TLDR: We present a new tool for evaluating the security of AMD-based platforms and rediscover a long-forgotten vulnerability class that allowed us to fully compromise SMM in the Acer Swift 3 laptop (see Acer's advisory).
In the last decade, a lot of interesting research has been published around UEFI and System Management Mode (SMM) security. To provide a bit of background, SMM is the most privileged CPU mode on x86-based systems; it is sometimes referred to as ring -2 as it is more privileged than the kernel and even the hypervisor. Therefore, keeping SMM secure must be one of the main goals of the UEFI firmware.
One thing that caught our attention is that most, if not all, of the publicly available material is focused on Intel-based platforms. Since the release of CHIPSEC, the world has had a tool to quickly determine if the firmware does a good job protecting the system after the DXE phase and, as a result, it is hard to find misconfigured firmware in laptops from any of the major OEMs in 2022.
Make no mistake, it is not that AMD-based platforms are free from bugs. Nevertheless, judging by their descriptions, these seem to be associated with SMI handlers rather than platform security configurations. In contrast, the only presentation we found mentioning AMD platform security was done by Pete Markowsky in 2015.
This blog walks through the discovery and exploitation of a security issue that was automatically identified by an in-house developed tool.
Platbox is a firmware assessment tool that allows you to retrieve chipset configuration values and interact with PCIe devices, physical memory, MSRs, and so on. The project was born back in 2018 as part of a security evaluation for an OEM's Intel-based platform; however, we recently extended it to support AMD systems.
Source code, compiled binaries, and examples can be found here: https://github.com/IOActive/Platbox
Next, we evaluate the security of one of our target AMD systems and demonstrate how Platbox can be used to find chipset configuration issues.
- Flash protected ranges
- Flash lock configuration
- TSEG memory range
- SMM base address
- SMM lock configuration
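As an added example that is not Platbox code, the following Python decodes the AMD MSRs behind the TSEG, SMM base and SMM lock checks above and reports which combinations leave SMRAM reachable from ring 0. The MSR numbers and bit layouts are assumed from AMD's public processor documentation, the 48-bit physical address width is an assumption, and both MSR snapshots are constructed rather than real dumps.

```python
# Added example (not Platbox code): decode the AMD SMM-related MSRs behind the
# "TSEG memory range", "SMM base address" and "SMM lock configuration" checks and
# flag the combinations that leave SMRAM reachable from ring 0.
# Register layouts assumed from AMD's public BKDG/PPR documents:
#   HWCR     (0xC0010015) bit 0 SmmLock: once set, the SMM MSRs are read-only until reset
#   SMM_BASE (0xC0010111) per-core SMBASE (SMI entry point at SMBASE + 0x8000)
#   SMMAddr  (0xC0010112) bits 63:17 base of the TSEG region
#   SMMMask  (0xC0010113) bits 63:17 TSEG mask, bit 1 TValid, bit 0 AValid
MSR_HWCR = 0xC0010015
MSR_SMM_BASE = 0xC0010111
MSR_SMM_ADDR = 0xC0010112
MSR_SMM_MASK = 0xC0010113
PHYS_MASK = (1 << 48) - 1           # assumed 48-bit physical address width
FIELD_MASK = PHYS_MASK & ~0x1FFFF   # bits 47:17 of SMMAddr/SMMMask
ASEG = (0xA0000, 0xC0000)           # legacy SMRAM window covered by AValid

def tseg_range(smm_addr, smm_mask):
    """Return (base, size) of TSEG, or None when TValid is clear."""
    if not smm_mask & 0x2:
        return None
    base = smm_addr & FIELD_MASK
    mask = smm_mask & FIELD_MASK
    size = ((~mask) & FIELD_MASK) + 0x20000   # power-of-two region above bit 17
    return base, size

def assess_smm(msrs):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    if not msrs[MSR_HWCR] & 0x1:
        findings.append("SmmLock clear: SMM_BASE/SMMAddr/SMMMask writable from ring 0")
    rng = tseg_range(msrs[MSR_SMM_ADDR], msrs[MSR_SMM_MASK])
    if rng is None:
        findings.append("TValid clear: no TSEG, SMRAM above 1MB is not protected")
    smbase = msrs[MSR_SMM_BASE]
    in_tseg = rng is not None and rng[0] <= smbase < rng[0] + rng[1]
    in_aseg = bool(msrs[MSR_SMM_MASK] & 0x1) and ASEG[0] <= smbase < ASEG[1]
    if not (in_tseg or in_aseg):
        findings.append(f"SMM_BASE {smbase:#x} lies outside every protected SMRAM region")
    return findings

# Constructed MSR snapshots (not real dumps): a locked platform with an 8 MiB TSEG
# at 0xCF000000, and one where firmware never locked or validated SMRAM.
LOCKED = {MSR_HWCR: 0x1, MSR_SMM_BASE: 0xCF000000,
          MSR_SMM_ADDR: 0xCF000000, MSR_SMM_MASK: 0xFFFFFF800002}
UNLOCKED = {MSR_HWCR: 0x0, MSR_SMM_BASE: 0xCF000000,
            MSR_SMM_ADDR: 0xCF000000, MSR_SMM_MASK: 0xFFFFFF800000}

if __name__ == "__main__":
    for name, snap in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(name, assess_smm(snap) or ["OK"])
```

On a real system the four values would come from a tool such as Platbox reading the MSRs on every core, since SMBASE is per core and one unlocked core is enough to defeat the check.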
- 06 August 2022: Reported vulnerability
- 22 September 2022: Confirmed vulnerability and working on fix
- 14 October 2022: Discussing timelines
- 18 October 2022: Confirmed patch release date
- 20 October 2022: Patch released
- 24 October 2022: Acer published bulletin