[LinuxBIOS] #42: Disable SMM on K8 platforms

LinuxBIOS svn at openbios.org
Fri Nov 10 18:18:23 CET 2006

#42: Disable SMM on K8 platforms
     Reporter:  stepan      |          Owner:  stepan           
         Type:  defect      |         Status:  new              
     Priority:  major       |      Milestone:  Going mainstream 
    Component:  code        |        Version:  v2               
     Keywords:  SMM         |      Due_close:  MM/DD/YYYY       
Include_gantt:  0           |   Dependencies:                   
   Due_assign:  MM/DD/YYYY  |    Patchstatus:  there is no patch
 This was a while ago, but it got forgotten.

 Loïc Duflot, security engineer and researcher for the scientific
 division of the french Central Directorate for Information Systems
 Security ("french version of the NSA"), gives some insight on fun that
 can be had with the system management mode (SMM) of x86 CPUs.

 See http://www.securityfocus.com/print/columnists/402 for more

 While, as Loïc writes later in his article, the whole issue of
 exploiting SMM is pretty pointless in Linux as the super user can
 conquer ring 0 without further effort, the idea of fixing what we
 can fix on the bios level seems worthwhile.

 If something seems as simple as setting the D_LCK bit of SMM, we should
 definitely do it.. It will at least be a marketable feature against
 other upcoming firmware implementations.

 Carl-Daniel Hailfinger  said:
 I believe that setting D_LCK will mitigate a few attacks but I strongly
 doubt that it cannot be cleared during system operation. Yes, the manual
 specifies it, but manuals have been underspecified before. Since we don't
 use SMM for anything, we might as well
 * clear D_OPEN
 * set D_CLOSE
 * clear "Enable"
 * set D_LCK.

 So, by all means, do it now. Until somebody figures out a way to disable
 D_LCK again we offer a much higher degree of security than everybody

 Ok, D_LCK/D_OPEN/D_CLOSE is intel vocabulary. There is no such thing on
 AMD. They call it SMMLOCK in their BKDG:

 6.11.6 Locking SMM

 The SMM registers can be locked by setting the SMMLOCK (HWCR, bit 0).
 Once set, the SMM_BASE, the SMM_ADDR, all but the two close bits of
 locked and cannot be changed. The only way to unlock the SMM registers
 is to assert reset.  This provides security to the SMM mechanism. The
 BIOS can lock the SMM environment after setting it up so that it can not
 be tampered with.

 So I propose the following patch for LinuxBIOS to fix the SMM problem
 for all supported AMD K8 mainboards:

 Set SMMLOCK on K8 to avoid exploits messing with SMM

 Signed-off-by: Stefan Reinauer <stepan at coresystems.de>

 Index: src/cpu/amd/model_fxx/model_fxx_init.c
 --- src/cpu/amd/model_fxx/model_fxx_init.c      (revision 2302)
 +++ src/cpu/amd/model_fxx/model_fxx_init.c      (working copy)
 @@ -454,6 +454,12 @@


 +       /* Set SMMLOCK to avoid exploits messing with SMM */
 +       msr = rdmsr(HWCR_MSR);
 +       msr.lo |= (1 << 0);
 +       wrmsr(HWCR_MSR, msr);

         /* Enable the local cpu apics */

Ticket URL: <http://tracker.linuxbios.org/trac/LinuxBIOS/ticket/42>
LinuxBIOS <http://www.linuxbios.org/>

More information about the coreboot mailing list