
Add SMI enumeration mode to the smm_ptr module #2141

Open: wants to merge 2 commits into base: main

Conversation

@cpey commented Apr 20, 2024

The following pull request extends the smm_ptr module by adding an additional
mode called scan.

The goal of the scan mode is to identify SMIs that trigger time-consuming
code paths by measuring their execution time. This new mode operates similarly
to the fuzz mode and uses a new syscall that returns the SMI execution time.
With the intention to minimize system crashes, its operation bails out from the
currently scanned SMI code when an SMI taking considerably longer is
encountered or memory changes have been detected.

A time-consuming SMI is referred to as an 'outlier' in the implementation, and
is determined by the configuration option OUTLIER_THRESHOLD.

When an 'outlier' is identified, a message similar to the one shown below is
added to the output log.

[!] SCANNED: SMI# 57 average 785652 checked 1
    Identified outlier: duration 2456476 code 57 data 00 (rax=B284F000 rbx=B284F000 rcx=00, rdx=B284F000 rsi=B284F000 rdi=B284F000)

The message informs about the average CPU counts for that SMI code, the number
of SMIs executed for that code (scanning for data and rcx values) until the
first outlier is found or a memory change detected (in checked), followed by
information about the outlier.

When no outlier is found, the log message does not include the 'outlier'
information.

[*] SCANNED: SMI# 58 average 759601 checked 4096

At the end of the report, it lists the number of long-running SMIs found,
followed by the remaining smm_ptr results.

[+] <<< Done: found 5 long-running SMIs
[-] <<< Done: found 4 potential occurrences of unchecked input pointers

[CHIPSEC] ***************************  SUMMARY  ***************************
[CHIPSEC] Time elapsed            547.306
[CHIPSEC] Modules total           1
[CHIPSEC] Modules failed to run   0:
[CHIPSEC] Modules passed          0:
[CHIPSEC] Modules information     0:
[CHIPSEC] Modules failed          1:
[-] FAILED: chipsec.modules.tools.smm.smm_ptr
[CHIPSEC] Modules with warnings   0:
[CHIPSEC] Modules not applicable  0:
[CHIPSEC] *****************************************************************

Signed-off-by: Carles Pey <carles.pey@nccgroup.com>
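To make the scan-mode behaviour described in the pull request concrete, here is an added stand-alone model of it. This is example code written for this page, not chipsec's smm_ptr module and not the author's implementation: the timing syscall is replaced by a callback fed with constructed cycle counts, the memory-change detection is a constructed lookup, and the outlier rule (duration above OUTLIER_THRESHOLD times a baseline average built from the non-outlier executions seen so far, with a short warm-up before any verdict) is an assumption about how the threshold is applied, as is the per-code "average" being the mean of all executions checked for that code. Only the configuration name OUTLIER_THRESHOLD and the log-line layout are taken from the PR text.

```python
# Added example (not chipsec's own code): a stand-alone model of the scan-mode
# logic the PR describes, driven by constructed timing data instead of real SMIs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Name taken from the PR text; the value and the warm-up count are assumptions.
OUTLIER_THRESHOLD = 2.0   # outlier when duration > threshold * baseline average
WARMUP_SAMPLES = 3        # assumption: no verdict until a baseline exists


@dataclass
class SmiResult:
    code: int
    data: int
    duration: int         # CPU counts, as the PR's timing syscall would return


@dataclass
class ScanState:
    """Per-SMI-code bookkeeping; mirrors the fields the PR's log line reports."""
    code: int
    total: int = 0
    checked: int = 0
    outlier: Optional[SmiResult] = None
    memory_changed: bool = False

    @property
    def average(self) -> int:
        # Assumption: mean over every execution checked for this code
        return self.total // self.checked if self.checked else 0

    def skip(self) -> bool:
        # Bail out of this SMI code once an outlier or a memory change was seen
        return self.outlier is not None or self.memory_changed

    def log_smi_result(self) -> str:
        tag = '!' if self.outlier else '*'
        msg = f'[{tag}] SCANNED: SMI# {self.code:02X} average {self.average} checked {self.checked}'
        if self.outlier:
            o = self.outlier
            msg += f'\n    Identified outlier: duration {o.duration} code {o.code:02X} data {o.data:02X}'
        return msg


class Scanner:
    """Keeps a baseline from non-outlier executions across all codes (assumption)."""

    def __init__(self) -> None:
        self.baseline_total = 0
        self.baseline_count = 0
        self.outliers = 0

    def is_outlier(self, duration: int) -> bool:
        if self.baseline_count < WARMUP_SAMPLES:
            return False
        baseline = self.baseline_total / self.baseline_count
        return duration > OUTLIER_THRESHOLD * baseline

    def scan_code(self, code, data_values, run_smi, memory_changed) -> ScanState:
        state = ScanState(code)
        for data in data_values:
            if state.skip():
                break
            duration = run_smi(code, data)
            state.checked += 1
            state.total += duration
            if memory_changed(code, data):
                state.memory_changed = True
            elif self.is_outlier(duration):
                state.outlier = SmiResult(code, data, duration)
                self.outliers += 1
            else:
                self.baseline_total += duration
                self.baseline_count += 1
        return state

    def summary(self) -> str:
        return f'[+] <<< Done: found {self.outliers} long-running SMIs'


# Constructed sample data: cycle counts per (code, data index); not real measurements.
SAMPLE_DURATIONS: Dict[int, List[int]] = {
    0x57: [780000, 790000, 785000, 2456476, 781000],
    0x58: [760000, 758000, 761000, 759000],
    0x59: [770000, 772000, 771000, 773000],
}
SAMPLE_MEMORY_CHANGES = {(0x59, 2)}   # constructed: memory diff detected here


def run_example() -> Tuple[Scanner, List[ScanState]]:
    scanner = Scanner()

    def run_smi(code: int, data: int) -> int:      # stands in for the timing syscall
        return SAMPLE_DURATIONS[code][data]

    def mem_changed(code: int, data: int) -> bool:  # stands in for the memory diff
        return (code, data) in SAMPLE_MEMORY_CHANGES

    states = [scanner.scan_code(code, range(len(d)), run_smi, mem_changed)
              for code, d in SAMPLE_DURATIONS.items()]
    return scanner, states


if __name__ == '__main__':
    scanner, states = run_example()
    for s in states:
        print(s.log_smi_result())
    print(scanner.summary())
```

Running it prints one SCANNED line per code: code 57 stops after four executions because the fourth is flagged as an outlier, code 58 runs through all its data values, and code 59 stops after the memory-change signal, matching the two stopping conditions the PR lists. Because flagged outliers are not folded into the baseline, one slow SMI does not inflate the average and mask later ones.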
@cpey cpey requested a review from a team as a code owner April 20, 2024 16:37
Code scanning / CodeQL notice on this fragment:

    if scan and scan.skip():
        break
    if scan_mode:
        msg = scan.log_smi_result(self.logger)

Unused local variable (Note): Variable msg is not used.
Code scanning / CodeQL notice on this fragment:

        self.hist_smi_num = 0
        self.outliers_hist = 0

    def find_address_in_regs(self, gprs):

Explicit returns mixed with implicit (fall through) returns (Note): Mixing implicit and explicit returns may indicate an error as implicit returns always return None.
Code scanning / CodeQL notice on this fragment:

        self.data = data

    def get_info(self):
        if self.code == None:

Testing equality to None (Note): Testing for None should use the 'is' operator.

Review thread on chipsec/modules/tools/smm/smm_ptr.py: dismissed.
Code scanning / CodeQL failure on this fragment:

            except BadSMIDetected as msg:
                bad_ptr_cnt = 1
                self.logger.log_important("Potentially bad SMI detected! Stopped fuzing (see FUZZ_BAIL_ON_1ST_DETECT option)")

        if scan_mode:
            self.logger.log_good(f'<<< Done: found {scan.get_total_outliers()} long-running SMIs')

Potentially uninitialized local variable (Error): Local variable 'scan' may be used before it is initialized.
@npmitche (Member) left a comment

At first glance this looks good. We'll need to take some time to test it out.

Eventually we'll need to handle the case when this is attempted to be run in other environments.

Review thread on chipsec/modules/tools/smm/smm_ptr.py: outdated, resolved.
@cpey cpey force-pushed the smi-enumeration branch 3 times, most recently from 49eebf8 to 081890f Compare April 24, 2024 02:07
@cpey (Author) commented May 7, 2024

Hi @npmitche, is there any progress on this?

Review thread on chipsec/modules/tools/smm/smm_ptr.py: outdated, resolved.
Review thread on chipsec/modules/tools/smm/smm_ptr.py: resolved.
Signed-off-by: Carles Pey <carles.pey@nccgroup.com>

3 participants