[coreboot] SPI controller and Lock bits

Nico Huber nico.huber at secunet.com
Thu Sep 27 12:49:10 CEST 2018


Am 26.09.18 um 22:26 schrieb Lance Zhao:
> I am reading the "flash security recommendation"  from PCH BIOS writer
> guide now, it did say strongly recommend to take those actions. The EISS
> feature to ensure BIOS region can only get modfiyed from SMM.

The EISS bit is a highly questionable feature. It's part of the lost
cause of security by treating SMM more privileged than the OS. AFAIK,
coreboot vendors have secured flash access properly in the past without
SMM features and never failed [1]. OTOH, UEFI vendors often granted SMM
full flash access in the past and failed to secure SMM [2].

To my knowledge, EISS is incompatible to vboot btw. (not by design but
to the current implementation).

So I "strongly recommend" to ignore Intel's SMM recommendations wrt.
flash access and recommend instead to never grant SMM more privileges
than the OS.

Nico

[1] At least since the introduction of SPI flash chips. Earlier there
    were possible race conditions regarding the BIOS Write Enable bit
    where you needed SMM for protection, or had to use the flash chip's
    own security features. But that was before/maybe why EISS became a
    feature.
[2] e.g.  https://github.com/Cr4sh/ThinkPwn  (the list of vulnerable
    systems is long and incomplete)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xBD56B4A4138B3CE3.asc
Type: application/pgp-keys
Size: 5227 bytes
Desc: not available
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20180927/aa28c400/attachment.skr>


More information about the coreboot mailing list