org>
>     https://mail.coreboot.org/mailman/listinfo/coreboot
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20180828/841e7708/attachment.html>

More information about the coreboot mailing list