RE: RFC: WMI Enhancements
From: Mario.Limonciello
Date: Thu Apr 13 2017 - 13:50:13 EST
> -----Original Message-----
> From: Andy Lutomirski [mailto:luto@xxxxxxxxxx]
> Sent: Thursday, April 13, 2017 12:44 PM
> To: Limonciello, Mario <Mario_Limonciello@xxxxxxxx>
> Cc: Darren Hart <dvhart@xxxxxxxxxxxxx>; Andrew Lutomirski <luto@xxxxxxxxxx>;
> MichaÅ KÄpieÅ <kernel@xxxxxxxxxx>; Rafael J. Wysocki <rjw@xxxxxxxxxxxxx>; Len
> Brown <len.brown@xxxxxxxxx>; Pali RohÃr <pali.rohar@xxxxxxxxx>; Corentin
> Chary <corentin.chary@xxxxxxxxx>; Andy Shevchenko
> <andriy.shevchenko@xxxxxxxxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx; platform-
> driver-x86@xxxxxxxxxxxxxxx; linux-pm@xxxxxxxxxxxxxxx
> Subject: Re: RFC: WMI Enhancements
>
> On Thu, Apr 13, 2017 at 10:39 AM, <Mario.Limonciello@xxxxxxxx> wrote:
> >> -----Original Message-----
> >> From: Darren Hart [mailto:dvhart@xxxxxxxxxxxxx]
> >> Sent: Thursday, April 13, 2017 12:06 PM
> >> To: Limonciello, Mario <Mario_Limonciello@xxxxxxxx>
> >> Cc: luto@xxxxxxxxxx; kernel@xxxxxxxxxx; rjw@xxxxxxxxxxxxx;
> >> len.brown@xxxxxxxxx; pali.rohar@xxxxxxxxx; corentin.chary@xxxxxxxxx;
> >> andriy.shevchenko@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; platform-
> >> driver-x86@xxxxxxxxxxxxxxx; linux-pm@xxxxxxxxxxxxxxx
> >> Subject: Re: RFC: WMI Enhancements
> >>
>
> > Well the "most" interesting to me is the SMBIOS calling interface on the
> > regular Dell GUID (WMBA IIRC). That's what is used to manipulate keyboard
> > LED timeouts in dell-laptop (although through direct SMI today).
> >
> > It's also what is used for other SMBIOS calls like changing random BIOS settings
> > that shouldn't be generically exposed in sysfs but should be controlled by
> > manageability tools.
> >
> > Example: turning on/off legacy option ROM or changing legacy boot order.
> >
>
> IIUC we basically can't expose the SMI--based interface to this entry
> point to userspace because of its use of physical addressing. It is
> reasonably safe to expose the WMI version? (IOW should be expect that
> it doesn't enable kernel-mode or SMM code execution?)
The SMI based entry is already exposed using dcdbas.
The WMI version when executing a call that would be run as a SMI
will copy the buffer to an area of memory that the BIOS has already
been marked reserved to execute the SMI and copy the result out.
>
> TBH, I've occasionally considered writing a driver to expose SMM code
> execution on systems with a known reliable exploit :)
On Dell HW? I'm sure our security folks would be very interested in this.