smm_dma module

SMM TSEG Range Configuration Checks

This module examines the configuration and locking of SMRAM range configuration protecting from DMA attacks. If it fails, then DMA protection may not be securely configured to protect SMRAM.

Just like SMRAM needs to be protected from software executing on the CPU, it also needs to be protected from devices that have direct access to DRAM (DMA). Protection from DMA is configured through proper programming of SMRAM memory range. If BIOS does not correctly configure and lock the configuration, then malware could reprogram configuration and open SMRAM area to DMA access, allowing manipulation of memory that should have been protected.

References:

• System Management Mode Design and Security Issues

• Summary of Attack against BIOS and Secure Boot

Usage:

chipsec_main -m smm_dma

Examples:

>>> chipsec_main.py -m smm_dma

Registers used:

• TSEGBaseLock (control)

• TSEGLimitLock (control)

• MSR_BIOS_DONE.IA_UNTRUSTED

• PCI0.0.0_TSEGMB.TSEGMB

• PCI0.0.0_BGSM.BGSM

• IA32_SMRR_PHYSBASE.PhysBase

• IA32_SMRR_PHYSMASK.PhysMask

Supported Platforms:

• Core (client)