[LinuxBIOS] SMM is evil?

Ronald G Minnich rminnich at lanl.gov
Fri May 12 17:35:05 CEST 2006


Stefan Reinauer wrote:
> 
> * Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net> [060511 22:06]:
> 
>>Stefan Reinauer wrote:
>>
>>>If something seems as simple as setting the D_LCK bit of SMM, we should
>>>definitely do it.. It will at least be a marketable feature against
>>>other upcoming firmware implementations.
>>
>>I believe that setting D_LCK will mitigate a few attacks but I strongly
>>doubt that it cannot be cleared during system operation. Yes, the manual
>>specifies it, but manuals have been underspecified before. Since we don't
>>use SMM for anything, we might as well
> 
> 
> While the mechanism might indeed provide some protection its maybe
> possible to assert a reset signal to the chipset while not dropping out
> of the code path, as a possible workaround. No idea whether this is
> possible without "bios support" though.
> 
> 
>>So, by all means, do it now. Until somebody figures out a way to disable
>>D_LCK again we offer a much higher degree of security than everybody
>>else.
> 
> 
> Ok, D_LCK/D_OPEN/D_CLOSE is intel vocabulary. There is no such thing on
> AMD. They call it SMMLOCK in their BKDG:
> 
> 6.11.6 Locking SMM
> 
> The SMM registers can be locked by setting the SMMLOCK (HWCR, bit 0).
> Once set, the SMM_BASE, the SMM_ADDR, all but the two close bits of
> SMM_MASK and the RSMSPCYCDIS, SMISPCYCDIS, and SMMLOCK bits of HWCR are
> locked and cannot be changed. The only way to unlock the SMM registers
> is to assert reset.  This provides security to the SMM mechanism. The
> BIOS can lock the SMM environment after setting it up so that it can not
> be tampered with.
> 
> So I propose the following patch for LinuxBIOS to fix the SMM problem
> for all supported AMD K8 mainboards:
> 
> Index: src/cpu/amd/model_fxx/model_fxx_init.c
> ===================================================================
> --- src/cpu/amd/model_fxx/model_fxx_init.c      (revision 2302)
> +++ src/cpu/amd/model_fxx/model_fxx_init.c      (working copy)
> @@ -454,6 +454,12 @@
> 
>         k8_errata();
> 
> +       /* Set SMMLOCK to avoid exploits messing with SMM */
> +       msr = rdmsr(HWCR_MSR);
> +       msr.lo |= (1 << 0);
> +       wrmsr(HWCR_MSR, msr);
> +
> +
>         enable_cache();
> 
>         /* Enable the local cpu apics */
> 
> 
> 
> 
> 
> Anyone opposing?

cool. another advantage for us. Esp. since intel really counts on SMM 
being there for EFI ...

ron




More information about the coreboot mailing list