[coreboot] question on SMM

2017-06-29 Thread ron minnich
there's something I am certain I don't understand about SMM on intel chipsets. The question is pretty simple. Consider a system with a recent intel chipset and flash. Is there some special secret sauce that disables writing to flash unless in SMM and if so, what is it? Thanks to anyone who can po

Re: [coreboot] question on SMM

2017-06-30 Thread Nico Huber
Hi Ron,
On 30.06.2017 06:25, ron minnich wrote:
> there's something I am certain I don't understand about SMM on intel
> chipsets.
>
> The question is pretty simple. Consider a system with a recent intel
> chipset and flash. Is there some special secret sauce that disables writing
> to flash unle

Re: [coreboot] question on SMM

2017-06-30 Thread Igor Skochinsky via coreboot
Hello ron,
Friday, June 30, 2017, 6:25:06 AM, you wrote:
rm> there's something I am certain I don't understand about SMM on intel chipsets.
rm> The question is pretty simple. Consider a system with a recent
rm> intel chipset and flash. Is there some special secret sauce that
rm> disables writing

Re: [coreboot] question on SMM

2017-06-30 Thread Alexander Couzens
On Fri, 30 Jun 2017 04:25:06 + ron minnich wrote:
> there's something I am certain I don't understand about SMM on intel
> chipsets.
>
> The question is pretty simple. Consider a system with a recent intel
> chipset and flash. Is there some special secret sauce that disables
> writing to fla

Re: [coreboot] question on SMM

2017-06-30 Thread ron minnich
Thanks for the good explanations. So I have a question for you all. We've been doing some testing of linux-as-ramstage. We've done a proof of concept that linux can set up the SMM handler at 0xa, the relocate stub at 0x38000, run the relocate stub, and have a working smm handler. The smm handl

Re: [coreboot] question on SMM

2017-06-30 Thread Trammell Hudson
You can reduce the window of time that the flash is writable by setting the PRR registers and FLOCKDN bits before moving out of the bootblock -- this prevents even SMM from being able to write to the protected regions of the flash. If someone can get code execution in the bootblock or during S3 re

Re: [coreboot] question on SMM

2017-06-30 Thread Patrick Georgi via coreboot
2017-06-30 19:46 GMT+02:00 ron minnich:
> The only question that has been raised: are we losing an essential
> security guarantee since flash is writeable in this kernel-based "SMM"? The
> big question is whether we're opening up the possibility of firmware
> getting changed, once the kernel is o

Re: [coreboot] question on SMM

2017-06-30 Thread Marc Jones
On Fri, Jun 30, 2017 at 11:47 AM ron minnich wrote:
> Thanks for the good explanations.
>
> So I have a question for you all. We've been doing some testing of
> linux-as-ramstage. We've done a proof of concept that linux can set up the
> SMM handler at 0xa, the relocate stub at 0x38000, run t

Re: [coreboot] question on SMM

2017-06-30 Thread Nico Huber
On 30.06.2017 19:46, ron minnich wrote:
> Thanks for the good explanations.
>
> So I have a question for you all. We've been doing some testing of
> linux-as-ramstage. We've done a proof of concept that linux can set up the
> SMM handler at 0xa, the relocate stub at 0x38000, run the relocate
>

Re: [coreboot] question on SMM

2017-06-30 Thread ron minnich
On Fri, Jun 30, 2017 at 4:28 PM Nico Huber wrote:
>
>
> Sounds really doable, but I'm a bit confused here, maybe because I
> didn't look at SMM handlers for some time. Did you evaluate if you
> need SMM at all? I just thought if you add board specific code to
> the kernel, why would you have to d

Re: [coreboot] question on SMM

2017-07-01 Thread Nico Huber
On 01.07.2017 02:08, ron minnich wrote:
> On Fri, Jun 30, 2017 at 4:28 PM Nico Huber wrote:
>
>>
>>
>> Sounds really doable, but I'm a bit confused here, maybe because I
>> didn't look at SMM handlers for some time. Did you evaluate if you
>> need SMM at all? I just thought if you add board speci

Re: [coreboot] question on SMM

2017-07-01 Thread Melvin Walker via coreboot
I don't have a computer with BIOS Guard, but doesn't that move flash writes to BIOS_ACM instead of SMM?
Melvin
On Friday, June 30, 2017 3:06 AM, Igor Skochinsky via coreboot wrote:
Hello ron,
Friday, June 30, 2017, 6:25:06 AM, you wrote:
rm> there's something I am certain I don't unde

Re: [coreboot] question on SMM

2017-07-01 Thread Melvin Walker via coreboot
I'll correct my own statement. I think my understanding was from a misinterpretation from some marketing material. Only the authentication happens in the ACM, not the flash write.
On Saturday, July 1, 2017 7:56 PM, Melvin Walker via coreboot wrote:
I don't have a computer with BIO

Re: [coreboot] question on SMM

2017-07-01 Thread ron minnich
Again, I don't want to pretend this idea is general. Moving SMM to a linux-as-ramfs payload might work on a small number of servers where we have lots of control and not much variety. But thanks for the note Melvin.
On Sat, Jul 1, 2017 at 6:39 PM Melvin Walker via coreboot <coreboot@coreboot.org>

Re: [coreboot] question on SMM

2017-07-03 Thread Stefan Reinauer
On 30-Jun-17 10:46, ron minnich wrote:
Thanks for the good explanations. So I have a question for you all. We've been doing some testing of linux-as-ramstage. We've done a proof of concept that linux can set up the SMM handler at 0xa, the relocate stub at 0x38000, run the relocate stub,