Hi all,
I have just finished a fix for it and pushed it as
https://review.coreboot.org/#/c/21129/ .
The test result against an x230 with fixed coreboot is attached.
Best regards,
Persmule
On 2017-08-18 16:52, Nico Huber wrote:
> On 18.08.2017 09:20, Shawn wrote:
>> On Tue, Aug 15, 2017 at 1:04 PM, Persmule <[email protected]> wrote:
>>> Hi all,
>>>
>>> When using chipsec ( https://github.com/chipsec/chipsec ) to analyse
>>> possible vulnerabilities inside coreboot systems, I noticed that on
>>> several Intel-based systems running coreboot (e.g.
>>> https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-gb08d73b845/2017-08-01T23_05_52Z
>>> ), several registers on the PCIe root complex (host bridge) are not
>>> locked, while they are locked on the same system running OEM firmware.
>>>
>>> Digging into the source code, I found a function defined inside
>>> ${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge,
>>> haswell}/finalize.c to lock these registers, but this function will only
>>> be called if #SMI APM_CNT gets triggered with a certain parameter. ( The
>>> handler of #SMI APM_CNT is usually defined as function
>>> "southbridge_smi_apmc" inside
>>> ${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or
>>> ${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the
>>> lockdown function will be called with parameter register APM_CNT ==
>>> APM_CNT_FINALIZE.)
>>>
>>> That these registers are left unlocked indicates that #SMI APM_CNT is
>>> never triggered with APM_CNT == APM_CNT_FINALIZE during boot. I would
>>> like to ask when #SMI APM_CNT is expected to be triggered
>>> with APM_CNT == APM_CNT_FINALIZE, and which component of the system
>>> (e.g. coreboot, payload, or OS kernel) is responsible for triggering it?
> It should be triggered by coreboot or the payload, IMO. The original
> idea was to do it from the payload, I guess, because it wouldn't make
> much sense to gather all of this in the SMM handler otherwise.
>
>> It seems it will be triggered after S3, southbridge/intel/bd82x6x/lpc.c:
>>
>> static void lpc_final(struct device *dev)
>> {
>>     if (CONFIG_HAVE_SMI_HANDLER && acpi_is_wakeup_s3()) {
>>         /* Call SMM finalize() handlers before resume */
>>         outb(0xcb, 0xb2);
>>     }
>> }
>>
>> It's a bit weird. Those lock bits should be set at boot time.
> I guess it was originally called from the payload and thus had to be
> done by coreboot on the resume path (where no payload is called). AFAIK,
> coreboot also does it on the regular path for newer chipsets. A lot
> of people already stumbled upon this problem on Sandy Bridge but it
> seems nobody chose to do it in coreboot, yet.
>
>> Will
>> coreboot provide an option in the future?
> My oracle says yes. Though it's not specific about when or by whom it
> will be done. In other words: Patches are welcome.
>
> Nico
################################################################
## ##
## CHIPSEC: Platform Hardware Security Assessment Framework ##
## ##
################################################################
[CHIPSEC] Version 1.3.1h
[CHIPSEC] Arguments:
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] API mode: using CHIPSEC kernel module API
[CHIPSEC] OS : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64
[CHIPSEC] Platform: Mobile 3rd Generation Core Processor (Ivy Bridge CPU / Panther Point PCH)
[CHIPSEC] VID: 8086
[CHIPSEC] DID: 0154
[*] loading common modules from "/usr/lib/python2.7/dist-packages/chipsec/modules/common" ..
[+] loaded chipsec.modules.common.smrr
[+] loaded chipsec.modules.common.bios_smi
[+] loaded chipsec.modules.common.rtclock
[+] loaded chipsec.modules.common.spi_lock
[+] loaded chipsec.modules.common.ia32cfg
[+] loaded chipsec.modules.common.smm
[+] loaded chipsec.modules.common.spi_desc
[+] loaded chipsec.modules.common.bios_ts
[+] loaded chipsec.modules.common.spi_fdopss
[+] loaded chipsec.modules.common.bios_wp
[+] loaded chipsec.modules.common.bios_kbrd_buffer
[+] loaded chipsec.modules.common.secureboot.variables
[+] loaded chipsec.modules.common.uefi.s3bootscript
[+] loaded chipsec.modules.common.uefi.access_uefispec
[*] loading platform specific modules from "/usr/lib/python2.7/dist-packages/chipsec/modules/ivb" ..
[*] loading modules from "/usr/lib/python2.7/dist-packages/chipsec/modules" ..
[+] loaded chipsec.modules.remap
[+] loaded chipsec.modules.memconfig
[+] loaded chipsec.modules.smm_dma
[*] running loaded modules ..
[*] running module: chipsec.modules.common.smrr
[x][ =======================================================================
[x][ Module: CPU SMM Cache Poisoning / System Management Range Registers
[x][ =======================================================================
[+] OK. SMRR range protection is supported
[*] Checking SMRR range base programming..
[*] IA32_SMRR_PHYSBASE = 0xC0000006 << SMRR Base Address MSR (MSR 0x1F2)
[00] Type = 6 << SMRR memory type
[12] PhysBase = C0000 << SMRR physical base address
[*] SMRR range base: 0x00000000C0000000
[*] SMRR range memory type is Writeback (WB)
[+] OK so far. SMRR range base is programmed
[*] Checking SMRR range mask programming..
[*] IA32_SMRR_PHYSMASK = 0xFF800800 << SMRR Range Mask MSR (MSR 0x1F3)
[11] Valid = 1 << SMRR valid
[12] PhysMask = FF800 << SMRR address range mask
[*] SMRR range mask: 0x00000000FF800000
[+] OK so far. SMRR range is enabled
[*] Verifying that SMRR range base & mask are the same on all logical CPUs..
[CPU0] SMRR_PHYSBASE = 00000000C0000006, SMRR_PHYSMASK = 00000000FF800800
[CPU1] SMRR_PHYSBASE = 00000000C0000006, SMRR_PHYSMASK = 00000000FF800800
[CPU2] SMRR_PHYSBASE = 00000000C0000006, SMRR_PHYSMASK = 00000000FF800800
[CPU3] SMRR_PHYSBASE = 00000000C0000006, SMRR_PHYSMASK = 00000000FF800800
[+] OK so far. SMRR range base/mask match on all logical CPUs
[*] Trying to read memory at SMRR base 0xC0000000..
[+] PASSED: SMRR reads are blocked in non-SMM mode
[+] PASSED: SMRR protection against cache attack is properly configured
[*] running module: chipsec.modules.common.bios_smi
[x][ =======================================================================
[x][ Module: SMI Events Configuration
[x][ =======================================================================
[-] SMM BIOS region write protection has not been enabled (SMM_BWP is not used)
[*] Checking SMI enables..
Global SMI enable: 1
TCO SMI enable : 1
[+] All required SMI events are enabled
[*] Checking SMI configuration locks..
[+] TCO SMI configuration is locked (TCO SMI Lock)
[+] SMI events global configuration is locked (SMI Lock)
[+] PASSED: All required SMI sources seem to be enabled and locked
[*] running module: chipsec.modules.common.rtclock
[x][ =======================================================================
[x][ Module: Protected RTC memory locations
[x][ =======================================================================
[*] RC = 0x00000004 << RTC Configuration (RCBA + 0x3400)
[02] UE = 1 << Upper 128 Byte Enable
[03] LL = 0 << Lower 128 Byte Lock
[04] UL = 0 << Upper 128 Byte Lock
[-] Protected bytes (0x38-0x3F) in low 128-byte bank of RTC memory are not locked
[-] Protected bytes (0x38-0x3F) in high 128-byte bank of RTC memory are not locked
[!] WARNING: Protected locations in RTC memory are accessible (BIOS may not be using them)
[*] running module: chipsec.modules.common.spi_lock
[x][ =======================================================================
[x][ Module: SPI Flash Controller Configuration Lock
[x][ =======================================================================
[*] HSFS = 0xE008 << Hardware Sequencing Flash Status Register (SPIBAR + 0x4)
[00] FDONE = 0 << Flash Cycle Done
[01] FCERR = 0 << Flash Cycle Error
[02] AEL = 0 << Access Error Log
[03] BERASE = 1 << Block/Sector Erase Size
[05] SCIP = 0 << SPI cycle in progress
[13] FDOPSS = 1 << Flash Descriptor Override Pin-Strap Status
[14] FDV = 1 << Flash Descriptor Valid
[15] FLOCKDN = 1 << Flash Configuration Lock-Down
[+] PASSED: SPI Flash Controller configuration is locked
[*] running module: chipsec.modules.common.ia32cfg
[x][ =======================================================================
[x][ Module: IA32 Feature Control Lock
[x][ =======================================================================
[*] Verifying IA32_Feature_Control MSR is locked on all logical CPUs..
[*] cpu0: IA32_Feature_Control Lock = 1
[*] cpu1: IA32_Feature_Control Lock = 1
[*] cpu2: IA32_Feature_Control Lock = 1
[*] cpu3: IA32_Feature_Control Lock = 1
[+] PASSED: IA32_FEATURE_CONTROL MSR is locked on all logical CPUs
[*] running module: chipsec.modules.common.smm
[x][ =======================================================================
[x][ Module: Compatible SMM memory (SMRAM) Protection
[x][ =======================================================================
[*] PCI0.0.0_SMRAMC = 0x1A << System Management RAM Control (b:d.f 00:00.0 + 0x88)
[00] C_BASE_SEG = 2 << SMRAM Base Segment = 010b
[03] G_SMRAME = 1 << SMRAM Enabled
[04] D_LCK = 1 << SMRAM Locked
[05] D_CLS = 0 << SMRAM Closed
[06] D_OPEN = 0 << SMRAM Open
[*] Compatible SMRAM is enabled
[+] PASSED: Compatible SMRAM is locked down
[*] running module: chipsec.modules.common.spi_desc
[x][ =======================================================================
[x][ Module: SPI Flash Region Access Control
[x][ =======================================================================
[*] FRAP = 0x0000FFFF << SPI Flash Regions Access Permissions Register (SPIBAR + 0x50)
[00] BRRA = FF << BIOS Region Read Access
[08] BRWA = FF << BIOS Region Write Access
[16] BMRAG = 0 << BIOS Master Read Access Grant
[24] BMWAG = 0 << BIOS Master Write Access Grant
[*] Software access to SPI flash regions: read = 0xFF, write = 0xFF
[-] Software has write access to SPI flash descriptor
[-] FAILED: SPI flash permissions allow SW to write flash descriptor
[*] running module: chipsec.modules.common.bios_ts
[x][ =======================================================================
[x][ Module: BIOS Interface Lock (including Top Swap Mode)
[x][ =======================================================================
[*] BiosInterfaceLockDown (BILD) control = 1
[*] BIOS Top Swap mode is disabled (TSS = 0)
[*] RTC TopSwap control (TS) = 0
[+] PASSED: BIOS Interface is locked (including Top Swap Mode)
[*] running module: chipsec.modules.common.spi_fdopss
[x][ =======================================================================
[x][ Module: SPI Flash Descriptor Security Override Pin-Strap
[x][ =======================================================================
[*] HSFS = 0xE008 << Hardware Sequencing Flash Status Register (SPIBAR + 0x4)
[00] FDONE = 0 << Flash Cycle Done
[01] FCERR = 0 << Flash Cycle Error
[02] AEL = 0 << Access Error Log
[03] BERASE = 1 << Block/Sector Erase Size
[05] SCIP = 0 << SPI cycle in progress
[13] FDOPSS = 1 << Flash Descriptor Override Pin-Strap Status
[14] FDV = 1 << Flash Descriptor Valid
[15] FLOCKDN = 1 << Flash Configuration Lock-Down
[+] PASSED: SPI Flash Descriptor Security Override is disabled
[*] running module: chipsec.modules.common.bios_wp
[x][ =======================================================================
[x][ Module: BIOS Region Write Protection
[x][ =======================================================================
[*] BC = 0x09 << BIOS Control (b:d.f 00:31.0 + 0xDC)
[00] BIOSWE = 1 << BIOS Write Enable
[01] BLE = 0 << BIOS Lock Enable
[02] SRC = 2 << SPI Read Configuration
[04] TSS = 0 << Top Swap Status
[05] SMM_BWP = 0 << SMM BIOS Write Protection
[-] BIOS region write protection is disabled!
[*] BIOS Region: Base = 0x00020000, Limit = 0x00BFFFFF
SPI Protected Ranges
------------------------------------------------------------
PRx (offset) | Value | Base | Limit | WP? | RP?
------------------------------------------------------------
PR0 (74) | 00000000 | 00000000 | 00000000 | 0 | 0
PR1 (78) | 00000000 | 00000000 | 00000000 | 0 | 0
PR2 (7C) | 00000000 | 00000000 | 00000000 | 0 | 0
PR3 (80) | 00000000 | 00000000 | 00000000 | 0 | 0
PR4 (84) | 00000000 | 00000000 | 00000000 | 0 | 0
[!] None of the SPI protected ranges write-protect BIOS region
[!] BIOS should enable all available SMM based write protection mechanisms or configure SPI protected ranges to protect the entire BIOS region
[-] FAILED: BIOS is NOT protected completely
[*] running module: chipsec.modules.common.bios_kbrd_buffer
[x][ =======================================================================
[x][ Module: Pre-boot Passwords in the BIOS Keyboard Buffer
[x][ =======================================================================
[*] Keyboard buffer head pointer = 0x1E (at 0x41A), tail pointer = 0x1E (at 0x41C)
[*] Keyboard buffer contents (at 0x41E):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
[*] Checking contents of the keyboard buffer..
[+] PASSED: Keyboard buffer looks empty. Pre-boot passwords don't seem to be exposed
[*] running module: chipsec.modules.common.secureboot.variables
[*] SKIPPED: OS does not support UEFI Runtime API
Skipping module chipsec.modules.common.secureboot.variables since it is not supported in this platform
[*] running module: chipsec.modules.common.uefi.s3bootscript
[*] SKIPPED: OS does not support UEFI Runtime API
Skipping module chipsec.modules.common.uefi.s3bootscript since it is not supported in this platform
[*] running module: chipsec.modules.common.uefi.access_uefispec
[*] SKIPPED: OS does not support UEFI Runtime API
Skipping module chipsec.modules.common.uefi.access_uefispec since it is not supported in this platform
[*] running module: chipsec.modules.remap
[x][ =======================================================================
[x][ Module: Memory Remapping Configuration
[x][ =======================================================================
[*] Registers:
[*] TOUUD : 0x000000013B600001
[*] REMAPLIMIT: 0x000000013B500001
[*] REMAPBASE : 0x0000000100000001
[*] TOLUD : 0xC2A00001
[*] TSEGMB : 0xC0000001
[*] Memory Map:
[*] Top Of Upper Memory: 0x000000013B600000
[*] Remap Limit Address: 0x000000013B5FFFFF
[*] Remap Base Address : 0x0000000100000000
[*] 4GB : 0x0000000100000000
[*] Top Of Low Memory : 0x00000000C2A00000
[*] TSEG (SMRAM) Base : 0x00000000C0000000
[*] checking memory remap configuration..
[*] Memory Remap is enabled
[+] Remap window configuration is correct: REMAPBASE <= REMAPLIMIT < TOUUD
[+] All addresses are 1MB aligned
[*] checking if memory remap configuration is locked..
[+] TOUUD is locked
[+] TOLUD is locked
[+] REMAPBASE and REMAPLIMIT are locked
[+] PASSED: Memory Remap is configured correctly and locked
[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[+] PCI0.0.0_BDSM = 0x00000000C0A00001 - LOCKED - Base of Graphics Stolen Memory
[+] PCI0.0.0_BGSM = 0x00000000C0800001 - LOCKED - Base of GTT Stolen Memory
[+] PCI0.0.0_DPR = 0x00000000C0000001 - LOCKED - DMA Protected Range
[+] PCI0.0.0_GGC = 0x0000000000000209 - LOCKED - Graphics Control
[+] PCI0.0.0_MESEG_MASK = 0x0000007FFE000C00 - LOCKED - Manageability Engine Limit Address Register
[+] PCI0.0.0_PAVPC = 0x0000000000000004 - LOCKED - PAVP Configuration
[+] PCI0.0.0_REMAPBASE = 0x0000000100000001 - LOCKED - Memory Remap Base Address
[+] PCI0.0.0_REMAPLIMIT = 0x000000013B500001 - LOCKED - Memory Remap Limit Address
[+] PCI0.0.0_TOLUD = 0x00000000C2A00001 - LOCKED - Top of Low Usable DRAM
[+] PCI0.0.0_TOM = 0x0000000100000001 - LOCKED - Top of Memory
[+] PCI0.0.0_TOUUD = 0x000000013B600001 - LOCKED - Top of Upper Usable DRAM
[+] PCI0.0.0_TSEGMB = 0x00000000C0000001 - LOCKED - TSEG Memory Base
[+] PASSED: All memory map registers seem to be locked down
[*] running module: chipsec.modules.smm_dma
[x][ =======================================================================
[x][ Module: SMM TSEG Range Configuration Check
[x][ =======================================================================
[*] TSEG : 0x00000000C0000000 - 0x00000000C07FFFFF (size = 0x00800000)
[*] SMRR range: 0x00000000C0000000 - 0x00000000C07FFFFF (size = 0x00800000)
[*] checking TSEG range configuration..
[+] TSEG range covers entire SMRAM
[+] TSEG range is locked
[+] PASSED: TSEG is properly configured. SMRAM is protected from DMA attacks
[CHIPSEC] *************************** SUMMARY ***************************
[CHIPSEC] Time elapsed 0.039
[CHIPSEC] Modules total 17
[CHIPSEC] Modules failed to run 0:
[CHIPSEC] Modules passed 11:
[+] PASSED: chipsec.modules.common.smrr
[+] PASSED: chipsec.modules.common.bios_smi
[+] PASSED: chipsec.modules.common.spi_lock
[+] PASSED: chipsec.modules.common.ia32cfg
[+] PASSED: chipsec.modules.common.smm
[+] PASSED: chipsec.modules.common.bios_ts
[+] PASSED: chipsec.modules.common.spi_fdopss
[+] PASSED: chipsec.modules.common.bios_kbrd_buffer
[+] PASSED: chipsec.modules.remap
[+] PASSED: chipsec.modules.memconfig
[+] PASSED: chipsec.modules.smm_dma
[CHIPSEC] Modules failed 2:
[-] FAILED: chipsec.modules.common.spi_desc
[-] FAILED: chipsec.modules.common.bios_wp
[CHIPSEC] Modules with warnings 1:
[!] WARNING: chipsec.modules.common.rtclock
[CHIPSEC] Modules skipped 3:
[*] SKIPPED: chipsec.modules.common.secureboot.variables
[*] SKIPPED: chipsec.modules.common.uefi.s3bootscript
[*] SKIPPED: chipsec.modules.common.uefi.access_uefispec
[CHIPSEC] *****************************************************************
--
coreboot mailing list: [email protected]
https://mail.coreboot.org/mailman/listinfo/coreboot
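
The comparison made in the original report (host bridge registers locked under OEM firmware but not under coreboot) can be automated against saved CHIPSEC logs. The following is an added example, not part of the original message, coreboot or CHIPSEC; the function names are hypothetical, and the "UNLOCKED" line shape in the constructed sample is an assumption about memconfig output for an unlocked register.

```python
import re

# Colour codes as saved in a log: "\x1b[92m", or "[92m" when the ESC byte was
# stripped by a mail archive.
ANSI = re.compile(r"\x1b?\[\d{1,3}m")

# Matches e.g. "[+] PCI0.0.0_TOLUD = 0x00000000C2A00001 - LOCKED - Top of Low Usable DRAM"
REG_LINE = re.compile(
    r"^\[[+\-!]\]\s+(?P<name>\S+)\s*=\s*(?P<value>0x[0-9A-Fa-f]+)"
    r"\s+-\s+(?P<state>LOCKED|UNLOCKED)\s+-\s+(?P<desc>.+)$"
)


def parse_memconfig(log_text):
    """Map register name -> (value, locked) for every memconfig line in a log."""
    regs = {}
    for raw in log_text.splitlines():
        m = REG_LINE.match(ANSI.sub("", raw).strip())
        if m:
            regs[m["name"]] = (int(m["value"], 16), m["state"] == "LOCKED")
    return regs


def lock_regressions(reference_log, candidate_log):
    """Registers locked in the reference run but unlocked or absent in the candidate."""
    ref = parse_memconfig(reference_log)
    cand = parse_memconfig(candidate_log)
    return sorted(
        name for name, (_, locked) in ref.items()
        if locked and not cand.get(name, (0, False))[1]
    )


# Three memconfig lines from the fixed-coreboot log on this page, wrapped in the
# colour-code residue ("[92m" ... "[0m") such logs carry when archived.
REFERENCE = """\
[92m[+] PCI0.0.0_TOLUD = 0x00000000C2A00001 - LOCKED - Top of Low Usable DRAM[0m
[92m[+] PCI0.0.0_TOUUD = 0x000000013B600001 - LOCKED - Top of Upper Usable DRAM[0m
[92m[+] PCI0.0.0_TSEGMB = 0x00000000C0000001 - LOCKED - TSEG Memory Base[0m
"""

# Constructed sample of a run where finalize was never triggered: the values and
# the "[-] ... UNLOCKED" line shape are assumptions, not output from this page.
CANDIDATE = """\
[-] PCI0.0.0_TOLUD = 0x00000000C2A00000 - UNLOCKED - Top of Low Usable DRAM
[+] PCI0.0.0_TOUUD = 0x000000013B600001 - LOCKED - Top of Upper Usable DRAM
[-] PCI0.0.0_TSEGMB = 0x00000000C0000000 - UNLOCKED - TSEG Memory Base
"""

if __name__ == "__main__":
    for reg in lock_regressions(REFERENCE, CANDIDATE):
        print("not locked:", reg)
```

Feeding it a log from the OEM firmware as the reference and a log from each new coreboot build as the candidate turns the manual comparison into a regression check, including on the normal boot path where no S3 resume has occurred.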