[coreboot] Question about finalization of SMM

Mon, 14 Aug 2017 22:11:30 -0700 

Hi all,

When using chipsec ( https://github.com/chipsec/chipsec ) to analyse
possible vulnerabilities inside coreboot systems, I noticed that on
several intel-based systems running coreboot,(e.g.
https://review.coreboot.org/cgit/board-status.git/tree/lenovo/x230/4.6-938-gb08d73b845/2017-08-01T23_05_52Z
) several registers on the pci-e root complex (host bridge) is not
locked while locked on the same system running oem firmware.

Digging into the source code, I found a function defined inside
${COREBOOT_DIR}/src/northbridge/intel/{nehalem, sandybridge,
haswell}/finalize.c to lock these registers and finalize smm, but this
function will only be called if #SMI APM_CNT gets triggered with a
certain parameter. ( The handler of #SMI APM_CNT is usually defined as
function "southbridge_smi_apmc" inside
${COREBOOT_DIR}/src/${VENDOR}/${MAINBOARD}/smihandler.c or
${COREBOOT_DIR}/src/southbridge/intel/${CHIPSET}/smihandler.c, and the
lockdown function will be called with parameter register APM_CNT == 
APM_CNT_FINALIZE.)

That these registers are left unlocked indicates that smm is left
unfinalized, and #SMI APM_CNT is never triggered with APM_CNT == 
APM_CNT_FINALIZE during boot. I would like to ask, that when does the
smm is expected to be finalized, and which component of the system (e.g.
coreboot, payload, or os kernel) is responsible for that?

Thanks.

Persmule


[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[-] PCI0.0.0_BDSM        = 0x00000000C0A00000 - UNLOCKED - Base of Graphics Stolen Memory
[-] PCI0.0.0_BGSM        = 0x00000000C0800000 - UNLOCKED - Base of GTT Stolen Memory
[-] PCI0.0.0_DPR         = 0x00000000C0000000 - UNLOCKED - DMA Protected Range
[-] PCI0.0.0_GGC         = 0x0000000000000238 - UNLOCKED - Graphics Control
[+] PCI0.0.0_MESEG_MASK  = 0x0000007FFE000C00 - LOCKED   - Manageability Engine Limit Address Register
[-] PCI0.0.0_PAVPC       = 0x0000000000000000 - UNLOCKED - PAVP Configuration
[-] PCI0.0.0_REMAPBASE   = 0x00000003FE000000 - UNLOCKED - Memory Remap Base Address
[-] PCI0.0.0_REMAPLIMIT  = 0x000000042F500000 - UNLOCKED - Memory Remap Limit Address
[-] PCI0.0.0_TOLUD       = 0x00000000CEA00000 - UNLOCKED - Top of Low Usable DRAM
[-] PCI0.0.0_TOM         = 0x0000000400000000 - UNLOCKED - Top of Memory
[-] PCI0.0.0_TOUUD       = 0x000000042F600000 - UNLOCKED - Top of Upper Usable DRAM
[-] PCI0.0.0_TSEGMB      = 0x00000000C0000000 - UNLOCKED - TSEG Memory Base
[-] FAILED: Not all memory map registers are locked down
[*] running module: chipsec.modules.memconfig
[x][ =======================================================================
[x][ Module: Host Bridge Memory Map Locks
[x][ =======================================================================
[+] PCI0.0.0_BDSM        = 0x00000000DBA00001 - LOCKED   - Base of Graphics Stolen Memory
[+] PCI0.0.0_BGSM        = 0x00000000DB800001 - LOCKED   - Base of GTT Stolen Memory
[+] PCI0.0.0_DPR         = 0x00000000DB000001 - LOCKED   - DMA Protected Range
[+] PCI0.0.0_GGC         = 0x0000000000000211 - LOCKED   - Graphics Control
[+] PCI0.0.0_MESEG_MASK  = 0x0000007FFE000C00 - LOCKED   - Manageability Engine Limit Address Register
[+] PCI0.0.0_PAVPC       = 0x00000000DF900007 - LOCKED   - PAVP Configuration
[+] PCI0.0.0_REMAPBASE   = 0x0000000100000001 - LOCKED   - Memory Remap Base Address
[+] PCI0.0.0_REMAPLIMIT  = 0x000000011E500001 - LOCKED   - Memory Remap Limit Address
[+] PCI0.0.0_TOLUD       = 0x00000000DFA00001 - LOCKED   - Top of Low Usable DRAM
[+] PCI0.0.0_TOM         = 0x0000000100000001 - LOCKED   - Top of Memory
[+] PCI0.0.0_TOUUD       = 0x000000011E600001 - LOCKED   - Top of Upper Usable DRAM
[+] PCI0.0.0_TSEGMB      = 0x00000000DB000001 - LOCKED   - TSEG Memory Base
[+] PASSED: All memory map registers seem to be locked down
-- 
coreboot mailing list: [email protected]
https://mail.coreboot.org/mailman/listinfo/coreboot

Reply via email to