smm_dma module

SMM TSEG Range Configuration Checks

This module checks that the SMRAM (TSEG) range is configured and locked so that it is protected from DMA attacks. If the check fails, DMA protection for SMRAM may not be securely configured.

Reference:

Just as SMRAM needs to be protected from software executing on the CPU, it also needs to be protected from devices that have direct access to DRAM (DMA). Protection from DMA is configured through proper programming of the SMRAM memory range. If the BIOS does not correctly configure and lock this configuration, malware could reprogram it and open the SMRAM area to DMA access, allowing manipulation of memory that should have been protected.

DMA attacks were discussed in:
  • Programmed I/O accesses: a threat to Virtual Machine Monitors?

  • System Management Mode Design and Security Issues

  • Summary of Attack against BIOS and Secure Boot https://www.defcon.org/images/defcon-22/dc-22-presentations/Bulygin-Bazhaniul-Furtak-Loucaides/DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf

Usage:

chipsec_main -m smm_dma

Examples:

>>> chipsec_main.py -m smm_dma

Registers used:
  • TSEGBaseLock (control)

  • TSEGLimitLock (control)

  • MSR_BIOS_DONE.IA_UNTRUSTED

  • PCI0.0.0_TSEGMB.TSEGMB

  • PCI0.0.0_BGSM.BGSM

  • IA32_SMRR_PHYSBASE.PhysBase

  • IA32_SMRR_PHYSMASK.PhysMask

Supported Platforms:
  • Core (client)
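
As an added example (not CHIPSEC's own code), the following decodes raw values of the registers listed above and applies an assumed pass rule: both TSEG lock bits set and the TSEG range covering the SMRR range. Bit layouts follow Intel client (Core) documentation; the function names and pass rule are assumptions, the sample values are constructed, and MSR_BIOS_DONE.IA_UNTRUSTED is not modeled.

```python
# Added illustration, not CHIPSEC source. The pass rule is an assumption.

def decode_tseg(tsegmb, bgsm):
    """TSEGMB / BGSM (PCI 0:0.0): bits 31:20 = address, bit 0 = lock."""
    base = tsegmb & 0xFFF00000
    limit = (bgsm & 0xFFF00000) - 1      # TSEG ends just below BGSM
    return base, limit, bool(tsegmb & 1), bool(bgsm & 1)

def decode_smrr(physbase, physmask):
    """IA32_SMRR_PHYSBASE / PHYSMASK: bits 31:12 = base / mask,
    PHYSMASK bit 11 = valid."""
    mask = physmask & 0xFFFFF000
    base = physbase & mask               # drops the memory-type bits 7:0
    size = ((~mask) & 0xFFFFFFFF) + 1
    return base, base + size - 1, bool(physmask & (1 << 11))

def check_smm_dma(tsegmb, bgsm, smrr_base_msr, smrr_mask_msr):
    """Return (passed, findings) for one set of raw register values."""
    findings = []
    t_base, t_limit, base_lock, limit_lock = decode_tseg(tsegmb, bgsm)
    s_base, s_limit, valid = decode_smrr(smrr_base_msr, smrr_mask_msr)
    if not base_lock:
        findings.append("TSEGMB is not locked")
    if not limit_lock:
        findings.append("BGSM is not locked")
    if not valid:
        findings.append("SMRR is not enabled")
    elif not (t_base <= s_base and s_limit <= t_limit):
        findings.append("TSEG 0x%08X-0x%08X does not cover SMRR 0x%08X-0x%08X"
                        % (t_base, t_limit, s_base, s_limit))
    return (not findings), findings

# Constructed sample values (not read from hardware): 8 MB TSEG at 0x8B000000.
GOOD = dict(tsegmb=0x8B000001, bgsm=0x8B800001,
            smrr_base_msr=0x8B000006, smrr_mask_msr=0xFF800800)
UNLOCKED = dict(GOOD, tsegmb=0x8B000000)   # TSEGMB lock bit clear
TOO_SMALL = dict(GOOD, bgsm=0x8B400001)    # TSEG ends 4 MB below the SMRR limit

if __name__ == "__main__":
    for name, regs in (("good", GOOD), ("unlocked", UNLOCKED),
                       ("too_small", TOO_SMALL)):
        passed, findings = check_smm_dma(**regs)
        print(name, "PASSED" if passed else "FAILED", findings)
```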