APIC: Difference between revisions

1,442 bytes added, 5 years ago
Introduced "Local APIC and x86 SMM Attacks" Section
Line 83:
}
</source>
 
== Local APIC and x86 SMM Attacks ==
The APIC was introduced to the core Intel processor architecture with [https://4donline.ihs.com/images/VipMasterIC/IC/INTL/INTLD047/INTLD047-2-1259.pdf?hkey=EF798316E3902B6ED9A73243A3159BB0 Intel's 82489DX discrete chip], around the same time that [[System Management Mode]] became available to operating systems. In the original architecture the APIC could not be mapped into memory; it only became memory-mappable with later changes.
 
Because System Management Mode's memory (SMRAM) is given a protected range of physical memory (which varies from system to system), it is possible to map the APIC's memory-mapped register window into the SMRAM range. The result is that SMM memory is pushed outside its protected range and exposed to less-privileged permission rings. Using this method, attackers can escalate their privileges into System Management Mode, which runs at a level (often called ring -2) that is protected from every higher ring.
 
In newer-generation Intel processors (starting with the [https://en.wikipedia.org/wiki/Intel_Atom Intel Atom] in 2013) this has been taken into account: an undocumented check is performed against the [[System Management Range Registers]] (SMRRs) when the APIC is relocated, ensuring that the APIC window does not overlap SMRAM. '''However''', this relies on the SMRRs being configured correctly. Otherwise the mitigation does not take effect and attackers can still use the attack.
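The following is an added example, not code from this wiki page: a user-space model of the overlap check described above, of the kind a firmware self-test or a hypervisor could run against the values it reads from the MSRs. The MSR numbers and bit layouts (IA32_APIC_BASE 0x1B, IA32_SMRR_PHYSBASE 0x1F2, IA32_SMRR_PHYSMASK 0x1F3, Valid bit 11 of PHYSMASK) are assumed from the Intel SDM rather than taken from the page, and the register values are constructed test inputs. The point it makes explicit is the caveat in the last paragraph: when the SMRR Valid bit is clear, the check has nothing to compare against and cannot refuse any relocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the "does the relocated APIC overlap SMRAM?" check.
 * Layouts assumed from the Intel SDM (not from the wiki page):
 *   IA32_APIC_BASE     (0x1B):  bits 12..MAXPHYADDR-1 = local APIC base address
 *   IA32_SMRR_PHYSBASE (0x1F2): bits 31:12 = SMRAM base, bits 7:0 = memory type
 *   IA32_SMRR_PHYSMASK (0x1F3): bits 31:12 = range mask, bit 11 = Valid
 * Values are passed in as integers so this runs in user space; real
 * firmware would obtain them with rdmsr. */

#define SMRR_VALID_BIT   (1u << 11)
#define SMRR_RANGE_MASK  0xFFFFF000u   /* bits 31:12 of PHYSBASE / PHYSMASK */
#define PAGE_MASK_4K     0xFFFFF000u   /* APIC window is one 4 KiB page */

enum apic_reloc_result {
    APIC_RELOC_OK = 0,                /* new base lies outside SMRAM */
    APIC_RELOC_OVERLAPS_SMRAM = 1,    /* new base falls inside the SMRR range: refuse it */
    APIC_RELOC_SMRR_UNCONFIGURED = 2  /* SMRR Valid bit clear: the check protects nothing */
};

enum apic_reloc_result check_apic_relocation(uint64_t smrr_physbase,
                                             uint64_t smrr_physmask,
                                             uint64_t new_apic_base)
{
    /* The caveat from the text: without a valid SMRR there is no range to
     * compare against, so the hardware check cannot block anything. */
    if (!(smrr_physmask & SMRR_VALID_BIT))
        return APIC_RELOC_SMRR_UNCONFIGURED;

    /* SMRR describes a range below 4 GiB only; a base above that cannot overlap. */
    if (new_apic_base >> 32)
        return APIC_RELOC_OK;

    uint32_t mask = (uint32_t)smrr_physmask & SMRR_RANGE_MASK;
    uint32_t base = (uint32_t)smrr_physbase & SMRR_RANGE_MASK;
    uint32_t apic = (uint32_t)new_apic_base & PAGE_MASK_4K;

    /* Same match rule as the MTRRs: an address is inside the range when
     * (addr & mask) == (base & mask). Both sides are 4 KiB granular, so
     * testing the APIC window's base page is sufficient. */
    if ((apic & mask) == (base & mask))
        return APIC_RELOC_OVERLAPS_SMRAM;
    return APIC_RELOC_OK;
}

static const char *describe(enum apic_reloc_result r)
{
    switch (r) {
    case APIC_RELOC_OK:                return "ok: outside SMRAM";
    case APIC_RELOC_OVERLAPS_SMRAM:    return "refused: overlaps SMRAM";
    case APIC_RELOC_SMRR_UNCONFIGURED: return "SMRR not valid: check ineffective";
    }
    return "?";
}

int main(void)
{
    /* Constructed SMRR: 16 MiB SMRAM at 0x7F000000, Valid bit set. */
    uint64_t physbase = 0x7F000000u;
    uint64_t physmask = 0xFF000000u | SMRR_VALID_BIT;

    printf("default APIC base 0xFEE00000: %s\n",
           describe(check_apic_relocation(physbase, physmask, 0xFEE00000u)));
    printf("APIC moved to 0x7F100000:     %s\n",
           describe(check_apic_relocation(physbase, physmask, 0x7F100000u)));
    printf("same, Valid bit clear:        %s\n",
           describe(check_apic_relocation(physbase, 0xFF000000u, 0x7F100000u)));
    return 0;
}
```

The third case is the one to watch for in a platform audit: the relocation that should be refused is reported as "check ineffective", which is exactly the state in which the mitigation the page describes does not protect SMRAM.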
 
== Local APIC registers ==