From bb1f81271b5c8f3c39b64f045857169b08760035 Mon Sep 17 00:00:00 2001
From: Benjamin Doron <benjamin.doron@9elements.com>
Date: Tue, 20 Feb 2024 22:46:50 -0500
Subject: [PATCH] cpu/x86/smm: Pass full SMRAM region info to SMM runtime
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This data is used by smm_region_overlaps_handler(). Callers use this
helper to determine if it's safe to read/write to memory buffers taken
from untrusted input.

coreboot SMI handlers must not be confused into writing over any SMRAM
subregion, which includes the TSEG_STAGE_CACHE and chipset-specific area
(sometimes, IED), not just the handlers.

If stage cache writes were permitted, this could compromise the
integrity of the S3 resume path.

The consequences to overwriting the chipset-specific area are undefined.

Change-Id: Ibd9ed34fcfd77a4236b5cf122747a6718ce9c91f
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/80703
Reviewed-by: Shuo Liu <shuo.liu@intel.com>
Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
---
 src/cpu/x86/smm/smm_module_loader.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/cpu/x86/smm/smm_module_loader.c b/src/cpu/x86/smm/smm_module_loader.c
index e342557b13..17ef92ea7f 100644
--- a/src/cpu/x86/smm/smm_module_loader.c
+++ b/src/cpu/x86/smm/smm_module_loader.c
@@ -320,12 +320,15 @@ int smm_setup_relocation_handler(struct smm_loader_params *params)
 }
 
 static void setup_smihandler_params(struct smm_runtime *mod_params,
-				    uintptr_t smram_base,
-				    uintptr_t smram_size,
 				    struct smm_loader_params *loader_params)
 {
-	mod_params->smbase = smram_base;
-	mod_params->smm_size = smram_size;
+	uintptr_t tseg_base;
+	size_t tseg_size;
+
+	smm_region(&tseg_base, &tseg_size);
+
+	mod_params->smbase = tseg_base;
+	mod_params->smm_size = tseg_size;
 	mod_params->save_state_size = loader_params->cpu_save_state_size;
 	mod_params->num_cpus = loader_params->num_cpus;
 	mod_params->gnvs_ptr = (uint32_t)(uintptr_t)acpi_get_gnvs();
@@ -534,7 +537,7 @@ int smm_load_module(const uintptr_t smram_base, const size_t smram_size,
 
 	struct smm_runtime *smihandler_params = rmodule_parameters(&smi_handler);
 	params->handler = rmodule_entry(&smi_handler);
-	setup_smihandler_params(smihandler_params, smram_base, smram_size, params);
+	setup_smihandler_params(smihandler_params, params);
 
 	return smm_module_setup_stub(stub_segment_base, smram_size, params);
 }