Documentation: Add technote/design doc for mitigating ReBAR issue
Change-Id: Icba9d7910dfd46f32a2c46b6fd064a9cc8e3beac Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Reviewed-on: https://review.coreboot.org/19242 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
This commit is contained in:
parent
af295495c2
commit
852debe648
|
@ -0,0 +1,136 @@
|
|||
Dealing with Untrusted Input in SMM
|
||||
===================================
|
||||
|
||||
Objective
|
||||
---------
|
||||
Intel Security recently held a talk and published
|
||||
[slides](http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017_BARing_the_system.pdf)
|
||||
on a vulnerability in SMM handlers on x86 systems. They provide examples
|
||||
on how both UEFI and coreboot are affected.
|
||||
|
||||
Background
|
||||
----------
|
||||
SMM, the System Management Mode, is a CPU mode that is configured by
|
||||
firmware and survives the system’s initialization phase. On certain
|
||||
events that mode can be triggered and executes code, suspending the
|
||||
current processing that is going on the CPU, no matter whether it’s
|
||||
in kernel or user space.
|
||||
|
||||
In SMM, the CPU has access to memory dedicated to that mode (SMRAM) that
|
||||
is normally inaccessible, and typically some restrictions are lifted as
|
||||
well (eg. in some configurations, certain flash write protection registers
|
||||
are writable in SMM only). This makes SMM a target for attacks which
|
||||
seek to elevate a ring0 (kernel) exploit to something permanent.
|
||||
|
||||
Overview
|
||||
--------
|
||||
Intel Security showed several places in coreboot’s SMM handler (Slides
|
||||
32+) that could be manipulated into writing data at user-chosen addresses
|
||||
(SMRAM or otherwise), by modifying the BAR (Base Address Register) on
|
||||
certain devices. By picking the right addresses and the right events
|
||||
(and with them, mutators on the data at these addresses), it might
|
||||
be possible to change the SMM handler itself to call into regular RAM
|
||||
(where other code resides that then can work with elevated privileges).
|
||||
|
||||
Their proposed mitigations (Slide 37) revolve around making sure
|
||||
that the BAR entries are reasonable, and point to a device instead of
|
||||
regular memory or SMRAM. They’re not very detailed on how this could
|
||||
be implemented, which is what this document discusses.
|
||||
|
||||
Detailed Design
|
||||
---------------
|
||||
The attack works because the SMM handler trusts the results of the
|
||||
`pci_read_config32(dev, reg)` function, even though the value read by that
|
||||
function can be modified in kernel mode.
|
||||
|
||||
In the general case it’s not possible to keep the cached value from
|
||||
system initialization because there are legitimate modifications the
|
||||
kernel can do to these values, so the only remedy is to make sure that
|
||||
the value isn’t totally off.
|
||||
|
||||
For applications where hardware changes are limited by design (eg. no
|
||||
user-modifiable PCIe slots) and where the running kernel is known,
|
||||
such as Chromebooks, further efforts include caching the BAR settings
|
||||
at initialization time and comparing later accesses to that.
|
||||
|
||||
What "totally off" means is chipset specific because it requires
|
||||
knowledge of the memory map as seen by the memory controller: which
|
||||
addresses are routed to devices, which are handled by the memory
|
||||
controller itself?
|
||||
The proposal is that in SMM, the `pci_read_config` functions (which
|
||||
aren’t timing critical) _always_ validate the value read from a given
|
||||
set of registers (the BARs) and fail hard (ie. cold reset, potentially
|
||||
after logging the event) if they’re invalid (because that points to
|
||||
a severe kernel bug or an attack).
|
||||
The actual validation is done by a function implemented by the chipset code.
|
||||
|
||||
Another validation that can be done is to make sure that the BAR has the
|
||||
appropriate bits set so it is enabled and points to memory (instead of
|
||||
IO space).
|
||||
|
||||
In terms of implementation, this might look somewhat as follows. There
|
||||
are a bunch of blanks to fill in, in particular how to handle the actual
|
||||
config space access and there will be more registers that need to be
|
||||
checked for correctness, both official BARs (0-4) and per-chipset
|
||||
registers that need to be blacklisted in another chipset specific
|
||||
function:
|
||||
|
||||
```c
|
||||
static inline __attribute__((always_inline))
|
||||
uint32_t pci_read_config32[d](pci_devfn_t dev, unsigned int where)
|
||||
{
|
||||
uint32_t val = real_pci_read_config32(dev, where);
|
||||
if (IS_ENABLED(__SMM__) && (where == PCI_BASE_ADDRESS_0) &&
|
||||
is_mmio_ptr(dev, where) && !is_address_in_mmio(val)) {
|
||||
cold_reset();
|
||||
}
|
||||
return val;
|
||||
}
|
||||
```
|
||||
|
||||
`is_address_in_mmio(addr)` would be a newly introduced function to be
|
||||
implemented by chipset drivers that returns true if the passed address
|
||||
points into whatever is considered valid MMIO space.
|
||||
`is_mmio_ptr(dev, where)` returns true for PCI config space registers that
|
||||
point to BARs (allowing custom overrides because sometimes additional
|
||||
registers are used to point to addresses).
|
||||
|
||||
For this function what is considered a legal address needs to be
|
||||
documented, in accordance with the chipset design. (For example: AMD
|
||||
K8 has a bunch of registers that define strictly which addresses are
|
||||
"MMIO")
|
||||
|
||||
### Fully insured (aka “paranoid”) mode
|
||||
For systems with more control over the hardware and kernel (such as
|
||||
Chromebooks), it may be possible to set up the BARs in a way that the
|
||||
kernel isn’t compelled to rewrite them, and store these values for
|
||||
later comparison.
|
||||
|
||||
This avoids attacks such as setting the BAR to point to another device’s
|
||||
MMIO region which the above method can’t catch. Such a configuration
|
||||
would be “illegal”, but depending on the evaluation order of BARs
|
||||
in the chipset, this might effectively only disable the device used for
|
||||
the attack, while still fooling the SMM handler.
|
||||
|
||||
Since this method isn’t generalizable, it has to be an optional
|
||||
compile-time feature.
|
||||
|
||||
Caveats
|
||||
-------
|
||||
This capability might need to be hidden behind a Kconfig flag
|
||||
because we won’t be able to provide functional implementations of
|
||||
`is_address_in_mmio()` for every chipset supported by coreboot from the
|
||||
start.
|
||||
|
||||
Security Considerations
|
||||
-----------------------
|
||||
The actual exploitability of the issue is unknown, but fixing it serves
|
||||
as defense in depth, similar to the
|
||||
[Memory Sinkhole mitigation](https://review.coreboot.org/#/c/11519/) for
|
||||
older Intel chipsets.
|
||||
|
||||
Testing Plan
|
||||
------------
|
||||
Manual testing can be conducted easily by creating a small payload that
|
||||
provokes the reaction. It should test all conditions that enable the
|
||||
address test (ie. the different BAR offsets if used by SMM handlers).
|
Loading…
Reference in New Issue