Hi,

I did some testing on real hardware with an Intel Coffee Lake system on whether vectoring out of TSEG is prohibited by the hardware, which I assumed would be the case. It's *not* the case! Vectoring out of TSEG does succeed, so this issue really affects modern hardware. So I think this issue might affect a lot more systems than I initially thought.

Kind regards
Arthur

On Fri, Apr 8, 2022 at 12:43 AM Arthur Heymans <art...@aheymans.xyz> wrote:
> Hi
>
> When refactoring the coreboot SMM setup I noticed that there is a security
> vulnerability in our SMM setup code.
>
> It boils down to this: except on the BSP the smihandler code will execute
> code at a random location, but most likely at offset 0. With some carefully
> crafted code a bootloader or the OS could place some code at that offset,
> generate an SMI on an AP and get control over SMM. More recent silicon has
> hardware mechanisms to avoid executing code outside the designated SMM area
> (TSEG) so those would not be affected.
>
> The commit introducing this problem is
> https://review.coreboot.org/c/coreboot/+/43684.
> Roughly it affects most x86 builds from end 2020/beginning 2021 till now.
>
> https://review.coreboot.org/c/coreboot/+/63478 fixes the problem. (Feel
> free to review the rest of that series as it makes the smm setup much more
> readable ;-))
>
> Kind regards
> Arthur
>
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org