## Advanced x86: BIOS and System Management Mode Internals SMM & Caching

## Xeno Kovah && Corey Kallenberg LegbaCore, LLC



### All materials are licensed under a Creative Commons "Share Alike" license. http://creativecommons.org/licenses/by-sa/3.0/

You are free:



to Share — to copy, distribute and transmit the work

to Remix - to adapt the work

#### Under the following conditions:

Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).



Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license.

Attribution condition: You must indicate that derivative work

"Is derived from John Butterworth & Xeno Kovah's 'Advanced Intel x86: BIOS and SMM' class posted at http://opensecuritytraining.info/IntroBIOS.html" 2

### **SMRAM** and Caching

## **Cache Basics**

- Temporary storage located on the CPU
- Accesses to data/instructions in cache are much faster than those to physical memory
- Caching is available in all operating modes, including SMM
- Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs)
- MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory
- Typically configured by BIOS but can also be configured by the operating system as needed



### Memory Caching Types

- Physical memory ranges can be defined as having one of these types of caching properties
- The only one we'll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuck et al.
  - Getting into SMRAM: SMM Reloaded, <u>https://cansecwest.com/csw09/csw09-duflot.pdf</u>
  - Attacking Memory via Intel CPU Cache Poisoning, <u>http://invisiblethingslab.com/resources/misc09/smm\_cache\_fun.pdf</u>
- The attack is brilliant in its simplicity

| Memory Type and Mnemonic | Encoding in MTRR |  |
|--------------------------|------------------|--|
| Uncacheable (UC)         | 00H              |  |
| Write Combining (WC)     | 01H              |  |
| Reserved*                | 02H              |  |
| Reserved*                | 03H              |  |
| Write-through (WT)       | 04H              |  |
| Write-protected (WP)     | 05H              |  |
| Writeback (WB)           | 06H              |  |
| Reserved*                | 7H through FFH   |  |

#### Table 11-8. Memory Types That Can Be Encoded in MTRRs

\* Use of these encodings results in a general-protection exception (#GP).

NOTE:

## Write-back (WB)

- The point of Write-back caching is to reduce the amount of bus traffic between the processor and memory
- Reads come from <u>cache lines</u> on <u>cache hits</u>
- Writes are performed in the cache and not immediately written/flushed to memory
- Both read and write misses cause cache fills
- Modified CPU cache lines are written back (write-back) to memory at a later time\*
- Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache
- Subsequent reads/writes from/to that address will be from/to cache instead of memory
- Until the processor writes-back that cache to memory\*

### https://cansecwest.com/csw09/csw09-duflot.pdf





(D\_LCK bit)

- The access control point is in the chipset and the chipset does not "see" what happens inside the cache.
- Code running on the CPU can decide the caching strategy.
- Plus, the chipset does not even know where the SMRAM really is (SMBASE only known to the CPU).
- Isn't there a coherency problem here?

19

### https://cansecwest.com/csw09/csw09-duflot.pdf



### **Basic idea: SMI handler stays in** <u>cache</u>



21

https://cansecwest.com/csw09/csw09-duflot.pdf



### **Basic idea: attacker writes to the SMRAM**

• When the CPU is not in SMM, the CPU cannot write in SMRAM. But if the SMRAM is cached in Write Back mode, the CPU only writes to the cached version and not in memory.



Loïc Duflot - SGDN/ DCSSI - SMM Reloaded - CanSecWest 2009 http://www.ssi.gouv.fr 22

# The fix: SMRR

- The preceding is a great example of how security researchers can influence industry for the better. Damn fine job.
- System-Management Range Register (SMRR) was introduced in Intel's x64 architecture\*
- Provides a PHYSBASE/PHYSMASK pair just like MTRRs
- Prevents the kind of attack that we just saw in the preceding example
- SMRR restricts access to the address range defined in the SMRR registers
- Defines the memory type (caching) for the SMRAM range
- SMRRs can be written to only when the processor is in SMM
- SMRR takes priority over MTRR in case of overlapping ranges

\* This is one of the only architecture-dependent security mechanisms. So far up to this point all has been x32/x64 agnostic 10

## SMRR



- When the processor is in SMM:
  - Memory accesses to this range will use the memory type defined in SMRR\_PHYSBASE
- When the processor is not in SMM:
  - Memory reads return a fixed value (0xFF in my experience)
  - Memory writes are ignored
  - Memory type is Uncacheable

# Verify SMRR Support: IA32\_MTRRCAP

| 🔢 Comr                                                                                   | nand |                        |                                                                     |        |  |  |
|------------------------------------------------------------------------------------------|------|------------------------|---------------------------------------------------------------------|--------|--|--|
|                                                                                          |      |                        |                                                                     |        |  |  |
|                                                                                          |      |                        |                                                                     | •      |  |  |
| >rdmsr                                                                                   |      |                        |                                                                     | *      |  |  |
| Read MSR 0xFE : High 32bit(EDX) = 0x00000000, Low 32bit(EAX) = 0x00000D07                |      |                        |                                                                     |        |  |  |
| 63 56 55 48 47 40 39 32 31 24 23 16 15 8 7 0<br>00000000-00000000-00000000-00000000-0000 |      |                        |                                                                     |        |  |  |
|                                                                                          |      |                        |                                                                     |        |  |  |
| FEH                                                                                      | 254  | IA32_MTRRCAP (MTRRcap) | MTRR Capability (RO) Section 1.11.2.1,<br>"IA32_MTRR_DEF_TYPE M&R." | 06_01H |  |  |
|                                                                                          |      | 7:0                    | VCNT: The number of variable memory type ranges in the processor.   |        |  |  |
|                                                                                          |      | 8                      | Fixed ange MTRRs are supported when set.                            |        |  |  |
|                                                                                          |      | 9                      | Reserved.                                                           |        |  |  |
|                                                                                          |      | 10                     | WC Supported when set.                                              |        |  |  |
|                                                                                          |      | 11                     | SMRR Supported when set.                                            |        |  |  |
|                                                                                          |      | 63:12                  | Reserved.                                                           |        |  |  |
| 1                                                                                        | 1    |                        | 1                                                                   | T      |  |  |
|                                                                                          |      |                        |                                                                     |        |  |  |

- SMRR is supported on a system if bit 11 in the IA32\_MTRRCAP MSR is set
- Verify next that it is being used

## SMRR MSR Number



- If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter)
- The MSR register addresses are non "architectural" and will therefore differ between architectures
  - That's why they are called Model-Specific Registers
- RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system
  - As of latest version

# Homework heads up

• Find the value of SMRR\_PHYSBASE for your particular hardware