Date: Fri, 27 Mar 2009 06:47:14 -0700 (PDT)
From: Won De Erick
To: Ivan Voras, Andriy Gapon
Cc: freebsd-hackers@freebsd.org
Subject: Re: Switching to SMM with FreeBSD 6.2 onwards

--- On Fri, 3/27/09, Andriy Gapon wrote:
> on 27/03/2009 12:35 Ivan Voras said the following:
> > Takanori Watanabe wrote:
> >> In message <17314.10813.qm@web45811.mail.sp1.yahoo.com>, Won De Erick wrote:
> >>> Hi All,
> >>>
> >>> I'm not quite familiar with FreeBSD, but I
> >>> want to do the following in 6.2/7.1
> >>> .
> >>>
> >>>  /* Raise IOPL to 3 to open all I/O ports */
> >>>  /* something like 'i386_iopl(3)' */
> >>>  ...
> >> see i386_get_ioperm(2) or io(4).
> >>
> >>>  /* Open SMRAM access */
> >>>  outl(unsigned int port, unsigned long int data);
> >>>
> >>>
> >>> Also, I appreciate comments on the following
> >>> wrapper:
> >>>
> >>> static inline outl(unsigned int port, unsigned long int data)
> >>> {
> >>>  asm("outl %0, %1" : : "a" (data), "dN" (port));
> >>> }
> >>>
>
> Take a look at machine/cpufunc.h

Oh I see. :)

>
> >>> My goal is to switch the processor to SMM by
> >>> triggering SMI from userland.
> >>
> >> Probably this will work.
> >> So what do you want ask about that?

If it is possible, I would like to write data to certain registers or a portion of memory where the BIOS firmware or the BMC firmware could possibly detect it as 'reconfiguration', and make a significant log on the SEL as "System Reconfigured". If someone has a better idea, it is very much welcome.

> >
> > One thing that comes to my mind is this:
> > http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

I will add that to the ff:

http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf

I've made the exploit code found in the appendix runnable on FreeBSD 7.1 by replacing some of the unsupported functions, but I'm still looking for a way to verify whether I've successfully written data to the intended address or not. I've replaced '/dev/xf86' with '/dev/mem'. Then I opened 'dev/io' instead of using 'i386_get_ioperm()'. Am I on the right track?

> >
> > :)
>
> Yeah, and IDA Pro rocks too :-)
>
>
> --
> Andriy Gapon