[coreboot] SPI controller and Lock bits
nico.huber at secunet.com
Thu Sep 27 12:49:10 CEST 2018
On 26.09.18 at 22:26, Lance Zhao wrote:
> I am reading the "flash security recommendation" from the PCH BIOS writer's
> guide now; it does strongly recommend taking those actions. The EISS
> feature is there to ensure the BIOS region can only get modified from SMM.
The EISS bit is a highly questionable feature. It's part of the lost
cause of security by treating SMM as more privileged than the OS. AFAIK,
coreboot vendors have secured flash access properly in the past without
SMM features and never failed [1]. OTOH, UEFI vendors often granted SMM
full flash access in the past and failed to secure SMM [2].

To my knowledge, EISS is incompatible with vboot btw. (not by design but
due to the current implementation).

So I "strongly recommend" to ignore Intel's SMM recommendations wrt.
flash access and recommend instead to never grant SMM more privileges
than the OS.

[1] At least since the introduction of SPI flash chips. Earlier there
were possible race conditions regarding the BIOS Write Enable bit
where you needed SMM for protection, or had to use the flash chip's
own security features. But that was before/maybe why EISS became a

[2] e.g. https://github.com/Cr4sh/ThinkPwn (the list of vulnerable
systems is long and incomplete)
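To make the distinction in this thread concrete, here is an added example (my own code, not part of the thread or of coreboot) that classifies how a PCH protects its BIOS region from the lock bits under discussion: whether protection rests on the SPI controller's FLOCKDN plus Protected Range registers, which need no SMM, or on BIOSWE/BLE/EISS, which hand the job to SMM. Bit positions (BIOSWE bit 0, BLE bit 1, SMM_BWP/EISS bit 5 of BIOS_CNTL; FLOCKDN bit 15 of HSFS) and the sample register values are assumptions taken from public chipset documentation and differ between generations.

```python
# Added example, not from the thread. Bit positions are assumptions drawn
# from public ICH/PCH register layouts; verify them against your datasheet.
from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS Write Enable: BIOS region writable right now
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM_BWP / EISS: BIOSWE may only be set while in SMM
FLOCKDN = 1 << 15  # HSFS Flash Configuration Lock-Down: PRx are immutable


@dataclass
class ProtectedRange:
    """One PRx register: flash-linear [base, limit] and its write-protect bit."""
    base: int
    limit: int
    write_protect: bool


def bios_region_covered(prs, bios_base, bios_limit):
    """True if every byte of the BIOS region lies inside a write-protected PR."""
    covered = sorted((p.base, p.limit) for p in prs if p.write_protect)
    pos = bios_base  # first address not yet known to be protected
    for base, limit in covered:
        if base > pos:           # gap before this range: region not fully covered
            return False
        pos = max(pos, limit + 1)
        if pos > bios_limit:
            return True
    return pos > bios_limit


def classify(bios_cntl, hsfs, prs, bios_base, bios_limit):
    """Describe what the BIOS-region write protection actually rests on."""
    # Controller-enforced: PRx cover the region and FLOCKDN freezes them.
    if hsfs & FLOCKDN and bios_region_covered(prs, bios_base, bios_limit):
        return "locked by SPI controller (no SMM needed)"
    if bios_cntl & BIOSWE:
        return "BIOS region currently writable"
    # EISS/SMM_BWP: only SMM can flip BIOSWE, so SMM code is the gatekeeper.
    if bios_cntl & SMM_BWP and bios_cntl & BLE:
        return "SMM-only writes (EISS): protection rests on SMM"
    # BLE alone: an SMI handler must clear BIOSWE again, the racy scheme.
    if bios_cntl & BLE:
        return "SMI on write-enable: protection rests on the SMM handler (racy)"
    return "unprotected"
```

Run it against values read with your usual tooling; the first branch is the configuration coreboot boards rely on, the two SMM branches are the ones the thread argues against.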