This invention relates generally to information handling systems and, more particularly, to system management mode (SMM) in information handling systems.
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
All system management interrupt (SMI) functions executed by a central processing unit (CPU) of an information handling system have access to all memory pages, including needed pages and other memory pages that should not be accessed. This includes access to other SMI function code without any restrictions even if there is no need to have this open access. Also, all functions have access to all of the SMM data region of system management memory (SMRAM) of host memory. All the SMI functions and the data accessed by the SMI functions are in plain text (i.e., not encrypted).
Process authentication by the OS is known, together with execution and returning of SMI functions. Control flow integrity exists for software contexts that do not include SMM. It is known to use CPU firmware microcode to allow page-level control for SMM. CPU firmware microcode defines tables for general bounding of SMM within system memory, i.e., it is known to use CPU embedded firmware microcode to allow page-level control for SMM by allowing SMM access to be restricted to only those page ranges inside of SMM, but the CPU embedded firmware microcode does not have authority to control functionality within SMM. This CPU embedded firmware microcode logic executes every time an SMM instruction runs, checks CPU registers that contain memory bounds to determine if the instruction is trying to access outside of the allowed bounds for SMM operations, and raises an error if the instruction is trying to access something outside the allowed bounds. Operating system table memory management and paging are utilized to limit access to page ranges outside of SMM, but do not have authority to control functionality within SMM.
Disclosed herein are systems and methods that may be implemented to control flow integrity during systems management mode (SMM), e.g., to protect functions from each other within SMM, and/or to protect functions and data outside SMM from rogue or unexpected behavior within SMM. In one embodiment, the disclosed systems and methods may be implemented during SMM to restrict access by a given SMI function to specific regions of dynamic system memory by blocking unauthorized access to data or code regions of the system memory that are not needed by the function so as to protect the rest of the system memory and system, e.g., from any malicious code attempting to use SMM for privilege escalation. In one exemplary embodiment, a function-defined memory page table or other data listing may be created to describe a permissions policy (e.g., such as a look-up table) that identifies those specific system memory page ranges for which different SMI functions and SMI libraries (i.e., code shared between multiple SMI functions) are to be permitted access. In a further embodiment, hardware memory page management may be utilized to provide control flow integrity for SMM according to the permissions policy. For example, CPU hardware (e.g., embedded CPU microcode or functional logic) may be utilized to block unauthorized access by a given SMI function or SMI library to specific data or code regions of system memory that are not identified as being permitted (e.g., in the case where they are not needed) for the given function or library.
In one embodiment, one or more look up tables may be created during basic input/output system (BIOS) build or compile time (e.g., by engineering or otherwise defined during BIOS build or compile time) and installed on an information handling system during system manufacturing. These created look up tables may define which specific memory regions that different individual functions are allowed (or disallowed) to access. At system boot time, these tables may be loaded in hardware (e.g., CPU hardware), and when SMI is executed at runtime, the lookup table/s may be referenced by SMM hardware to control permissions for each function or library.
In one respect, disclosed herein is an information handling system, including: a system memory; and a programmable integrated circuit coupled to the system memory, the programmable integrated circuit being programmed to operate in a system management mode (SMM) to retrieve and execute at least one SMI function/library from the system memory upon entry into the SMM. The programmable integrated circuit may be programmed to control access by the executing SMI function/library to data or code regions of the system memory according to a data permission listing that identifies one or more permitted system memory page ranges for which the executing SMI function/library is permitted access, the permitted system page ranges including only a portion of all SMI functions/libraries held in the system memory.
In another respect, disclosed herein is a method, including operating a programmable integrated circuit of an information handling system in a system management mode (SMM) to: retrieve and execute at least one SMI function/library from a system memory of the information handling system upon entry into the SMM; and control access by the executing SMI function/library to data or code regions of the system memory according to a data permission listing that identifies one or more permitted system memory page ranges for which the executing SMI function/library is permitted access, the permitted system page ranges including only a portion of all SMI functions/libraries held in the system memory.
In the exemplary embodiment of
Bus/es 103 provides a mechanism for the various components of system 104 to communicate and couple with one another. As shown, host processing device 106 may be coupled in an embodiment to bus/es 103 via an embedded platform controller hub (PCH) 180 and may be coupled to facilitate input/output functions for the processing device/s 106 with various internal system components of information handling system 104 through bus/es 103 such as PCI, PCIe, SPI, USB, low pin count (LPC), etc. Examples of such system components include, but are not limited to, NVRAM, BIOS SPI Flash, NVDIMMS, DIMMS, PCIe Devices, etc. The PCH 180 is directly coupled to system memory 121 as shown. System memory 121 includes memory pages of a SMM code region 420 and a SMM data region 430 that are contained within a SMM region 199 (also known as SMRAM) as further illustrated in
In one embodiment, host processing device/s 106 may be an in-band processing device configured to run a host operating system (OS) 105. Besides memory 121 (e.g., random access memory “RAM”), processor 106 may include cache memory for storage of frequently accessed data. Information handling system 104 may also include a network access card (NIC) 131 that is communicatively coupled to network 133 (e.g., Internet or corporate intranet) as shown to allow various components of system 104 to communicate with external and/or remote device/s 135 across network 133. Other external devices, such as an external universal serial bus (USB) device 170 may be coupled to processing device/s 106 via bus/es 103. In this embodiment, information handling system 104 also includes power supply unit (PSU) 192 that is coupled to receive power from AC mains 190 and to perform appropriate power conversion and voltage regulation to produce regulated internal power 194 for use by other power-consuming components of system 104. System 104 may also include a baseboard management controller (BMC) (not shown). As shown, in the embodiment of
As shown in Table 1, different access permissions may be given to different functions, to allow the functions to be protected from each other. For example, a particular function may be provided for alerting on high CPU temperature and taking actions like turning on or controlling speed of processor cooling fans. Such a particular function may be given permission by a memory page permissions look up table 123 for access to the CPU temperature sensor data and to a separate processor fan management function.
Next, in step 390, BIOS 101 with the memory page permissions look up table/s 123 is installed during system manufacturing (e.g., at the factory or assembly plant). In one embodiment, BIOS 101 may be stored in system non-volatile and electronically programmable memory 140 or in any other suitable non-volatile memory of system 100 such as system storage 118. The system firmware (e.g., BIOS 101) installed at this time may also include SMI handlers that are invoked in response to an SMI.
Still referring to
Steps 330 also include step 332 where function/libraries permission table/s 123 is mapped into embedded hardware microcode 107 of host processor 106 together with information such as desired configuration of memory page permissions table/s 123 and logic of how to read these table/s 123 upon SMM initialization. In one embodiment, memory page permissions table/s 123 may be loaded into data structures of SMM volatile memory 199 for access by embedded hardware microcode 107 and use in SMM at runtime. Alternatively, embedded hardware microcode 107 may access memory page permissions table/s 123 directly from non-volatile memory 140. In yet another embodiment, memory page permissions table/s 123 may be loaded directly into hardware in any suitable manner (e.g., registers, internal random access memory “RAM”, microcode, etc.) of host processing device 106, e.g., in a case where there is hardware logic available to perform page table management.
Steps 340 are performed after boot and during operating system (OS) runtime, and include non-SMM normal host processor operations 342 (e.g., user application execution) that occur until a systems management interrupt (SMI) is triggered in the OS 105 and a call occurs to the BIOS SMM handler in step 343. An SMI may be generated via a hardware interrupt event independent of code execution, e.g., by assertion of an interrupt pin (e.g., SMI#) into the host processor 106. In one embodiment, an SMI may also be invoked by software via execution of an instruction, e.g., an instruction that writes an I/O port or address range (e.g., with a special value) that is recognized by the system as making a request to trigger an SMI.
BIOS SMM steps 344 occur upon the triggering of the SMI of step 343, at which time the BIOS SMM handler loads from SMM volatile memory region 199 the function/s (e.g., SMI function A) that correspond to the particular SMI triggered in step 343 onto host processor 106. Next, in step 348, SMM memory page access control hardware manages permissions for memory access by Function A as further described in relation to
Accordingly, as shown by the arrows of paths 1, 2 and 6 in
As shown, Function A calls Library E in step 490 and Library E is then fetched, loaded and run on host processor 106, at which time control is passed from Function A to Library E (via Path 6). At this time, SMM memory page access control hardware 450 blocks Path 7 according to memory page permissions table/s 123 (which only permits Library E access to Library E), meaning that Library E cannot access Library F as is the case in the conventional methodology of
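The following C program is an added illustration of the permissions policy described above (the build-time look-up table of L5 through L7 and the runtime Path 6 / Path 7 behavior of steps 344 through 490); it is not code from the patent and does not model any particular CPU's microcode. It simulates the SMM memory page access control hardware as a default-deny look-up: each SMI function or library is a principal with a fixed list of permitted SMRAM page ranges, a data access is allowed only if the page is listed for the principal currently running, and a control transfer switches the active permission row to the callee so that Library E cannot inherit Function A's rights. The page numbers, the 4 KiB page size and the principal names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ull  /* model assumes 4 KiB pages */

/* A principal is one SMI function or SMI library executing inside SMM. */
enum principal { PRIN_NONE = -1, FUNC_A = 0, LIB_E = 1, LIB_F = 2, PRINCIPAL_COUNT = 3 };

struct page_range { uint32_t first; uint32_t last; };  /* inclusive SMRAM page numbers */

#define MAX_RANGES 4
struct perm_entry { size_t nranges; struct page_range ranges[MAX_RANGES]; };

/* Constructed SMRAM layout (page numbers invented for this model). */
enum { A_CODE = 0x100, A_CODE_END = 0x103, A_DATA = 0x200, A_DATA_END = 0x201,
       E_CODE = 0x110, E_CODE_END = 0x111, E_DATA = 0x210, E_DATA_END = 0x210,
       F_CODE = 0x120, F_CODE_END = 0x121 };

/* Which principal owns which code pages: after a control transfer the hardware
 * model uses this to select the permission row of the code now executing. */
static const struct { enum principal owner; struct page_range code; }
code_owner[PRINCIPAL_COUNT] = {
    { FUNC_A, { A_CODE, A_CODE_END } },
    { LIB_E,  { E_CODE, E_CODE_END } },
    { LIB_F,  { F_CODE, F_CODE_END } },
};

/* Memory page permissions look-up table, fixed at build time and indexed by
 * principal. Function A may reach its own code, its own data and Library E's
 * code; Library E may reach only its own pages. Anything not listed is denied. */
static const struct perm_entry perm_table[PRINCIPAL_COUNT] = {
    [FUNC_A] = { 3, { {A_CODE, A_CODE_END}, {A_DATA, A_DATA_END}, {E_CODE, E_CODE_END} } },
    [LIB_E]  = { 2, { {E_CODE, E_CODE_END}, {E_DATA, E_DATA_END} } },
    [LIB_F]  = { 1, { {F_CODE, F_CODE_END} } },
};

/* Hardware state: the principal whose code the processor is currently running. */
static enum principal current = FUNC_A;

static bool in_range(const struct page_range *r, uint32_t page) {
    return page >= r->first && page <= r->last;
}

/* Look up whether principal `who` may touch the page holding `addr`. */
bool smm_page_permitted(enum principal who, uint64_t addr) {
    if ((int)who < 0 || (int)who >= PRINCIPAL_COUNT) return false;  /* unknown: deny */
    uint32_t page = (uint32_t)(addr / PAGE_SIZE);
    const struct perm_entry *e = &perm_table[who];
    for (size_t i = 0; i < e->nranges; i++)
        if (in_range(&e->ranges[i], page)) return true;
    return false;                                                  /* default deny */
}

/* Identify the principal that owns the code page at `addr`, or PRIN_NONE. */
enum principal smm_code_owner(uint64_t addr) {
    uint32_t page = (uint32_t)(addr / PAGE_SIZE);
    for (size_t i = 0; i < PRINCIPAL_COUNT; i++)
        if (in_range(&code_owner[i].code, page)) return code_owner[i].owner;
    return PRIN_NONE;
}

/* Data or code access by the currently running principal. Real hardware would
 * raise a fault on denial; the model only reports the decision. */
bool smm_access(uint64_t addr) {
    bool ok = smm_page_permitted(current, addr);
    printf("%s principal %d -> page 0x%llx\n", ok ? "ALLOW" : "DENY ",
           (int)current, (unsigned long long)(addr / PAGE_SIZE));
    return ok;
}

/* Control transfer (e.g. Function A calling Library E). The caller must be
 * permitted to reach the callee's entry page; on success the active permission
 * row becomes the callee's, so the callee does not inherit the caller's rights. */
bool smm_call(uint64_t entry_addr) {
    enum principal callee = smm_code_owner(entry_addr);
    if (callee == PRIN_NONE || !smm_page_permitted(current, entry_addr)) {
        printf("DENY  principal %d -> call into page 0x%llx\n",
               (int)current, (unsigned long long)(entry_addr / PAGE_SIZE));
        return false;
    }
    current = callee;
    return true;
}

enum principal smm_current(void) { return current; }
void smm_reset(void) { current = FUNC_A; }  /* SMI entry: dispatched function runs first */

int main(void) {
    smm_reset();
    smm_access(A_DATA * PAGE_SIZE);  /* Function A reads its own data: allowed */
    smm_call(E_CODE * PAGE_SIZE);    /* Path 6: A -> E, allowed */
    smm_access(E_DATA * PAGE_SIZE);  /* E reads its own data: allowed */
    smm_access(F_CODE * PAGE_SIZE);  /* Path 7: E -> F, blocked */
    smm_access(A_DATA * PAGE_SIZE);  /* E -> A's data, blocked */
    return 0;
}
```

The two design points worth noting are that the table is immutable at runtime (mirroring a table fixed at BIOS build time and loaded into hardware at boot) and that the check is default-deny, so an SMI function or library that is missing from the table, or a page that is not listed for it, is refused rather than silently granted the open access the conventional methodology allows.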
It will be understood that the embodiments of
It will be understood that the steps of
It will be understood that one or more of the tasks, functions, or methodologies described herein (e.g., including those described herein for components 106, etc.) may be implemented by circuitry and/or by a computer program of instructions (e.g., computer readable code such as firmware code or software code) embodied in a non-transitory tangible computer readable medium (e.g., optical disk, magnetic disk, non-volatile memory device, etc.), in which the computer program comprising instructions is configured when executed on a processing device in the form of a programmable integrated circuit (e.g., processor such as CPU, controller, microcontroller, microprocessor, ASIC, etc. or programmable logic device “PLD” such as FPGA, complex programmable logic device “CPLD”, etc.) to perform one or more steps of the methodologies disclosed herein. In one embodiment, a group of such processing devices may be selected from the group consisting of CPU, controller, microcontroller, microprocessor, FPGA, CPLD and ASIC. The computer program of instructions may include an ordered listing of executable instructions for implementing logical functions in an information handling system or component thereof. The executable instructions may include a plurality of code segments operable to instruct components of an information handling system to perform the methodologies disclosed herein.
It will also be understood that one or more steps of the present methodologies may be employed in one or more code segments of the computer program. For example, a code segment executed by the information handling system may include one or more steps of the disclosed methodologies. It will be understood that a processing device may be configured to execute or otherwise be programmed with software, firmware, logic, and/or other program instructions stored in one or more non-transitory tangible computer-readable mediums (e.g., data storage devices, flash memories, random access memories, read only memories, programmable memory devices, reprogrammable storage devices, hard drives, floppy disks, DVDs, CD-ROMs, and/or any other tangible data storage mediums) to perform the operations, tasks, functions, or actions described herein for the disclosed embodiments.
For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touch screen and/or a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.
While the invention may be adaptable to various modifications and alternative forms, specific embodiments have been shown by way of example and described herein. However, it should be understood that the invention is not intended to be limited to the particular forms disclosed. Rather, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims. Moreover, the different aspects of the disclosed methods and systems may be utilized in various combinations and/or independently. Thus, the invention is not limited to only those combinations shown herein, but rather may include other combinations.