diff options
| -rw-r--r-- | Documentation/drivers/smmstore.md | 13 | ||||
| -rw-r--r-- | src/drivers/smmstore/smi.c | 12 |
2 files changed, 22 insertions, 3 deletions
diff --git a/Documentation/drivers/smmstore.md b/Documentation/drivers/smmstore.md index 53bac4dc9e..70827477df 100644 --- a/Documentation/drivers/smmstore.md +++ b/Documentation/drivers/smmstore.md @@ -5,7 +5,7 @@ storage driver. ## SMMSTORE -SMMSTORE is a SMM mediated driver to read from, write to and erase a +SMMSTORE is a [SMM] mediated driver to read from, write to and erase a predefined region in flash. It can be enabled by setting `CONFIG_SMMSTORE=y` in menuconfig. @@ -117,7 +117,18 @@ INPUT: - `val`: pointer to the value data - `valsize`: size of the value data +#### Security + +Pointers provided by the payload or OS are checked to not overlap with the SMM. +That protects the SMM handler from being manipulated. + +*However there's no validation done on the source or destination pointing to +DRAM. A malicious application that is able to issue SMIs could extract arbitrary +data or modify the currently running kernel.* + ## External links * [A Tour Beyond BIOS Implementing UEFI Authenticated Variables in SMM with EDKI](https://software.intel.com/sites/default/files/managed/cf/ea/a_tour_beyond_bios_implementing_uefi_authenticated_variables_in_smm_with_edkii.pdf) Note, this differs significantly from coreboot's implementation. + +[SMM]: ../security/smm.md diff --git a/src/drivers/smmstore/smi.c b/src/drivers/smmstore/smi.c index 083535c877..b21423e90e 100644 --- a/src/drivers/smmstore/smi.c +++ b/src/drivers/smmstore/smi.c @@ -1,6 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0-only */ #include <console/console.h> +#include <commonlib/region.h> +#include <cpu/x86/smm.h> #include <smmstore.h> #include <stddef.h> #include <stdint.h> @@ -10,13 +12,14 @@ * * Legal means: * - not pointing into SMRAM - * - ...? * * returns 0 on success, -1 on failure */ static int range_check(void *start, size_t size) { - // TODO: fill in + if (smm_points_to_smram(start, size)) + return -1; + return 0; } @@ -30,6 +33,9 @@ uint32_t smmstore_exec(uint8_t command, void *param) printk(BIOS_DEBUG, "Reading from SMM store\n"); struct smmstore_params_read *params = param; + if (range_check(params, sizeof(*params)) != 0) + break; + if (range_check(params->buf, params->bufsize) != 0) break; @@ -42,6 +48,8 @@ uint32_t smmstore_exec(uint8_t command, void *param) printk(BIOS_DEBUG, "Appending into SMM store\n"); struct smmstore_params_append *params = param; + if (range_check(params, sizeof(*params)) != 0) + break; if (range_check(params->key, params->keysize) != 0) break; if (range_check(params->val, params->valsize) != 0) |