Again, I don't want to pretend this idea is general. Moving SMM to a linux-as-ramfs payload might work on a small number of servers where we have lots of control and not much variety. But thanks for the note Melvin.
On Sat, Jul 1, 2017 at 6:39 PM Melvin Walker via coreboot <[email protected]> wrote:

> I'll correct my own statement. I think my understanding was from a
> misinterpretation from some marketing material. Only the authentication
> happens in the ACM, not the flash write.
>
> On Saturday, July 1, 2017 7:56 PM, Melvin Walker via coreboot
> <[email protected]> wrote:
>
> I don't have a computer with BIOS Guard, but doesn't that move flash
> writes to BIOS_ACM instead of SMM
>
> Melvin
>
> On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot
> <[email protected]> wrote:
>
> Hello ron,
>
> Friday, June 30, 2017, 6:25:06 AM, you wrote:
>
> rm> there's something I am certain I don't understand about SMM on intel chipsets.
> rm> The question is pretty simple. Consider a system with a recent
> rm> intel chipset and flash. Is there some special secret sauce that
> rm> disables writing to flash unless in SMM and if so, what is it?
>
> Originally there were two bits in BIOS_CNTL used to effectively enable
> this[1]:
>
> > When BIOS_CNTL.BLE is set to 1, attempts to write enable the BIOS by
> > setting BIOS_CNTL.BIOSWE to 1 will immediately generate a System
> > Management Interrupt (SMI). It is the job of this SMI to determine
> > whether or not it is permissible to write enable to the BIOS, and if
> > not, immediately set BIOS_CNTL.BIOSWE back to 0; the end result being
> > that the BIOS is not writable.
>
> As described in the link, this logic is vulnerable to race conditions,
> so Intel added yet another bit:
>
> > This issue is mitigated by setting the SMM_BWP bit in the BIOS
> > Control Register along with setting BIOS Lock Enable (BLE) and
> > clearing BIOS Write Enable (BIOSWE). The SMM_BWP bit requires the
> > processor to be in SMM in order to honor writes to the BIOS region
> > of SPI flash, thereby mitigating the issue.
>
> So in theory all recent BIOSes should set SMM_BWP. Whether they
> actually do it can be checked with Chipsec[4].
>
> For more background see [2] and [3]
>
> [1] https://www.kb.cert.org/vuls/id/766164
> [2] http://opensecuritytraining.info/IntroBIOS_files/Day2_03_Advanced%20x86%20-%20BIOS%20and%20SMM%20Internals%20-%20SPI%20Flash%20Protection%20Mechanisms.pdf
> [3] http://composter.com.ua/documents/Exploiting_Flash_Protection_Race_Condition.pdf
> [4] https://github.com/chipsec/chipsec/blob/master/chipsec/modules/common/bios_wp.py
>
> --
> WBR,
> Igor mailto:[email protected]
>
> --
> coreboot mailing list: [email protected]
> https://mail.coreboot.org/mailman/listinfo/coreboot
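The state the quoted advisory text recommends (BLE set, BIOSWE clear, SMM_BWP set) can be checked from a raw BIOS_CNTL byte. The following is an added example, not part of the thread and not Chipsec's code; the bit positions and the 0xDC config-space offset are taken from Intel PCH datasheets rather than from the messages above, and the sample values in the test are constructed.

```python
# BIOS_CNTL bit positions per Intel PCH datasheets (assumption: the thread
# names the bits but does not give their positions).
BIOSWE = 1 << 0    # BIOS Write Enable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honored only in SMM

# Assumption: BIOS_CNTL offset in the LPC bridge's PCI config space.
BIOS_CNTL_OFFSET = 0xDC


def bios_cntl_from_config(cfg, offset=BIOS_CNTL_OFFSET):
    """Extract the BIOS_CNTL byte from a raw PCI config-space dump."""
    if len(cfg) <= offset:
        raise ValueError("config dump too short to contain BIOS_CNTL")
    return cfg[offset]


def assess_bios_cntl(value):
    """Return (verdict, reasons) for a raw BIOS_CNTL byte.

    verdict is one of:
      'unprotected'   - BLE clear, BIOSWE can be set without any SMI
      'racy'          - BLE set but SMM_BWP clear (SMI handler must win a race)
      'write-enabled' - BLE and SMM_BWP set, but BIOSWE is not cleared
      'smm-only'      - BLE set, BIOSWE clear, SMM_BWP set
    """
    reasons = []
    if not value & BLE:
        reasons.append("BLE clear: setting BIOSWE does not trigger an SMI")
    if not value & SMM_BWP:
        reasons.append("SMM_BWP clear: flash writes are honored outside SMM")
    if value & BIOSWE:
        reasons.append("BIOSWE set: BIOS region is write-enabled")

    if not value & BLE:
        verdict = "unprotected"
    elif not value & SMM_BWP:
        verdict = "racy"
    elif value & BIOSWE:
        verdict = "write-enabled"
    else:
        verdict = "smm-only"
    return verdict, reasons
```

On a live system the register contents would come from a tool such as Chipsec, as Igor's message suggests.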

