[coreboot] cached SMI handler

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sat Feb 7 17:31:37 CET 2009


On 07.02.2009 17:11, Kevin O'Connor wrote:
> On Sat, Feb 07, 2009 at 01:35:40PM +0100, Stefan Reinauer wrote:
>   
>> Kevin O'Connor wrote:
>>     
>>> Random thought - I wonder if the OS could "break into" SMM mode by
>>> turning on caching for the SMM area and then manipulating the cache
>>> contents so that an SMI used icache/dcache contents set by the OS
>>>       
> [...]
>   
>> The simplest way to avoid this is by putting the main SMI handler at
>> 0xa0000
>>     
>
> We're probably getting off topic.  But here is what I was thinking:
>
> * OS uses mtrr to cache memory at 0xa0000
>
> * OS loads a "jmp 0x10000" insn into L2 cache at 0xa0000
>
> * OS invokes an SMI (acpi defines a way to do this)
>
> If the SMI handler is set to run code at 0xa0000 (ie, it has an SMBASE
> of 0x98000), then it would see the 'jmp' insn and start running OS
> code at 0x10000.
>   

This needs a unified cache, though.

>> so it has control over the cache before it accesses the high
>> SMM memory. Right now the SMI handler I wrote does not use the high SMM
>> memory at all, so there's no immediate risk.
>>     
>
> I don't think there is much risk anyway - if someone has full access
> to the machine to change cache settings, then they don't need SMM
> mode.
>   

Well, some chipsets allow you to reflash the ROM only in SMM if the
flash interface is locked.

Regards,
Carl-Daniel

-- 
http://www.hailfinger.org/





More information about the coreboot mailing list