> -----Original Message-----
> From: Andy Lutomirski [mailto:[email protected]]
> Sent: Thursday, April 13, 2017 12:44 PM
> To: Limonciello, Mario <[email protected]>
> Cc: Darren Hart <[email protected]>; Andrew Lutomirski <[email protected]>;
> Michał Kępień <[email protected]>; Rafael J. Wysocki <[email protected]>; Len
> Brown <[email protected]>; Pali Rohár <[email protected]>; Corentin
> Chary <[email protected]>; Andy Shevchenko
> <[email protected]>; [email protected]; platform-
> [email protected]; [email protected]
> Subject: Re: RFC: WMI Enhancements
> 
> On Thu, Apr 13, 2017 at 10:39 AM,  <[email protected]> wrote:
> >> -----Original Message-----
> >> From: Darren Hart [mailto:[email protected]]
> >> Sent: Thursday, April 13, 2017 12:06 PM
> >> To: Limonciello, Mario <[email protected]>
> >> Cc: [email protected]; [email protected]; [email protected];
> >> [email protected]; [email protected]; [email protected];
> >> [email protected]; [email protected]; platform-
> >> [email protected]; [email protected]
> >> Subject: Re: RFC: WMI Enhancements
> >>
> 
> > Well the "most" interesting to me is the SMBIOS calling interface on the
> > regular Dell GUID (WMBA IIRC).  That's what is used to manipulate keyboard
> > LED timeouts in dell-laptop (although through direct SMI today).
> >
> > It's also what is used for other SMBIOS calls like changing random BIOS settings
> > that shouldn't be generically exposed in sysfs but should be controlled by
> > manageability tools.
> >
> > Example: turning on/off legacy option ROM or changing legacy boot order.
> >
> 
IIUC we basically can't expose the SMI-based interface to this entry
point to userspace because of its use of physical addressing.  Is it
reasonably safe to expose the WMI version?  (IOW should we expect that
it doesn't enable kernel-mode or SMM code execution?)

The SMI based entry is already exposed using dcdbas.

The WMI version, when executing a call that would be run as an SMI,
will copy the buffer to an area of memory that the BIOS has already
marked reserved to execute the SMI and copy the result out.

> 
> TBH, I've occasionally considered writing a driver to expose SMM code
> execution on systems with a known reliable exploit :)

On Dell HW?  I'm sure our security folks would be very interested in this.
