[coreboot] SPI controller and Lock bits
lance.zhao at gmail.com
Thu Sep 27 18:24:20 CEST 2018
Okay, then I believe we should leave the decision on CONFIG instead of
force lockdown blindly. As of now, that's still optional I believe.
On Thu, Sep 27, 2018 at 3:49 AM Nico Huber <nico.huber at secunet.com> wrote:
> Am 26.09.18 um 22:26 schrieb Lance Zhao:
> > I am reading the "flash security recommendation" from PCH BIOS writer
> > guide now, it did say strongly recommend to take those actions. The EISS
> > feature to ensure BIOS region can only get modified from SMM.
> The EISS bit is a highly questionable feature. It's part of the lost
> cause of security by treating SMM more privileged than the OS. AFAIK,
> coreboot vendors have secured flash access properly in the past without
> SMM features and never failed [1]. OTOH, UEFI vendors often granted SMM
> full flash access in the past and failed to secure SMM [2].
> To my knowledge, EISS is incompatible with vboot btw. (not by design but
> due to the current implementation).
> So I "strongly recommend" to ignore Intel's SMM recommendations wrt.
> flash access and recommend instead to never grant SMM more privileges
> than the OS.
> [1] At least since the introduction of SPI flash chips. Earlier there
> were possible race conditions regarding the BIOS Write Enable bit
> where you needed SMM for protection, or had to use the flash chip's
> own security features. But that was before/maybe why EISS became a
> [2] e.g. https://github.com/Cr4sh/ThinkPwn (the list of vulnerable
> systems is long and incomplete)