Hi all,

When using chipsec ( https://github.com/chipsec/chipsec ) to analyse
possible vulnerabilities inside coreboot systems, I noticed that on
several Intel-based systems running coreboot (e.g.
https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-gb08d73b845/2017-08-01T23_05_52Z
), several registers on the PCIe root complex (host bridge) are not
locked, while they are locked on the same system running OEM firmware.

Digging into the source code, I found a function defined inside
${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge,
haswell}/finalize.c to lock these registers, but this function will only
be called if #SMI APM_CNT gets triggered with a certain parameter. (The
handler of #SMI APM_CNT is usually defined as function
"southbridge_smi_apmc" inside
${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or
${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the
lockdown function will be called with parameter register APM_CNT ==
APM_CNT_FINALIZE.)

That these registers are left unlocked indicates that #SMI APM_CNT is
never triggered with APM_CNT == APM_CNT_FINALIZE during boot. I would
like to ask when the #SMI APM_CNT is expected to be triggered
with APM_CNT == APM_CNT_FINALIZE, and which component of the system
(e.g. coreboot, payload, or OS kernel) is responsible for the triggering?

Thanks.

Persmule

[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[-] PCI0.0.0_BDSM        = 0x00000000C0A00000 - UNLOCKED - Base of Graphics Stolen Memory
[-] PCI0.0.0_BGSM        = 0x00000000C0800000 - UNLOCKED - Base of GTT Stolen Memory
[-] PCI0.0.0_DPR         = 0x00000000C0000000 - UNLOCKED - DMA Protected Range
[-] PCI0.0.0_GGC         = 0x0000000000000238 - UNLOCKED - Graphics Control
[+] PCI0.0.0_MESEG_MASK  = 0x0000007FFE000C00 - LOCKED   - Manageability Engine Limit Address Register
[-] PCI0.0.0_PAVPC       = 0x0000000000000000 - UNLOCKED - PAVP Configuration
[-] PCI0.0.0_REMAPBASE   = 0x00000003FE000000 - UNLOCKED - Memory Remap Base Address
[-] PCI0.0.0_REMAPLIMIT  = 0x000000042F500000 - UNLOCKED - Memory Remap Limit Address
[-] PCI0.0.0_TOLUD       = 0x00000000CEA00000 - UNLOCKED - Top of Low Usable DRAM
[-] PCI0.0.0_TOM         = 0x0000000400000000 - UNLOCKED - Top of Memory
[-] PCI0.0.0_TOUUD       = 0x000000042F600000 - UNLOCKED - Top of Upper Usable DRAM
[-] PCI0.0.0_TSEGMB      = 0x00000000C0000000 - UNLOCKED - TSEG Memory Base
[-] FAILED: Not all memory map registers are locked down

[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[+] PCI0.0.0_BDSM        = 0x00000000DBA00001 - LOCKED   - Base of Graphics Stolen Memory
[+] PCI0.0.0_BGSM        = 0x00000000DB800001 - LOCKED   - Base of GTT Stolen Memory
[+] PCI0.0.0_DPR         = 0x00000000DB000001 - LOCKED   - DMA Protected Range
[+] PCI0.0.0_GGC         = 0x0000000000000211 - LOCKED   - Graphics Control
[+] PCI0.0.0_MESEG_MASK  = 0x0000007FFE000C00 - LOCKED   - Manageability Engine Limit Address Register
[+] PCI0.0.0_PAVPC       = 0x00000000DF900007 - LOCKED   - PAVP Configuration
[+] PCI0.0.0_REMAPBASE   = 0x0000000100000001 - LOCKED   - Memory Remap Base Address
[+] PCI0.0.0_REMAPLIMIT  = 0x000000011E500001 - LOCKED   - Memory Remap Limit Address
[+] PCI0.0.0_TOLUD       = 0x00000000DFA00001 - LOCKED   - Top of Low Usable DRAM
[+] PCI0.0.0_TOM         = 0x0000000100000001 - LOCKED   - Top of Memory
[+] PCI0.0.0_TOUUD       = 0x000000011E600001 - LOCKED   - Top of Upper Usable DRAM
[+] PCI0.0.0_TSEGMB      = 0x00000000DB000001 - LOCKED   - TSEG Memory Base
[+] PASSED: All memory map registers seem to be locked down
-- 
coreboot mailing list: [email protected]
https://mail.coreboot.org/mailman/listinfo/coreboot
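
The comparison made in the message above (same board, two firmware images, two chipsec.modules.memconfig runs) can be automated. The following is an added example, not part of the original post or of chipsec: it parses the register lines in the layout shown in the two listings and reports every register that is locked in a baseline run but not in the run under test. The function names are hypothetical, the sample input is an excerpt of the listings above, and treating the first listing as the coreboot run and the second as the OEM run is an assumption.

```python
import re

# One register line of chipsec.modules.memconfig output, in the layout of the listings above.
LINE_RE = re.compile(
    r"^\[(?P<mark>[+-])\]\s+(?P<reg>PCI\S+)\s+=\s+(?P<val>0x[0-9A-Fa-f]+)"
    r"\s+-\s+(?P<state>LOCKED|UNLOCKED)\s+-\s+(?P<desc>.+)$"
)

def parse_memconfig(text):
    """Return {register: (value, locked)} for every register line of one run."""
    regs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # banner, separator and PASSED/FAILED lines do not match
            regs[m["reg"]] = (int(m["val"], 16), m["state"] == "LOCKED")
    return regs

def lock_regressions(baseline, candidate):
    """Registers locked in the baseline run but unlocked (or missing) in the candidate."""
    base, cand = parse_memconfig(baseline), parse_memconfig(candidate)
    return sorted(reg for reg, (_, locked) in base.items()
                  if locked and not cand.get(reg, (0, False))[1])

# Excerpt of the first listing above (assumed here to be the coreboot run).
COREBOOT_RUN = """\
[*] running module: chipsec.modules.memconfig
[-] PCI0.0.0_BDSM        = 0x00000000C0A00000 - UNLOCKED - Base of Graphics Stolen Memory
[+] PCI0.0.0_MESEG_MASK  = 0x0000007FFE000C00 - LOCKED   - Manageability Engine Limit Address Register
[-] PCI0.0.0_TOLUD       = 0x00000000CEA00000 - UNLOCKED - Top of Low Usable DRAM
[-] PCI0.0.0_TSEGMB      = 0x00000000C0000000 - UNLOCKED - TSEG Memory Base
[-] FAILED: Not all memory map registers are locked down
"""

# Excerpt of the second listing above (assumed here to be the OEM firmware run).
OEM_RUN = """\
[*] running module: chipsec.modules.memconfig
[+] PCI0.0.0_BDSM        = 0x00000000DBA00001 - LOCKED   - Base of Graphics Stolen Memory
[+] PCI0.0.0_MESEG_MASK  = 0x0000007FFE000C00 - LOCKED   - Manageability Engine Limit Address Register
[+] PCI0.0.0_TOLUD       = 0x00000000DFA00001 - LOCKED   - Top of Low Usable DRAM
[+] PCI0.0.0_TSEGMB      = 0x00000000DB000001 - LOCKED   - TSEG Memory Base
[+] PASSED: All memory map registers seem to be locked down
"""

if __name__ == "__main__":
    for reg in lock_regressions(OEM_RUN, COREBOOT_RUN):
        print(f"{reg}: locked in baseline, unlocked in run under test")
```

Run against full logs from both firmware images, an empty result means the image under test locks everything the baseline does.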
