SMI Platform locking on newer platforms

Question

SMI Platform locking on newer platforms

tlaurion opened this issue 9 months ago · 1 comments

There is some traction revisiting SMI platform locking on post-skylake.
Here is anchor of past work, feel free to document your findings

@tlaurion it's simply not going to work on newer platforms where FSP locks those registers regardless of any coreboot settings. They simply can't be set by the payload, even in SMM.

CONFIG_INTEL_CHIPSET_LOCKDOWN has no effect on Skylake and newer.
CONFIG_BOOTMEDIA_LOCK_CONTROLLER, I don't understand how it's not locking things prior to the payload execution on older platforms. I'd want to see a cbmem log from an x230 (eg) with SMM logging enabled to try and make sense of it

Originally posted by @MrChromebox in #326 (comment)

TODO:
Skylake and newer have been tweaked to be able to do the same but it seems that upstreaming the changes to coreboot has not happened yet but had for older platforms. More info for coreboot devels to jump in from vaultbook fork for their x11 platform patch on unknown coreboot git commit

Originally posted by @tlaurion in #1373 (comment)

Answer 1 · 2024-05-06T21:16:05.000Z

https://eclypsium.com/blog/firmware-security-realizations-part-3-spi-write-protections/

There is some traction revisiting SMI platform locking on post-skylake. Here is anchor of past work, feel free to document your findings

There is some traction revisiting SMI platform locking on post-skylake.
Here is anchor of past work, feel free to document your findings