From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: Igor Mammedov <imammedo@redhat.com>
Cc: qemu-devel@nongnu.org, "Chen, Yingwen" <yingwen.chen@intel.com>,
edk2-devel-groups-io <devel@edk2.groups.io>,
Phillip Goerl <phillip.goerl@oracle.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
edk2-rfc-groups-io <rfc@edk2.groups.io>,
Laszlo Ersek <lersek@redhat.com>,
Joao Marcal Lemos Martins <joao.m.martins@oracle.com>,
pbonzini@redhat.com
Subject: Re: [POC Seabios PATCH] seabios: use isolated SMM address space for relocation
Date: Mon, 26 Aug 2019 21:28:20 -0400 [thread overview]
Message-ID: <5ff48907-4434-ba54-5bef-d8e956edf7eb@oracle.com> (raw)
In-Reply-To: <20190826155709.3ff98671@redhat.com>
On 8/26/19 9:57 AM, Igor Mammedov wrote:
>
>> I most likely don't understand how this is supposed to work but aren't
>> we here successfully reading SMRAM from non-SMM context, something we
>> are not supposed to be able to do?
> We are aren't reading SMRAM at 0x30000 base directly,
> "RAM" marked log lines are non-SMM context reads using as base
> BUILD_SMM_INIT_ADDR 0x30000
> and as you see, it isn't showing anything from SMRAM
>
> For mgmt/demo purposes SMRAM (which is at 0x30000 in SMM address space)
> is also aliased at
> BUILD_SMM_ADDR 0xa0000
> into non-SMM address space to allow us to initialize SMM entry point
> (log entries are marked as "SMRAM").
OK, I then misunderstood the purpose of this demo. I thought you were
not supposed to be able to read it from either location in non-SMM mode.
Thanks for the explanation.
-boris
>
> Aliased SMRAM also allows us to check that relocation worked
> (i.e. smm_base was relocated from default "handle_smi cmd=0 smbase=0x00030000"
> to a new one "smm_relocate: SMRAM cpu.i64.smm_base a0000").
>
>
> It's similar to what we do with TSEG where QEMU steals RAM from
> normal address space and puts MMIO region 'tseg_blackhole' over it
> so non-SMM context reads 0xFF from TSEG window, while SMM context
> accesses RAM hidden below tseg_blackhole.
>
> These patches show that we can have normal usable RAM at 0x30000
> which doesn't overlap with SMRAM at the same address and each can
> be made accessible only from its own mode (no-SMM and SMM).
> Preventing non-SMM mode from injecting attack on SMRAM via CPU
> that hasn't been initialized yet once firmware locked down SMRAM.
>
>
>>
>> -boris
>>
prev parent reply other threads:[~2019-08-27 1:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-16 11:24 [POC QEMU PATCH 0/2] CPU hotplug: use dedicated SMRAM at 0x30000 in SMM address space Igor Mammedov
2019-08-16 11:24 ` [PATCH QEMU 1/1] q35: use dedicated SMRAM at default SMM_BASE Igor Mammedov
2019-08-16 11:24 ` [POC Seabios PATCH] seabios: use isolated SMM address space for relocation Igor Mammedov
2019-08-16 22:43 ` Boris Ostrovsky
2019-08-26 13:57 ` Igor Mammedov
2019-08-27 1:28 ` Boris Ostrovsky [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5ff48907-4434-ba54-5bef-d8e956edf7eb@oracle.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox