Nice hunt, Arthur! The attack surface in coreboot is smaller than UEFI's, but a misconfiguration during the setup will lead to a serious issue. This one is neat and worth a CVE. Please use CVE-2022-29264 as the record:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29264

regards
Shawn

------- Original Message -------
On Thursday, April 7th, 2022 at 10:43 PM, Arthur Heymans <[email protected]> wrote:

> Hi
>
> When refactoring the coreboot SMM setup I noticed that there is a security
> vulnerability in our SMM setup code.
> It boils down to this: except on the BSP the smihandler code will execute
> code at a random location, but most likely at offset 0. With some carefully
> crafted code a bootloader or the OS could place some code at that offset,
> generate an SMI on an AP and get control over SMM. More recent silicon has
> hardware mechanisms to avoid executing code outside the designated SMM area
> (TSEG) so those would not be affected.
> The commit introducing this problem is
> https://review.coreboot.org/c/coreboot/+/43684.
> Roughly it affects most x86 builds from end 2020/ beginning 2021 till now.
>
> https://review.coreboot.org/c/coreboot/+/63478 fixes the problem. (Feel free
> to review the rest of that series as it makes the smm setup much more
> readable ;-))
>
> Kind regards
> Arthur

_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
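The property Arthur's report turns on is that every CPU, not just the BSP, must have its SMBASE relocated so that the SMI entry point and save state area land inside TSEG; an AP left unrelocated enters SMM at memory the OS controls. The following check is an added example written for this thread, not code from coreboot or from either author. It models a firmware self-check over a per-CPU SMBASE table: the TSEG address and size, the handler size, the CPU count and the `SMBASE_UNSET` marker are constructed values, and the function names are invented for the example. The architectural offsets (+0x8000 for the SMI entry, +0xFC00 for the save state) are real x86 layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural offsets relative to a CPU's SMBASE. */
#define SMM_ENTRY_OFFSET      0x8000ull   /* SMI handler executes here */
#define SMM_SAVE_STATE_OFFSET 0xFC00ull   /* CPU save state area */
#define SMM_SAVE_STATE_SIZE   0x400ull

/* Assumed size of the handler code at the entry point (constructed). */
#define SMM_HANDLER_SIZE      0x1000ull
/* Marker for a CPU whose SMBASE was never relocated into TSEG (constructed). */
#define SMBASE_UNSET          0ull

/* True when [base, base + size) lies within [lo, hi), rejecting wraparound. */
static bool range_inside(uint64_t base, uint64_t size, uint64_t lo, uint64_t hi)
{
    if (base + size < base)
        return false;
    return base >= lo && base + size <= hi;
}

/*
 * Checks that every CPU's SMM entry point and save state area lie inside
 * TSEG [tseg_base, tseg_base + tseg_size) and that no two CPUs share an SMBASE.
 * Returns true when the layout is safe; otherwise returns false and stores the
 * index of the first offending CPU in *bad_cpu (if non-NULL).
 */
bool smm_layout_is_safe(uint64_t tseg_base, uint64_t tseg_size,
                        const uint64_t *smbase, size_t ncpus, size_t *bad_cpu)
{
    uint64_t tseg_end = tseg_base + tseg_size;

    for (size_t i = 0; i < ncpus; i++) {
        bool ok = smbase[i] != SMBASE_UNSET
               && range_inside(smbase[i] + SMM_ENTRY_OFFSET, SMM_HANDLER_SIZE,
                               tseg_base, tseg_end)
               && range_inside(smbase[i] + SMM_SAVE_STATE_OFFSET, SMM_SAVE_STATE_SIZE,
                               tseg_base, tseg_end);
        /* Two CPUs with the same SMBASE would clobber each other's save state. */
        for (size_t j = 0; ok && j < i; j++)
            if (smbase[j] == smbase[i])
                ok = false;
        if (!ok) {
            if (bad_cpu)
                *bad_cpu = i;
            return false;
        }
    }
    return true;
}

/* Constructed sample platform: 8 MiB TSEG at 0x7f000000, four CPUs. */
#define SAMPLE_TSEG_BASE 0x7f000000ull
#define SAMPLE_TSEG_SIZE 0x00800000ull
#define SAMPLE_NCPUS     4
#define SAMPLE_STRIDE    0x10000ull   /* one 64 KiB SMBASE window per CPU */

/* Layout where every CPU, BSP and APs alike, was relocated into TSEG. */
bool demo_all_relocated(void)
{
    uint64_t smbase[SAMPLE_NCPUS];
    for (size_t i = 0; i < SAMPLE_NCPUS; i++)
        smbase[i] = SAMPLE_TSEG_BASE + i * SAMPLE_STRIDE;
    return smm_layout_is_safe(SAMPLE_TSEG_BASE, SAMPLE_TSEG_SIZE,
                              smbase, SAMPLE_NCPUS, NULL);
}

/*
 * Layout modelling the report: only the BSP (CPU 0) was relocated, the APs
 * kept an SMBASE outside TSEG. Returns the index of the first CPU the check
 * flags, or -1 if nothing is flagged.
 */
int demo_unrelocated_aps(void)
{
    uint64_t smbase[SAMPLE_NCPUS] = { SAMPLE_TSEG_BASE, SMBASE_UNSET,
                                      SMBASE_UNSET, SMBASE_UNSET };
    size_t bad = 0;
    if (smm_layout_is_safe(SAMPLE_TSEG_BASE, SAMPLE_TSEG_SIZE,
                           smbase, SAMPLE_NCPUS, &bad))
        return -1;
    return (int)bad;
}

int main(void)
{
    printf("all relocated: %s\n", demo_all_relocated() ? "safe" : "UNSAFE");
    int bad = demo_unrelocated_aps();
    if (bad >= 0)
        printf("BSP-only relocation: CPU %d would enter SMM outside TSEG\n", bad);
    return 0;
}
```

The check is deliberately strict in the defender's direction: an SMBASE that is merely unset, one whose entry point or save state spills past the TSEG boundary, and two CPUs sharing a window are all treated as failures, since any of them means an SMI on that CPU runs or saves state in memory outside the protected region. On silicon with the hardware range enforcement Arthur mentions the second case is caught by the CPU itself; the first case is exactly the one this thread is about.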

