[coreboot] x86 SMM handler Local APIC assumptions

Andrew Cooper andrew.cooper3 at citrix.com
Tue Jul 24 22:39:46 CEST 2018


While looking at some code, I noticed that twice (once in asm, and again
later in C), the SMM handler assumes that 0xfee00020 is the APIC_ID
register in the xAPIC MMIO window.

This isn't true if the OS has moved the MMIO window, or switched to
x2apic mode (on supporting hardware).

As a result, it looks like it's rather easy to feed a kernel-controlled
value into Coreboot's idea of its Local APIC id, which can either be the
same on all cores (reuse of the same stack) or wildly out of range
(albeit, at least bounded to 255).

To fix, I'd expect Coreboot to read MSR_APIC_BASE, and either cope with
x2apic mode (which is surely easier than switching APIC mode, as you've
got to cycle through off to switch back to xAPIC mode), or
save/remap/restore the APIC MMIO window.

Without paging, you can't address an APIC MMIO window above the 4G boundary.

Is this something you care about?
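The contrast Andrew describes, as an added worked example that is not part of the post and not coreboot's own code: a "naive" reader that always dereferences 0xfee00020, beside a reader that follows IA32_APIC_BASE (MSR 0x1B), checking the EXTD bit (bit 10) for x2APIC mode, taking the window base from bits 12..MAXPHYADDR-1 in xAPIC mode, and refusing a window that sits above 4G rather than pretending to read it. Because rdmsr and MMIO access need ring 0, the CPU state is a constructed stand-in (struct sim_cpu, the sim_* helpers, the scenario_* constructors and the relocation address 0xfec10000 are all assumptions made for this example); the bit layout of IA32_APIC_BASE and MSR 0x802 are the architectural definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define APIC_BASE_EXTD          (1ULL << 10)   /* IA32_APIC_BASE: x2APIC mode enabled */
#define APIC_BASE_EN            (1ULL << 11)   /* IA32_APIC_BASE: xAPIC global enable */
#define APIC_DEFAULT_MMIO_BASE  0xfee00000ULL  /* the address the SMM handler hard-codes */
#define APIC_ID_OFFSET          0x20U          /* APIC ID register, xAPIC mode */
#define FOUR_GB                 0x100000000ULL

/* Constructed stand-in for what an SMM handler would see on entry; real code
 * would use rdmsr(0x1B), rdmsr(0x802) and a 32-bit MMIO read instead. */
struct sim_cpu {
    uint64_t apic_base_msr;    /* rdmsr(IA32_APIC_BASE) */
    uint8_t  maxphyaddr;       /* CPUID 0x80000008 EAX[7:0] */
    uint32_t x2apic_id;        /* rdmsr(IA32_X2APIC_APICID, 0x802) */
    uint64_t mmio_window;      /* physical page the xAPIC currently decodes */
    uint32_t xapic_id_reg;     /* 32-bit contents of window + 0x20 */
    uint32_t stale_at_default; /* whatever RAM now holds at 0xfee00020 */
};

/* The xAPIC page only answers at its current window, and only in xAPIC mode.
 * Any other read of 0xfee00020 hits ordinary (kernel-controlled) memory. */
static uint32_t sim_mmio_read32(const struct sim_cpu *cpu, uint64_t pa)
{
    bool xapic_live = (cpu->apic_base_msr & APIC_BASE_EN) &&
                      !(cpu->apic_base_msr & APIC_BASE_EXTD);
    if (xapic_live && pa == cpu->mmio_window + APIC_ID_OFFSET)
        return cpu->xapic_id_reg;
    if (pa == APIC_DEFAULT_MMIO_BASE + APIC_ID_OFFSET)
        return cpu->stale_at_default;
    return 0xffffffffU;
}

/* The assumption the post describes: the ID is always at 0xfee00020, bits 31:24. */
static uint32_t naive_apic_id(const struct sim_cpu *cpu)
{
    return sim_mmio_read32(cpu, APIC_DEFAULT_MMIO_BASE + APIC_ID_OFFSET) >> 24;
}

enum apic_status { APIC_OK = 0, APIC_ERR_DISABLED = -1, APIC_ERR_ABOVE_4G = -2 };

/* Follow IA32_APIC_BASE: x2APIC ID comes from an MSR, xAPIC ID from the
 * window the MSR actually names, which must be below 4G to reach it unpaged. */
static int robust_apic_id(const struct sim_cpu *cpu, uint32_t *id)
{
    uint64_t msr = cpu->apic_base_msr;
    if (!(msr & APIC_BASE_EN))
        return APIC_ERR_DISABLED;
    if (msr & APIC_BASE_EXTD) {
        *id = cpu->x2apic_id;          /* full 32-bit ID, no MMIO involved */
        return APIC_OK;
    }
    uint64_t mask = (cpu->maxphyaddr >= 64) ? ~0xfffULL
                  : ((1ULL << cpu->maxphyaddr) - 1) & ~0xfffULL;
    uint64_t base = msr & mask;
    if (base + 0x1000 > FOUR_GB)
        return APIC_ERR_ABOVE_4G;      /* caller must map or remap, not guess */
    *id = sim_mmio_read32(cpu, base + APIC_ID_OFFSET) >> 24;
    return APIC_OK;
}

/* Scenarios (constructed): real ID is 3 unless stated; 0x05000000 is left at
 * the default address so the naive reader reports "5" when it is wrong. */
struct sim_cpu scenario_default(void)
{
    return (struct sim_cpu){ APIC_DEFAULT_MMIO_BASE | APIC_BASE_EN, 36, 0,
                             APIC_DEFAULT_MMIO_BASE, 3U << 24, 0x05000000U };
}
struct sim_cpu scenario_relocated(void)   /* OS moved the window to 0xfec10000 */
{
    return (struct sim_cpu){ 0xfec10000ULL | APIC_BASE_EN, 36, 0,
                             0xfec10000ULL, 3U << 24, 0x05000000U };
}
struct sim_cpu scenario_x2apic(void)      /* x2APIC mode, ID 300 (> 255) */
{
    return (struct sim_cpu){ APIC_DEFAULT_MMIO_BASE | APIC_BASE_EN | APIC_BASE_EXTD,
                             36, 300, 0, 0, 0x05000000U };
}
struct sim_cpu scenario_above_4g(void)    /* window at 4G, unreachable without paging */
{
    return (struct sim_cpu){ FOUR_GB | APIC_BASE_EN, 36, 0,
                             FOUR_GB, 3U << 24, 0x05000000U };
}

int main(void)
{
    struct sim_cpu cpus[] = { scenario_default(), scenario_relocated(),
                              scenario_x2apic(), scenario_above_4g() };
    const char *names[] = { "default", "relocated", "x2apic", "above-4G" };
    for (int i = 0; i < 4; i++) {
        uint32_t id = 0;
        int rc = robust_apic_id(&cpus[i], &id);
        printf("%-9s naive=%u robust=%s%u\n", names[i], naive_apic_id(&cpus[i]),
               rc == APIC_OK ? "" : "ERR ", rc == APIC_OK ? id : (uint32_t)-rc);
    }
    return 0;
}
```

The relocated and x2APIC cases are the kernel-controlled value the post warns about: the naive reader returns whatever the OS left at 0xfee00020 and cannot tell the difference, and even in x2APIC mode it squashes a perfectly valid ID of 300 into an 8-bit field. The above-4G case is the reason the robust reader returns an error instead of an ID: without paging the handler has no way to reach that window, so it has to remap or fail loudly rather than read a wrong address.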


