Ensuring that the platform firmware is healthy and trustworthy is fundamental to guaranteeing that powerful platform security features like Hypervisor-protected code integrity (HVCI) and Windows Defender Credential Guard are functioning as expected. Windows 10 achieves this by leveraging a hardware-based root of trust that ensures unauthorized code like Unified Extensible Firmware Interface (UEFI) malware cannot take root before the Windows bootloader launches.

Key to defending the hypervisor, and by extension the rest of the OS, from such low-level threats is protecting System Management Mode (SMM), an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. Because of its traditionally unfettered access to memory and machine resources, SMM is a known attack vector for gaining access to the OS and hardware. SMM is particularly vulnerable to threats like confused deputy attacks, in which malicious code tricks code with higher privileges into performing certain activities on its behalf. One could have perfect code in SMM and still be affected by behavior like trampolining into secure kernel code.
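As an added illustration of the confused deputy problem (example code written for this page, not Microsoft, Intel, or AMD code), the following C models an SMI handler that writes caller-supplied data to a caller-supplied physical address. The SMRAM window, the communication buffer layout, and the `smm_phys_write` stand-in are hypothetical. The vulnerable handler trusts the pointer, so a caller running in the OS can direct SMM to overwrite SMRAM using the deputy's own privilege; the hardened handler snapshots the buffer into SMRAM before checking it and rejects any range that touches SMRAM:

```c
/* Added example (not Microsoft, Intel or AMD code): a simulated SMI handler
 * showing the confused-deputy pattern and its fix. Layout and ABI are
 * hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical SMRAM (TSEG) window of the simulated platform. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL
#define SMRAM_END  (SMRAM_BASE + SMRAM_SIZE)

/* Communication buffer: the OS places it in OS memory and asks the SMI
 * handler to write `len` bytes of `data` to physical address `dest`. */
struct smi_comm {
    uint64_t dest;
    uint32_t len;
    uint8_t  data[32];
};

enum smi_status { SMI_OK = 0, SMI_BAD_ARGS = 1, SMI_DENIED = 2 };

/* Stand-in for a physical memory write from SMM: it only records the target
 * range so the effect of each handler can be inspected. */
static uint64_t g_last_write_base, g_last_write_len;
static void smm_phys_write(uint64_t pa, const uint8_t *src, uint32_t len) {
    (void)src;
    g_last_write_base = pa;
    g_last_write_len = len;
}

/* VULNERABLE: bounds-checks the length but trusts the caller's pointer, so a
 * caller in the OS can aim `dest` at SMRAM and have SMM, at SMM privilege,
 * overwrite SMM code or data (the confused deputy). */
enum smi_status smi_handler_vulnerable(const struct smi_comm *comm) {
    if (comm->len == 0 || comm->len > sizeof comm->data) return SMI_BAD_ARGS;
    smm_phys_write(comm->dest, comm->data, comm->len);
    return SMI_OK;
}

/* True if [base, base+len) touches SMRAM; a wrapping range is treated as unsafe. */
static bool range_overlaps_smram(uint64_t base, uint64_t len) {
    if (len == 0 || base > UINT64_MAX - len) return true;
    return base < SMRAM_END && base + len > SMRAM_BASE;
}

/* HARDENED: copy the buffer into SMRAM first (the OS can still modify its
 * copy while we run, so every check must be made on the snapshot), then
 * refuse any destination that overlaps SMRAM. */
enum smi_status smi_handler_hardened(const struct smi_comm *comm_in_os_mem) {
    struct smi_comm comm;                 /* the SMM stack lives in SMRAM */
    memcpy(&comm, comm_in_os_mem, sizeof comm);
    if (comm.len == 0 || comm.len > sizeof comm.data) return SMI_BAD_ARGS;
    if (range_overlaps_smram(comm.dest, comm.len)) return SMI_DENIED;
    smm_phys_write(comm.dest, comm.data, comm.len);
    return SMI_OK;
}

int main(void) {
    /* Constructed request that targets the SMI handler's own memory. */
    struct smi_comm evil = { .dest = SMRAM_BASE + 0x1000, .len = 8 };
    printf("vulnerable: status %d, wrote at %#llx\n",
           smi_handler_vulnerable(&evil), (unsigned long long)g_last_write_base);
    printf("hardened:   status %d\n", smi_handler_hardened(&evil));
    return 0;
}
```

Snapshotting before validating matters because the OS still owns the communication buffer while the handler runs; checking a field and then re-reading it from OS memory is a double fetch. SMM isolation tightens this further: under an OEM policy that denies SMI handlers access to OS-owned memory, even the `SMI_OK` path is confined to the regions the OEM declared.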

Sometimes referred to as “Ring -2”, SMM is used by OEMs to interact with hardware like NVRAM, emulate hardware functionality, manage hardware interrupts or errata, and perform other functions. SMM runs in the form of interrupt handlers (SMI handlers) that are triggered by timers or by accesses to certain memory, registers, or hardware resources. OEM drivers and runtime firmware services may explicitly trap into SMM to control certain hardware functionality.

To stop sophisticated attacks from taking control of the system through SMM, the OS must have enforcement or oversight of SMM’s behavior. As part of Secured-core PCs and System Guard, Intel and AMD have developed mechanisms to isolate SMM from the OS by enforcing and reporting what resources SMM has access to.

SMM isolation

Isolating SMM is implemented in three parts: OEMs implement a policy that states what resources their SMI handlers require access to; the chipset vendor enforces that policy on SMIs; and the chipset vendor reports compliance with the policy to the OS.

Diagram showing process of isolation in System Management Mode

The policy provided by the OEM is a list detailing the resources that the SMI handlers require access to. This policy is validated and enforced by the chipset vendor’s specific enforcement mechanism, detailed later. The OS does not have any control over what the policy is; it is only guaranteed enforcement of the policy as stated.

Trusted Computing Base (TCB) Launch, included in the Windows implementation of Dynamic Root of Trust for Measurement (DRTM), gets the enforced policy from the chipset vendor’s reporting mechanism. Because resource access is specific to a platform’s needs, TCB Launch compares the OEM’s SMM access policy with several levels of Windows SMM isolation requirements to determine the level of isolation provided. The isolation level achieved by the OEM’s policy is measured for attestation and is reported to the OS.

The isolation levels consist of increasing restrictions on what SMIs may access, as well as enforcement capabilities required on the system. One example of an isolation requirement is that SMIs may not access memory owned by the OS. Additionally, these requirements can include limits on the following resources:

- SMM page configuration lockdown
- Static page tables
- Model-Specific Register (MSR) access
- IO port access
- Processor state save access

In order to ensure a consistent security promise for customers using Secured-core PCs, if the minimum requirements are not met, the DRTM measurements are capped, and local and remote attestation fail. SMM isolation is tied to DRTM because without DRTM, the OS cannot trust anything evaluated by the boot environment, as it is not protected from the influence of SMM. SMIs are suspended during DRTM, so the new root of trust established by DRTM can evaluate the security of the SMM access policy.

Not only are these protections used by Windows for local secrets protection, but remote attestation tools can also leverage this information to determine the security posture of a specific device. This attestation report can be used to prevent access to sensitive network files, for example, unless a certain combination of features is present.

Diagram showing SMM architecture

AMD solution (SMM Supervisor)

During the UEFI boot phase, the SMM Supervisor is loaded as a UEFI driver. This driver is signed by AMD and authenticated by the Platform Security Processor (PSP) at the time of DRTM launch. Failure of authentication will fail DRTM. (It is also under firmware anti-rollback protection by the PSP.)

SMM Supervisor provides and initializes the SMI entry routine (the first code block executed after an SMI is triggered). This routine is also signed by AMD and authenticated by the PSP at the time of DRTM launch. Upon the DRTM event, the PSP likewise verifies that the SMI entry is properly configured to point to this authenticated block. Failure of this authentication also translates into a DRTM failure.

SMM Supervisor marks critical pages, including the SMM Supervisor code block, internal data, the page table itself, the exception handler, and the processor save state, as supervisor pages, accessible only from current privilege level 0 (CPL0, the most privileged level).

Immediately after an SMI is triggered, the SMI entry routine demotes the system to execute under CPL3 (the least privileged level) before executing any third-party SMI handlers. From the CPL3 environment, MSR, IO, and supervisor page accesses, critical register changes such as CR3, as well as privileged instructions such as “hlt” and “cli” all result in a General Protection Fault enforced by the CPU hardware.

In order for SMI handlers under CPL3 to access privileged data and registers, SMM Supervisor provides a syscall interface that allows third-party SMI handlers to make these requests. The backend of the syscall interface, which resides in SMM Supervisor, is controlled by the SMM secure policy. That policy is a deny list that can be customized per platform to determine which MSRs, IO ports, or memory regions can be accessed from CPL3. The SMM secure policy is reported to and verified by the OS secure loader during the DRTM event.
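To make the deny-list semantics concrete, here is an added C model of the syscall backend described above (example code for this page, not AMD’s SMM Supervisor or Microsoft’s loader). The resource classes, the memory layout, and the `example_entries` policy are all hypothetical. `smm_syscall_allowed` is the supervisor-side check a CPL3 request would pass through, and `smm_policy_denies_range` is the kind of test an OS loader can apply to a reported policy, for example to confirm that every byte of OS-owned memory is denied for both read and write:

```c
/* Added example (not AMD SMM Supervisor or Microsoft loader code): a model
 * of a deny-list SMM access policy and the two checks made against it.
 * Resource classes, layout and the policy itself are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum smm_res_kind { RES_MSR = 0, RES_IO = 1, RES_MEM = 2 };
#define ACC_READ  1u
#define ACC_WRITE 2u

/* One deny-list entry: the `denied` accesses to [base, base+len) are refused.
 * `base`/`len` are an MSR index and count, an IO port and count, or a
 * physical address and byte length, depending on `kind`. */
struct smm_deny_entry {
    enum smm_res_kind kind;
    uint64_t base;
    uint64_t len;
    unsigned denied;      /* bitmask of ACC_READ | ACC_WRITE */
};

struct smm_policy {
    const struct smm_deny_entry *entries;   /* assumed well-formed: no wraparound */
    size_t count;
};

/* Hypothetical layout: OS-owned RAM, then the supervisor's own pages. */
#define OS_MEM_BASE     0x00100000ULL
#define OS_MEM_SIZE     0x7EF00000ULL
#define SUPERVISOR_BASE 0x7F000000ULL
#define SUPERVISOR_SIZE 0x00100000ULL

/* Constructed per-platform policy. Everything not listed is default-allow. */
static const struct smm_deny_entry example_entries[] = {
    { RES_MEM, OS_MEM_BASE, OS_MEM_SIZE, ACC_READ | ACC_WRITE }, /* no OS memory at all */
    { RES_MSR, 0x1000, 0x20, ACC_WRITE },                        /* readable, not writable */
    { RES_IO,  0xCF8,  8,    ACC_READ | ACC_WRITE },             /* fully denied port range */
};
const struct smm_policy example_policy = {
    example_entries, sizeof example_entries / sizeof example_entries[0]
};

static bool overlaps(uint64_t b1, uint64_t l1, uint64_t b2, uint64_t l2) {
    return b1 < b2 + l2 && b2 < b1 + l1;
}

/* Supervisor side: backend of the syscall a CPL3 handler uses to request
 * `access` to [base, base+len). Allowed unless an entry denies it; the
 * supervisor's own pages are refused no matter what the policy says. */
bool smm_syscall_allowed(const struct smm_policy *p, enum smm_res_kind kind,
                         uint64_t base, uint64_t len, unsigned access) {
    if (len == 0 || base > UINT64_MAX - len) return false;
    if (kind == RES_MEM && overlaps(base, len, SUPERVISOR_BASE, SUPERVISOR_SIZE))
        return false;
    for (size_t i = 0; i < p->count; i++) {
        const struct smm_deny_entry *e = &p->entries[i];
        if (e->kind == kind && (e->denied & access) && overlaps(base, len, e->base, e->len))
            return false;
    }
    return true;
}

/* OS side: does the reported policy deny ALL of `access` for EVERY unit of
 * [base, base+len)? Walks the range and advances to the end of whichever
 * qualifying entry reaches furthest; any gap means the requirement is unmet. */
bool smm_policy_denies_range(const struct smm_policy *p, enum smm_res_kind kind,
                             uint64_t base, uint64_t len, unsigned access) {
    if (len == 0 || base > UINT64_MAX - len) return false;
    uint64_t cur = base, end = base + len;
    while (cur < end) {
        uint64_t next = cur;
        for (size_t i = 0; i < p->count; i++) {
            const struct smm_deny_entry *e = &p->entries[i];
            if (e->kind == kind && (e->denied & access) == access &&
                e->base <= cur && cur < e->base + e->len && e->base + e->len > next)
                next = e->base + e->len;
        }
        if (next == cur) return false;   /* gap: this unit is not denied */
        cur = next;
    }
    return true;
}

int main(void) {
    printf("CPL3 read of OS RAM:      %s\n",
           smm_syscall_allowed(&example_policy, RES_MEM, OS_MEM_BASE, 16, ACC_READ) ? "allowed" : "denied");
    printf("CPL3 write of MSR 0x1005: %s\n",
           smm_syscall_allowed(&example_policy, RES_MSR, 0x1005, 1, ACC_WRITE) ? "allowed" : "denied");
    printf("policy denies all OS RAM: %s\n",
           smm_policy_denies_range(&example_policy, RES_MEM, OS_MEM_BASE, OS_MEM_SIZE,
                                   ACC_READ | ACC_WRITE) ? "yes" : "no");
    return 0;
}
```

Two properties fall out of the model: a deny list is default-allow, so anything the OEM forgot to list is reachable from CPL3, which is why the OS grades the reported policy against its own requirements rather than trusting it as-is; and supervisor pages are refused regardless of policy, mirroring the hardware enforcement of the supervisor page marking.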

Intel Hardware Shield

Intel® Hardware Shield, a part of the Intel vPro® platform, uses CPU hardware and firmware to enforce the platform’s SMM access policy. Generationally, these capabilities evolve using new CPU hardware features in conjunction with existing CPU capabilities to harden micro-architectural flows and offer new register locks in support of firmware hardening*.

The Intel vPro® platform with 8th Generation Intel® Core™ vPro® processors introduced firmware hardening and hardware-locked static page table support to reduce SMM privilege with regard to memory and to lock the memory configuration. These new locks include the CR3 lock, MSEG lock, SMBASE lock, and others. The Intel vPro platform with 9th Generation Intel Core vPro processors added an Intel-signed SMM module that enables attestation of the SMM memory configuration using Intel® Trusted Execution Technology (Intel® TXT), an element of Intel® Hardware Shield, via PCR 17. The module first verifies the integrity of the hardened SMM code used to enforce the SMM access policy. It then reports this, as well as the details of the policy, back to the OS. Therefore, the OS can verify the trustworthiness of SMM and evaluate the platform’s SMM access policy without the possibility of interference from SMI handlers. The Intel vPro platform with 10th Generation Intel Core vPro processors enhanced the verified CPL0 SMM components to create a privilege separation with SMI handlers in order to extend policy enforcement to MSRs, IO ports, and SMM state save (access policy may vary by platform). The same mechanism was extended to report these capabilities as well.

* No product or component can be absolutely secure.

Secured-core PCs provide the simplest experience for customers to get Secure Launch and SMM protection

Enabling SMM protection and System Guard Secure Launch can be achieved when the following support is present:

- Intel, AMD, or ARM virtualization extensions
- Trusted Platform Module (TPM) 2.0
- On Intel: TXT support in the BIOS
- On AMD: the SKINIT package must be integrated in the Windows system image
- On Qualcomm: implements a DRTM TrustZone application and supports SMC memory protections
- Kernel DMA Protection

Further configuration information and requirements can be found here. On Secured-core PCs, virtualization-based security is supported, and hardware-backed security features like System Guard Secure Launch with SMM Protection are enabled by default. Customers do not need to worry about configuring the necessary functionality, as Secured-core PCs come with the right configurations from OEMs, thereby providing the simplest path to the most secure Windows 10 systems. Learn more about the line of Secured-core PCs available today.

The post System Management Mode deep dive: How SMM isolation hardens the platform appeared first on Microsoft Security.

Read more: microsoft.com