During our recent talk at HardwearIO (see here, slides here) we described a variety of AMD platform misconfigurations that could lead to critical vulnerabilities, such as:
- TSEG misconfigurations breaking SMRAM protections
- SPI controller misconfigurations allowing SPI access from the OS
- Platform Secure Boot misconfigurations breaking the hardware root-of-trust
Here we are providing a brief overview of essential registers settings and explain how our internally developed tool Platbox (seeĀ here) can be used to verify them and ultimately exploit them.
In a previous blog post about AMD platform security (see here) we explained how forgetting to set a single lock can lead to a complete compromise of System Management Mode (SMM).
To recap, on modern systems SMM lives in a protected memory region called TSEG and four Model Specific Registers (MSRs) need to be configured to guarantee these protections: