[coreboot] SPI controller and Lock bits

Lance Zhao lance.zhao at gmail.com
Thu Sep 27 18:24:20 CEST 2018

Okay, then I believe we should leave the decision on CONFIG instead of
force lockdown blindly. As of now, that's still optional I believe.

On Thu, Sep 27, 2018 at 3:49 AM Nico Huber <nico.huber at secunet.com> wrote:

> Am 26.09.18 um 22:26 schrieb Lance Zhao:
> > I am reading the "flash security recommendation"  from PCH BIOS writer
> > guide now, it did say strongly recommend to take those actions. The EISS
> > feature to ensure BIOS region can only get modfiyed from SMM.
> The EISS bit is a highly questionable feature. It's part of the lost
> cause of security by treating SMM more privileged than the OS. AFAIK,
> coreboot vendors have secured flash access properly in the past without
> SMM features and never failed [1]. OTOH, UEFI vendors often granted SMM
> full flash access in the past and failed to secure SMM [2].
> To my knowledge, EISS is incompatible to vboot btw. (not by design but
> to the current implementation).
> So I "strongly recommend" to ignore Intel's SMM recommendations wrt.
> flash access and recommend instead to never grant SMM more privileges
> than the OS.
> Nico
> [1] At least since the introduction of SPI flash chips. Earlier there
>     were possible race conditions regarding the BIOS Write Enable bit
>     where you needed SMM for protection, or had to use the flash chip's
>     own security features. But that was before/maybe why EISS became a
>     feature.
> [2] e.g.  https://github.com/Cr4sh/ThinkPwn  (the list of vulnerable
>     systems is long and incomplete)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20180927/0622b485/attachment.html>

More information about the coreboot mailing list