From: Igor Mammedov <imammedo@redhat.com>
To: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: qemu-devel@nongnu.org, "Chen, Yingwen" <yingwen.chen@intel.com>,
edk2-devel-groups-io <devel@edk2.groups.io>,
Phillip Goerl <phillip.goerl@oracle.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
edk2-rfc-groups-io <rfc@edk2.groups.io>,
Laszlo Ersek <lersek@redhat.com>,
Joao Marcal Lemos Martins <joao.m.martins@oracle.com>,
pbonzini@redhat.com
Subject: Re: [POC Seabios PATCH] seabios: use isolated SMM address space for relocation
Date: Mon, 26 Aug 2019 15:57:09 +0200 [thread overview]
Message-ID: <20190826155709.3ff98671@redhat.com> (raw)
In-Reply-To: <19ebf1f4-eb22-d6f7-aecb-9d4f6c941923@oracle.com>
On Fri, 16 Aug 2019 18:43:11 -0400
Boris Ostrovsky <boris.ostrovsky@oracle.com> wrote:
> On 8/16/19 7:24 AM, Igor Mammedov wrote:
> > for purpose of demo SMRAM (at 0x30000) is aliased at a0000 in system address space
> > for easy initialization of SMI entry point.
> > Here is resulting debug output showing that RAM at 0x30000 is not affected
> > by SMM and only RAM in SMM adderss space is modified:
> >
> > init smm
> > smm_relocate: before relocaten
> > smm_relocate: RAM codeentry 0
> > smm_relocate: RAM cpu.i64.smm_base 0
^^^ reads using 0x30000 base in non-SMM mode
> > smm_relocate: SMRAM codeentry f000c831eac88c
> > smm_relocate: SMRAM cpu.i64.smm_base 0
^^^ reads from SMRAM temporarily aliased at 0xa0000 in non-SMM mode
> > handle_smi cmd=0 smbase=0x00030000
^^^ reads using 0x30000 base in SMM mode
> > smm_relocate: after relocaten
> > smm_relocate: RAM codeentry 0
> > smm_relocate: RAM cpu.i64.smm_base 0
^^^ normal RAM at 0x30000 base hasn't been modified after SMM relocation
without us taking care of saving/restoring it (2nd patch removes it altogether)
> > smm_relocate: SMRAM codeentry f000c831eac88c
> > smm_relocate: SMRAM cpu.i64.smm_base a0000
^^^ but SMRAM has changed base to what out handler told it to
(note we are reading it form non-SMM context only because we
have an alias at a0000 which it there only for demo purposes)
>
>
> I most likely don't understand how this is supposed to work but aren't
> we here successfully reading SMRAM from non-SMM context, something we
> are not supposed to be able to do?
We are aren't reading SMRAM at 0x30000 base directly,
"RAM" marked log lines are non-SMM context reads using as base
BUILD_SMM_INIT_ADDR 0x30000
and as you see, it isn't showing anything from SMRAM
For mgmt/demo purposes SMRAM (which is at 0x30000 in SMM address space)
is also aliased at
BUILD_SMM_ADDR 0xa0000
into non-SMM address space to allow us to initialize SMM entry point
(log entries are marked as "SMRAM").
Aliased SMRAM also allows us to check that relocation worked
(i.e. smm_base was relocated from default "handle_smi cmd=0 smbase=0x00030000"
to a new one "smm_relocate: SMRAM cpu.i64.smm_base a0000").
It's similar to what we do with TSEG where QEMU steals RAM from
normal address space and puts MMIO region 'tseg_blackhole' over it
so non-SMM context reads 0xFF from TSEG window, while SMM context
accesses RAM hidden below tseg_blackhole.
These patches show that we can have normal usable RAM at 0x30000
which doesn't overlap with SMRAM at the same address and each can
be made accessible only from its own mode (no-SMM and SMM).
Preventing non-SMM mode from injecting attack on SMRAM via CPU
that hasn't been initialized yet once firmware locked down SMRAM.
>
>
> -boris
>
next prev parent reply other threads:[~2019-08-26 13:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-16 11:24 [POC QEMU PATCH 0/2] CPU hotplug: use dedicated SMRAM at 0x30000 in SMM address space Igor Mammedov
2019-08-16 11:24 ` [PATCH QEMU 1/1] q35: use dedicated SMRAM at default SMM_BASE Igor Mammedov
2019-08-16 11:24 ` [POC Seabios PATCH] seabios: use isolated SMM address space for relocation Igor Mammedov
2019-08-16 22:43 ` Boris Ostrovsky
2019-08-26 13:57 ` Igor Mammedov [this message]
2019-08-27 1:28 ` Boris Ostrovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190826155709.3ff98671@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox