#### **Digging Into The Core of Boot**

Yuriy Bulygin@c7zeroOleksandr Bazhaniuk@ABazhaniuk

#### Agenda

- 🕸 Intro
- ✤ Recap of MMIO BAR Issues in Coreboot & UEFI
- Coreboot ACPI GNVS Pointer Issue
- ✤ SMI Handler Issues in Coreboot
- ✤ Write Protections
- ✤ Conclusions

#### Intro to Coreboot

# Coreboot

- Coreboot is GPLv2 firmware implementation
- Started as LinuxBIOS in 1999 and renamed to Coreboot at 2008
- Supports x86, ARM, MIPS, POWER8, RISC-V
- Mostly in C, with some ASM. ASL for ACPI tables
- Support multiple payloads ("bootloaders") to boot Chrome OS, Linux...
  - Depthcharge, SeaBIOS, TianoCore, FILO
- Modular arch to support many CPUs, SoCs, chipsets, devices
- Supports verified boot rooted in hardware write protected firmware

# **Coreboot Stages**



# **Chrome OS Boot**



# **Verified Boot**

- Verified Boot established signature validation mechanism for Chrome OS
- Root of trust is in read-only initial part of Coreboot firmware protected by /WP pin on SPI devices
- Verstage starting Skylake to reduce amount of read-only ROM stage firmware (as vulnerabilities in RO firmware cannot be patched w/o voiding warranty)
- Read-only firmware verifies RW firmware (new ROM stage & RAM stage)
- Read-write firmware verifies Chrome OS kernel
- Root public key in read-only flash verifies signature of RW firmware keyblock
- Can be disabled in developer mode (requires physically present user)

#### **Recovery and Developer Modes**

#### **Recovery Mode**

- RO firmware boots signed image on a USB
- Security or hardware failures trigger entering into recovery mode

#### **Developer Mode**

- Prior to entering Dev mode, the system erases local state in TPM and on a hard drive
- Root shell is available in Dev mode
- *crossystem dev\_boot\_usb=1* (boot from USB device)
- crossystem dev\_boot\_signed\_only=0 (load unsigned binaries)
- crossystem dev\_boot\_legacy=1 (allow boot any payloads including MBR systems)

# **Read-Only Firmware**

Chromebook firmware uses Write Protect pin (/WP) on SPI device to protect RO FW

#### 8.4 Write Protect (/WP)

The Write Protect (/WP) pin can be used to prevent the Status Register from being written. Used in conjunction with the Status Register's Block Protect (SEC, TB, BP2, BP1 and BP0) bits and Status Register Protect (SRP) bits, a portion or the entire memory array can be hardware protected. The /WP pin is active low. When the QE bit of Status Register-2 is set for Quad I/O, the /WP pin (Hardware Write Protect) function is not available since this pin is used for IO2.

Winbond W25Q64BV spec

- # flashrom -wp-status
- WP: status: 0x0094
- WP: status.srp0: 1
- WP: status.srp1: 0
- WP: write protect is enabled.
- WP: write protect range: start=0x00600000, len=0x00200000

# **SPI Chip Layout in Acer C720 Chromebook**

# futility dump\_fmap -h /tmp/c720\_spi\_dump.bin

| SI_ALL<br>SI_ME<br>SI_DESC | 000000000000000000000000000000000000000 | 00200000<br>00200000<br>00001000 | 00200000<br>001ff000<br>00001000 |     |           |
|----------------------------|-----------------------------------------|----------------------------------|----------------------------------|-----|-----------|
| # name                     | start                                   | end                              | size                             |     |           |
| SI_BIOS                    | 00200000                                | 00800000                         | 00600000                         |     |           |
| WP_R0                      | 00600000                                | 00800000                         | 00200000                         |     | Read-Only |
| RO_SECTION                 | 006100                                  | 00 008000                        | 000 001f0000                     |     | Reau-Only |
| BOOT_STUB                  | 0070                                    | 0000 0080                        | 00000 001000                     | 000 |           |
| GBB                        | 0061                                    | 1000 0070                        | )0000 000ef(                     | 000 |           |
| RO_FRID_PAD                | 0061                                    | 0840 0061                        | 1000 00000                       | 7c0 |           |
| R0_FRID                    | 0061                                    | 0800 0061                        | .0840 000000                     | 940 |           |
| FMAP                       | 0061                                    | 0000 0061                        | .0800 000008                     | 300 |           |
| R0_UNUSED                  | 006040                                  | 00 006100                        | 0000c000                         | 9   |           |
| RO VPD                     | 006000                                  | 00 006040                        | 000 00004000                     |     |           |

# **SPI Chip Layout in Acer C720 Chromebook**

RW LEGACY RW UNUSED RW VPD RW SHARED VBLOCK DEV SHARED DATA RW ELOG RW MRC CACHE RW SECTION B RW FWID B EC MAIN B FW MAIN B VBLOCK B RW SECTION A RW FWID A EC MAIN A FW MAIN A VBLOCK A

| 00400000 | 00600000 | 00200000 |  |
|----------|----------|----------|--|
| 003fa000 | 00400000 | 00006000 |  |
| 003f8000 | 003fa000 | 00002000 |  |
| 003f4000 | 003f8000 | 00004000 |  |
| 003f6000 | 003f8000 | 00002000 |  |
| 003f4000 | 003f6000 | 00002000 |  |
| 003f0000 | 003f4000 | 00004000 |  |
| 003e0000 | 003f0000 | 00010000 |  |
| 002f0000 | 003e0000 | 000f0000 |  |
| 003dffc0 | 003e0000 | 00000040 |  |
| 003c0000 | 003dffc0 | 0001ffc0 |  |
| 00300000 | 003c0000 | 000c0000 |  |
| 002f0000 | 00300000 | 00010000 |  |
| 00200000 | 002f0000 | 000f0000 |  |
| 002effc0 | 002f0000 | 00000040 |  |
| 002d0000 | 002effc0 | 0001ffc0 |  |
| 00210000 | 002d0000 | 000c0000 |  |
| 00200000 | 00210000 | 00010000 |  |
|          |          |          |  |

Read-Write

# Recap of MMIO BAR Issues in Coreboot & UEFI

# **Recap: "MMIO BAR" Issues**



# **Recap: "MMIO BAR" Issues**

Exploit with PCI access can modify BAR register and relocate MMIO range

On SMI interrupt, SMI handler firmware attempts to communicate with device(s)

It may read or write "registers" within relocated MMIO



#### **Recap: "MMIO BAR" Issues in Coreboot**



# Coreboot ACPI GNVS Pointer Issue

#### **Coreboot x86 SMI Handlers**



# ACPI Global NVS (GNVS) Area

Stores data used to communicate with ACPI and SMM including across S3 sleep:

- SMM interface buffer
- EC Lock function
- Thermal thresholds
- Fan speed

. . .

- USB power controls
- ChromeOS Vboot data

```
typedef struct {
    /* Miscellaneous */
    u16 osys; /* 0x00 - Operating System */
    u8 smif; /* 0x02 - SMI function call ("TRAP") */
    u8 prm0; /* 0x03 - SMI function call parameter */
...
    u32 cmem; /* 0x18 - 0x1b - CBMEM TOC */
...
    /* ChromeOS specific (0x100 - 0xfff) */
    chromeos_acpi_t chromeos;
...
} attribute ((packed)) global nvs t;
```

# **ACPI DSDT**

- GNVS area is also defined in DSDT ACPI table
- GNVS layout is platform (SoC/southbridge) specific
- BDW/SKL: CBMEM TOC address at offset 0x18

```
1
     External (NVSA)
     OperationRegion (GNVS, SystemMemory, NVSA, 0x2000)
 2
 3
     Field (GNVS, ByteAcc, NoLock, Preserve)
 4
    ₽{
 5
         /* Miscellaneous */
 6
         Offset (0x00),
         OSYS, 16, // 0x00 - Operating System
                 8, // 0x02 - SMI function
 8
         SMIF,
 9
         PRM0,
                 8, // 0x03 - SMI function parameter
         PRM1, 8, // 0x04 - SMI function parameter
10
11
         SCIF, 8, // 0x05 - SCI function
12
         PRM2, 8, // 0x06 - SCI function parameter
         PRM3, 8, // 0x07 - SCI function parameter
13
14
         LCKF,
                8, // 0x08 - Global Lock function for EC
                 8, // 0x09 - Lock function parameter
15
         PRM4,
16
         PRM5,
                 8, // 0x0a - Lock function parameter
17
     . . .
18
         CMEM,
                32, // 0x18 - 0x1b - CBMEM TOC
19
         CBMC,
                 32, // 0x1c - 0x1f - Coreboot Memory Console
                64, // 0x20 - 0x27 - PM1 wake status bit
20
         PM1I,
21
                64, // 0x28 - 0x2f - GPE wake status bit
         GPEI,
22
23
         /* ChromeOS specific */
24
         Offset (0x100),
25
         #include <vendorcode/google/chromeos/acpi/gnvs.asl>
26
27
         /* Device specific */
         Offset (0x1000),
28
29
         #include "device nvs.asl"
30
     }
31
```

#### How do we find CBMEM and ACPI tables?

|               |                                             | coreinfo 0.1                                                                                                      |
|---------------|---------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
| oles          |                                             |                                                                                                                   |
| IVO           |                                             |                                                                                                                   |
| ad X230       |                                             |                                                                                                                   |
| -420-g6bf1301 |                                             |                                                                                                                   |
|               | C                                           | 2017 (0.)                                                                                                         |
|               |                                             |                                                                                                                   |
|               |                                             | 1110000000000000000                                                                                               |
|               |                                             | 11100000000000000000000000000000000000                                                                            |
|               |                                             | 111100000000000000000000000000000000000                                                                           |
|               |                                             | 00000000bff19fff                                                                                                  |
|               | -                                           | 00000000000000000000000000000000000000                                                                            |
|               | p<br>00000000000000000<br>00000000000000000 | VO         ad X230         -420-g6bf1301         Jun 13 20:45:57 UTC         000000000000000000000000000000000000 |

# **Coreboot is allocating GNVS area...**

```
void southcluster inject dsdt(device t device)
]{
    global nvs t *gnvs;
                                                                   Allocate GNVS area in
                                                                         CBMEM
    gnvs = cbmem find (CBMEM ID ACPI GNVS);
    if (!qnvs) {
        gnvs = cbmem add(CBMEM ID ACPI GNVS, sizeof(*gnvs));
        if (qnvs)
            memset(qnvs, 0, sizeof(*qnvs));
                                                                   Create GNVS structure
    if (qnvs) {
        acpi create gnvs(gnvs);
        acpi mainboard gnvs(gnvs);
        acpi save gnvs((unsigned long)gnvs);
                                                                  Save pointer to GNVS in
        /* And tell SMI about it */
                                                                  GNVS PTR CBMEM area
        smm setup structures (gnvs, NULL, NULL);
        /* Add it to DSDT. */
        acpigen write scope("\\");
                                                                  Add GNVS area to DSDT
        acpigen write name dword ("NVSA", (u32) gnvs);
        acpigen pop len();
                                                                        ACPI table
```

# Searching for GNVS in ACPI tables...

- GNVS area is allocated in CBMEM backed by in-memory database (IMD) with CBMEM\_ID\_ACPI\_GNVS
- Pointer to GNVS area is stored in DSDT ACPI table in NVSA field
  - The table can be found with chipsec\_util acpi list or manually in "Tables" area of Coreboot memory map
- After decompiling DSDT, NVSA field contains GNVS address (0xBFF2D000)

```
Scope (\)
{
    Name (NVSA, 0xBFF2D000)
}
```

# Searching for GNVS in CBMEM...

CBMEM\_ID\_ACPI\_GNVS entry in in-memory database (IMD)

| E4FF0: | 1D 0 | 7 EB        | 01    | 12   | DA    | B2        | AA   | 81 | 94         | 38 | C0        | 08    | FC         | FF    | FF     | ⇔∙ë©\$Ú²ª[ | 2 <b>"8À</b> | üÿÿ  |
|--------|------|-------------|-------|------|-------|-----------|------|----|------------|----|-----------|-------|------------|-------|--------|------------|--------------|------|
| E5000: | FE Ø | 0 00        | 00    | 0C   | 00    | 00        | 00   | 00 | 00         | 00 | 00        | 00    | IMD        | Ro    | ot Sig | gnature    |              | •    |
| E5010: | 00 0 | 0 00        | 00    | 7E   | 6B    | <b>C7</b> | 3F   | 00 | 00         | 00 | 00        | 00    | ТQ         | 00    | 00     | ~kÇ?       |              |      |
| E5020: | FF 1 | 7 40        | FF    | 7E   | 6B    | <b>C7</b> | 3F   | 00 | FØ         | FF | FF        | 00    | 10         | 00    | 00     | ÿ⊈@ÿ~kÇ?   | ðÿÿ          |      |
| E5030: | 39 1 | 4 A1        | 53    | 7E   | 6B    | <b>C7</b> | 3F   | 00 | FØ         | FD | FF        | 00    | 00         | 02    | 00     | 9¶;S~kÇ?   | ðýÿ          | e    |
| E5040: | 53 4 | E 4F        | 43    | 7E   | 6B    | C7        | 3F   | 00 | A0         | FD | FF        | 00    | 50         | 00    | 00     | SNOC~kÇ?   | ýÿ           | Ρ    |
| E5050: | C4 7 |             | Intry | Siar | ootuu |           | 3F   | 00 | A0         | F٩ |           | 00    | 00         | 01    | 00     | Äz5⊵~kÇ?   | ùÿ           | •    |
| E5060: | 9E 7 | imd e       | _nu y | Sigi | latui | e         | 3F   | 00 | <b>B</b> Ø | F  | Da        | ta st | art o      | ffset | t 🛛    | žz5š~kÇ?   | °õÿp         | oè♥  |
| E5070: | 00 E | 1 A9        | 57    | 7E   |       | <b>C7</b> | 3F   | 00 | 30         | Fъ |           | -00   | 80         | 00    | 00     | á©W~kÇ?    | 0õÿ          | €    |
| E5080: | 42 5 | 4 42        | 43    | 7F   | 66    | <u>C7</u> | 3F   | 00 | F0         | F  | FF        | 00    | 40         | 02    | 00     | BTBC~kÇ?   | ðòÿ          | @•   |
| E5090: | 49 5 | <u>0 43</u> | 41    | 7E   | 6B    | <b>C7</b> | 3F   | 00 | ΕØ         | F2 | FF        | 00    | 10         | 00    | 00     | IPCA~kÇ?   | àòÿ          |      |
| E50A0: | 53 5 | 6 4E        | 47    | 7E   | 6B    | C7        | 3F   | 00 | E0         | F1 | FF        | 00    | 00         | 01    | 00     | SVNG~kÇ?   | àñÿ          | Θ    |
| E50B0: |      |             |       |      |       |           |      | 00 | C0         | F1 | FF        | 00    | 20         | 00    | 00     | APCT~kÇ?   | Àñÿ          |      |
| E50C0: | 49 4 | 7 44        | IMD   | Entr | v ID  | "GN       | IVS" | 00 | <b>B</b> Ø | F1 | FF        | 00    | <b>0</b> 8 | 00    | 00     | IGDO~kÇ?   | °ñÿ          | •    |
| E50D0: | 54 4 | 2 4[        |       |      | ,     |           |      | 5D | EB         | C4 | <b>B8</b> | D3    | 5C         | FB    | A3     | TBMS←5ª\   | ]ëÄ,Ć        | Ó\û£ |

# So why are we interested in GNVS area?

- GNVS area is allocated during "Write ACPI Tables" boot stage (bs\_write\_tables)
- A pointer to GNVS area (GNVP) is also stored in CBMEM\_ID\_ACPI\_GNVS\_PTR area allocated in CBMEM (on Broadwell based systems and above?)

```
src\arch\x86\acpi.c
```

```
void acpi_save_gnvs(u32 gnvs_address)
{
    u32 *gnvs = cbmem_add(CBMEM_ID_ACPI_GNVS_PTR, sizeof(*gnvs));
    if (gnvs)
        *gnvs = gnvs_address;
    }
```

# When resuming from S3 Sleep...

```
Find GNVS_PTR in CBMEM
                                                                     & read GNVP pointer
void acpi resume(void *wake vec)
#if CONFIG HAVE SMI HANDLER
    u32 *gnvs address = cbmem find (CBMEM ID ACPI GNVS PTR);
    /* Restore GNVS pointer in SMM if found */
                                                                    Update GNVP pointer
    if (gnvs address && *gnvs address) {
                                                                   restored from CBMEM in
        printk(BIOS_DEBUG, "Restore GNVS pointer to 0x%08x\n"
                                                                  SMM (if SMI handler exists)
               *qnvs address);
        smm setup structures((void *)*gnvs address, NULL, NULL);
#endif
    /* Call mainboard resume handler first, if defined. */
   mainboard suspend resume();
                                                                 Jump to OS Waking Vector in
   post code (POST OS RESUME);
                                                                         FACS table
    acpi jump to wakeup (wake vec);
```

# Updating SMM copy of GNVP pointer...

void smm\_setup\_structures (void \*gnvs, void \*tcg,

{

```
/*
 * Issue SMI to set the gnvs pointer
 * tcg and smi1 are unused.
 *
 * EAX = APM_CNT_GNVS_UPDATE
 * EBX = gnvs pointer
 * EDX = APM_CNT
 */
asm volatile (
    "outb %%al, %%dx\n\t"
    : /* ignore result */
    [: "a" (APM_CNT_GNVS_UPDATE),
        "b" ((u32)gnvs),
        "d" (APM_CNT)
);
```

APM\_CNT\_GNVS\_UPDATE SMI updates SMM copy of GNVP from EBX restored from CBMEM

```
static void southbridge smi apmc(void)
    u8 reg8;
    em64t101 smm state save area t *state;
    /* Emulate B2 register as the FADT / Linux expects it */
    reg8 = inb(APM CNT);
    switch (reg8) {
. . .
    case APM CNT GNVS UPDATE:
        if (smm initialized) {
            printk(BIOS DEBUG,
                   "SMI#: SMM structures already initialized!\n");
            return;
        state = smi apmc find state save(reg8);
        if (state) {
            /* EBX in the state save contains the GNVS pointer */
            gnvs = (global nvs t *) ((u32) state->rbx);
            smm initialized = 1;
            printk(BIOS DEBUG, "SMI#: Setting GNVS to %p\n", gnvs);
```

#### **SMI handlers never check GNVS pointer**

- GNVS pointer is stored in CBMEM area of DRAM which is preserved across S3
- During S3 resume, the pointer is restored from CBMEM in SMM
- SMI handlers use GNVS as a communication buffer with OS (read settings, write results)
- E.g. IOTRAP SMI handler writes byte 0x0 to gnvs→smif (if SMIF value is already 0x32)
- → Limited write primitive in SMM (with controlled address but not the value)

```
int southbridge_io_trap_handler(int smif)
{
    switch (smif) {
    case 0x32:
        printk(BIOS_DEBUG, "OS Init\n");
        /* gnvs->smif:
        * On success, the IO Trap Handler returns 0
        * On failure, the IO Trap Handler returns a value != 0
        */
        gnvs->smif = 0;
        return 1; /* IO trap handled */
}
```

# That leads to potential vulnerability on S3 resume

- Attacker could modify GNVS pointer in ACPI\_GNVS\_PTR area in memory (to e.g. overlap with SMRAM) & cause system to enter S3
- Firmware would restore modified GNVS pointer in SMM upon resuming from S3 state
- Attacker then could trigger SMI (e.g. IOTRAP) forcing SMI handler to write/modify memory at controlled GNVS address
- So far only  $0 \times 32 \rightarrow 0$  and  $0 \times 99 \rightarrow 0$  write primitives found
- Only some systems have this issue:
  - Not all systems with Coreboot store GNVS\_PTR (some just store GNVS pointer in SMM once at normal boot like our IVB based Lenovo x230)
  - Not all systems support S3 state

# **Mitigation Options**

- One option is to always store GNVS pointer (GNVP) in SMRAM and not restore from CBMEM as SMRAM is also preserved in S3
- In general, SMI handlers have to check all pointers/addresses for overlap with SMRAM just like EDKII does

# **SMI Handler Issues in Coreboot**

#### SMM/GPU MBI Interface in i82830 SMI Handler

```
static void smi interface call(void)
 u8 *mmio = (u8 *)pci read config32(PCI DEV(0, 0x02, 0), 0x14);
   // mmio &= 0xfff80000;
   // printk(BIOS DEBUG, "mmio=%x\n", mmio);
                                                                             Read SWSMI code
   ul6 swsmi = pci_read_config16(PCI_DEV(0, 0x02, 0), 0xe0); -
                                                                              from CPU MMIO
                                                                               register 0xE0
   if (!(swsmi & 1))
        return;
    swsmi &= ~(1 << 0); // clear SMI toggle</pre>
    switch ((swsmi>>1) & 0xf) {
    case 0:
        printk(BIOS DEBUG, "Interface Function Presence Test.\n");
. . .
       // write magic
        write32(mmio + 0x71428, 0x494e5443);
        return;
. . .
    case 5:
        printk(BIOS DEBUG, "Call MBI Functions.\n");
        mbi_call(swsmi >> 8, (banner_id_t *)((read32(mmio + 0x71428) & 0x000fffff) + OBJ OFFSET));
. . .
```

#### **GPU-SMM MBI Interface in i82830 SMI Handler**

static void smi\_interface\_call(void)

. . .

```
Read base address
 u8 *mmio = (u8 *)pci read config32(PCI DEV(0, 0x02, 0), 0x14);
    // mmio \epsilon = 0 \times fff 80000
                                                                                  of GPU MMIO range
   // printk(BIOS DEBUG, "mmio=%x\n", mmio);
   ul6 swsmi = pci read config16(PCI DEV(0, 0x02, 0), 0xe0);
   if (!(swsmi & 1))
       return;
   swsmi &= ~(1 << 0); // clear SMI toggle</pre>
   switch ((swsmi>>1) & 0xf) {
   case 0:
       printk(BIOS DEBUG, "Interface Function Presence Test.\n");
. . .
       // write magic
       write32(mmio + 0x71428, 0x494e5443);
       return;
. . .
   case 5:
       printk(BIOS DEBUG, "Call MBI Functions.\n");
       mbi_call(swsmi >> 8, (banner_id_t *)((read32(mmio + 0x71428) & 0x000fffff) + OBJ OFFSET));
```

#### **GPU-SMM MBI Interface in i82830 SMI Handler**

static void smi\_interface\_call(void)

```
u8 *mmio = (u8 *)pci_read_config32(PCI_DEV(0, 0x02, 0), 0x14);
                                                                            Read base address
  of GPU MMIO range
 // printk(BIOS DEBUG, "mmio=%x\n", mmio);
 ul6 swsmi = pci read config16(PCI DEV(0, 0x02, 0), 0xe0);
 if (!(swsmi & 1))
     return;
  swsmi &= ~(1 << 0); // clear SMI toggle</pre>
  switch ((swsmi>>1) & 0xf) {
  case 0:
     printk(BIOS DEBUG, "Interface Function Presence Test.\n");
                                                                     Write "CTNI" magic to offset
      // write magic
                                                                       0x71428 in GFx MMIO
      write32 (mmio + 0x71428, 0x494e5443);
                                                                    (address controlled by exploit)
      return;
  case 5:
     printk(BIOS DEBUG, "Call MBI Functions.\n");
     mbi call(swsmi >> 8, (banner id t *)((read32(mmio + 0x71428) & 0x000fffff) + OBJ OFFSET));
```

. . .

# Calling MBI functions...

```
static void smi interface call(void)
  u8 *mmio = (u8 *)pci read config32(PCI DEV(0, 0x02, 0), 0x14);
    // mmio &= 0xfff80000;
    // printk(BIOS DEBUG, "mmio=%x\n", mmio);
    ul6 swsmi = pci read config16(PCI DEV(0, 0x02, 0), 0xe0);
    if (!(swsmi & 1))
        return;
                                                                            Read the value from offset
    swsmi &= ~(1 << 0); // clear SMI toggle</pre>
                                                                           0 \times 71428 in GFx MMIO and
                                                                          pass it as an argument to MBI
    switch ((swsmi>>1) & 0xf) {
                                                                                  function call
    case 0:
        printk(BIOS DEBUG, "Interface Function Presence Test.\n");
. . .
        // write magic
        write32(mmio + 0x71428, 0x494e5443);
        return;
    case 5:
        printk(BIOS DEBUG, "Call MBI Functions.\n");
        mbi_call(swsmi >> 8, (banner_id_t *)((read32(mmio + 0x71428) & 0x000fffff) + OBJ OFFSET));
```

# Calling MBI functions...

- SMI handler reads argument for MBI from SWF16 (SW Flags) register at offset 0x71428 in Graphics MMIO (VGA Display)
- That GPU register is not locked so attacker can control its contents
- The value of the register is an address to banner id t structure

```
typedef struct {
    u32 mhid;
    u32 function;
    u32 retsts;
    u32 rfu;
} __attribute__((packed)) banner_id_t;
```

#### Unchecked banner\_id pointer... 1/3

• Writes at the controlled address pointed to by version

```
static void mbi call(u8 subf, banner id t *banner id)
. . .
    switch(banner id->function) {
    case 0x0001: {
        version t *version;
        printk(BIOS DEBUG, "|- MBI QueryInterface\n");
        version = (version t *)banner id;
        version->banner.retsts = MSH OK;
        version->versionmajor = 1;
        version->versionminor = 3;
        version->smicombuffersize = 0x1000;
```

#### Unchecked banner\_id pointer... 2/3

₽

E

```
case 0x0201: {
       obj header t *obj header = (obj header t *)banner id;
       mbi header t *mbi header = NULL;
       printk(BIOS DEBUG, "|- MBI GetObjectHeader\n");
       printk(BIOS DEBUG, "| |- objnum = %d\n", obj header->objnum);
       int i, count = 0;
       obj header->banner.retsts = MSH_IF_NOT_FOUND;
       for (i = 0; i < mbi len;) {</pre>
. . .
          mbi header = (mbi header t *)&mbi[i];
          len = ALIGN((mbi header->size * 16) + sizeof(mbi header) + ALIGN(mbi header->name len,
           if (obj header->objnum == count) {
. . .
              int headerlen = ALIGN (sizeof (mbi header) + ALIGN (mbi header->name len, 16), 16);
. . .
              memcpy(&obj header->header, mbi header, headerlen);
              obj header->banner.retsts = MSH OK;
. . .
       if (obj header->banner.retsts == MSH IF NOT FOUND)
          break;
```

#### Unchecked banner\_id pointer... 3/3

```
case 0x0203: {
1
    2
              get object t *getobj = (get object t *)banner id;
 3
      . . .
 4
             printk(BIOS DEBUG, "| |- objnum = %d\n", getobj->objnum);
 5
              printk(BIOS DEBUG, "| |- start = %x\n", getobj->start);
 6
              printk(BIOS DEBUG, "| |- numbytes = %x\n", getobj->numbytes);
 7
              printk(BIOS DEBUG, "| |- buflen = %x\n", getobj->buflen);
 8
              printk(BIOS DEBUG, "| |- buffer = %x\n", getobj->buffer);
 9
10
              int i, count = 0;
11
              getobj->banner.retsts = MSH IF NOT FOUND;
12
13
    E
              for (i = 0; i< mbi len;) {</pre>
14
     . . .
15
                 mbi header = (mbi header t *) & mbi[i];
16
                 headerlen = ALIGN(sizeof(mbi header) + ALIGN(mbi header->name len, 16), 16);
17
                  objectlen = ALIGN((mbi header->size * 16), 16);
18
19
    -
                  if (getobj->objnum == count) {
20
                      printk(BIOS DEBUG, "| |- len = %x\n", headerlen + objectlen);
21
22
                      memcpy((void *)(getobj->buffer + OBJ OFFSET),
                              ((char *)mbi header) + headerlen, (objectlen > getobj->buflen) ? getobj->buflen : objectlen);
23
24
25
                      getobj->banner.retsts = MSH OK;
26
      . . .
27
28
                  i += (headerlen + objectlen);
29
                  count++;
30
31
              if (getobj->banner.retsts == MSH IF NOT FOUND)
                  printk(BIOS DEBUG, "MBI module %d not found.\n", getobj->objnum);
32
33
      . . .
34
         default:
35
              printk(BIOS DEBUG, "|- function %x\n", banner id->function);
```

# Write Protections

#### What about write protections?

- Read-Only part of Coreboot firmware in SPI flash devices is hardware write protected in Chromebooks Yes, with a screw asserting /WP in SPI!
- What if you manually flash Coreboot on a random system?

#### After flashing Coreboot on Lenovo x230...



# To summarize

- SMM based firmware write protection is off
- SPI protected range registers are disabled
- TCO and Global SMI are not locked down
- SPI config is not locked
- SMRAM can be DMA'd into

- And the system doesn't use /WP pin on SPI device like in Chromebooks
- → Super Crazy Developer Mode

#### That's the protection...

```
static void southbridge smi tco(void)
 2
    3
         u32 tco sts = clear tco status();
 4
 5
         /* Any TCO event? */
 6
          if (!tco sts)
              return;
 8
 9
          // BIOSWR
10
          if (tco sts & (1 << 8)) {
11
              u8 bios cntl = pci read config16 (PCH DEV LPC, BIOS CNTL);
12
13
              if (bios cntl & 1) {
    —
14
                  /*
15
                   * BWE is RW, so the SMI was caused by a
                   * write to BWE, not by a write to the BIOS
16
17
                   *
                   * This is the place where we notice someone
18
19
                   * is trying to tinker with the BIOS. We are
                   * trying to be nice and just ignore it. A more
20
                   * resolute answer would be to power down the
21
22
                   * box.
23
                   */
24
                  printk(BIOS DEBUG, "Switching back to RO\n");
25
                  pci write config32 (PCH DEV LPC, BIOS CNTL,
26
                              (bios cntl \& \sim 1);
                /* No else for now? */
27
```

#### What about Libreboot?

From <a href="https://libreboot.org/faq.html#how-do-i-program-an-spi-flash-chip">https://libreboot.org/faq.html#how-do-i-program-an-spi-flash-chip</a>

#### How do I write-protect the flash chip?

By default, there is no write-protection on a libreboot system. This is for usability reasons, because most people do not have easy access to an external programmer for re-flashing their firmware, or they find it inconvenient to use an external programmer.

On some systems, it is possible to write-protect the firmware, such that it is rendered read-only at the OS level (external flashing is still possible, using dedicated hardware). For example, on current GM45 laptops (e.g. ThinkPad X200, T400), you can write-protect (see ICH9 gen utility).

It's possible to write-protect on all libreboot systems, but the instructions need to be written. The documentation is in the main git repository, so you are welcome to submit patches adding these instructions.

# Conclusion

- Coreboot contains significant amount of platform dependent code
- Platform dependent SMI handlers don't check pointers
- ACPI NVS is an attack vector as it stored data across S3 sleep state
- Not a lot of public research into Coreboot vulnerabilities
- In Chromebooks, Coreboot uses SPI device's /WP mechanism and Verified Boot. In other systems, Coreboot is not write protected
- If you want to build and flash Coreboot on x86 non-Chromebooks, enable write protection manually (set BC.SMM\_BWP)

# **Thank You!**