[coreboot] we've always known this was possible and hence never bothered to do it but ...

David Hendricks david.hendricks at gmail.com
Tue May 13 21:15:14 CEST 2008


The main point to bring home is that these whiz-bang features in modern
firmware such as SMM not only over-complicate the design but they also have
unintentional consequences such as creating gaping holes in security.

A lot of control is being handed off to obscure parts in firmware and
executed in privileged mode these days, and there be dragons along the way.

On Sun, May 11, 2008 at 11:49 PM, Brendan Trotter <btrotter at gmail.com>
wrote:

> Hi,
>
> On Mon, May 12, 2008 at 12:44 PM, ron minnich <rminnich at gmail.com> wrote:
> > somebody got around to it.
> >
> http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html
> >
> > The world, sooner or later, is going to get the message :-)
>
> This is old news - I remember an article from a year or so ago
> explaining a vulnerability that allows a video "driver" in user-space
> on Linux to install it's own SMM code.
>
> SMRAM is meant to be locked by the firmware so that software can't
> enable SMRAM accesses. Some firmware doesn't lock SMRAM which creates
> the problem. Under most sane OSs you need to be running at CPL=0 to
> access I/O ports (and enable access to SMM space if it's not locked)
> so it doesn't matter as much (because if you're running at CPL=0
> anyway you don't need SMM to bypass security), but some OSs aren't so
> good at protecting I/O ports.
>
> Of course if everyone was using coreboot things would be much easier
> (for hackers)...
>
> AFAIK coreboot doesn't lock SMM space on *any* chipset, and also
> leaves "SMRAM base" set to the default address 0x00030000 so that the
> SMRAM area isn't underneath the legacy video display memory area (from
> 0x000A0000 to 0x000BFFFF) and can be accessed/modified regardless of
> whether SMRAM is locked or not, or whether or not access to SMRAM is
> enabled or not.
>
> Of course there's always the added bonus that a hacker can download
> the source code for coreboot, add their own malicious code, compile,
> flash it and then sell the system on eBay to any unsuspecting sucker.
> Coreboot really is the "rootkit friendly" way to go... :-)
>
>
> Cheers,
>
> Brendan
>
> --
> coreboot mailing list
> coreboot at coreboot.org
> http://www.coreboot.org/mailman/listinfo/coreboot
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20080513/4fd52faf/attachment.html>


More information about the coreboot mailing list