I'm happy to announce today that the SMI Transfer Monitor (STM) documentation and code have been released today. This aligns with my Intel Developer Forum (IDF) presentation "STTS003 - Developing Best-in-Class Security Principles with Open Source Firmware." that is now available from http://www.intel.com/idfsessionsSF.
The information can be found at https://firmware.intel.com/content/smi-transfer-monitor-stm and includes the source code of: 1) the STM, 2) a small virtualization pre-OS agent for launch/test, and 3) platform code to adapt the STM on a MinnowBoard Max platform. All of these elements are built using EDK II https://github.com/tianocore/edk2 technology.
The flow of the STM to virtualize a system management interrupt (SMI) can be seen in the figure below from my IDF presentation.
The STM is ideally suited to work with a Intel (R) Trusted Execution Technology (TXT) launch, but the recently released specification includes chapter 12 of https://firmware.intel.com/sites/default/files/STM_User_Guide-001.pdf https://www.intel.com/content/dam/develop/external/us/en/documents/stm-user-guide-001-819978.pdf for a VT-only usage. This allows for investigation and research around this technology on any system with Intel Virtualization Technology (VT) support, such as MinnowBoard Max https://firmware.intel.com/blog/security-technologies-and-minnowboard-max.
We created a companion document https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Launching_STM_to_Monitor_SMM_in_EFI_Developer_Kit_II.pdf https://www.intel.com/content/dam/develop/external/us/en/documents/a-tour-beyond-bios-launching-stm-to-monitor-smm-in-efi-developer-kit-ii-819978.pdf to describe the reference implementation https://firmware.intel.com/sites/default/files/STM_Release_1.0.zip. This document was written in the spirit of our other "Tour" documents that dive into various implementation choices https://firmware.intel.com/blog/beyond-bios.
This is a preview release of the code that matches the 1.0 specification. Longer-term we intend to migrate this capability to the http://www.tianocore.org open source firmware community, especially given the fact that the STM is intended to be integrated within the firmware. Some of the choices in the preview release included duplicating some of the EDKII base library so that the STM can be produced only by using code within the STM.zip. Going forward it may make sense to use the existing MdePkg code, possibly accreting more virtualization-specific functions, for example.
This EDKII usage on MinnowBoard Max represents only one design integration choice, too. The STM specification and resultant STM binary derived from the source code could be integrated into a EDKI, PC/AT or coreboot-based platform initialization code. The STM binary would interact with EDKII PI, PC/AT, coreboot, or other system board firmware via the interfaces defined in the 1.0 STM User Guide.
There are some other interesting announcements from IDF that I will blog about later, including exciting advances in network boot. For now, though, take a look at the STM specification and code. Any feedback will be appreciated, too.
The information can be found at https://firmware.intel.com/content/smi-transfer-monitor-stm and includes the source code of: 1) the STM, 2) a small virtualization pre-OS agent for launch/test, and 3) platform code to adapt the STM on a MinnowBoard Max platform. All of these elements are built using EDK II https://github.com/tianocore/edk2 technology.
The flow of the STM to virtualize a system management interrupt (SMI) can be seen in the figure below from my IDF presentation.
The STM is ideally suited to work with a Intel (R) Trusted Execution Technology (TXT) launch, but the recently released specification includes chapter 12 of https://firmware.intel.com/sites/default/files/STM_User_Guide-001.pdf https://www.intel.com/content/dam/develop/external/us/en/documents/stm-user-guide-001-819978.pdf for a VT-only usage. This allows for investigation and research around this technology on any system with Intel Virtualization Technology (VT) support, such as MinnowBoard Max https://firmware.intel.com/blog/security-technologies-and-minnowboard-max.
We created a companion document https://firmware.intel.com/sites/default/files/A_Tour_Beyond_BIOS_Launching_STM_to_Monitor_SMM_in_EFI_Developer_Kit_II.pdf https://www.intel.com/content/dam/develop/external/us/en/documents/a-tour-beyond-bios-launching-stm-to-monitor-smm-in-efi-developer-kit-ii-819978.pdf to describe the reference implementation https://firmware.intel.com/sites/default/files/STM_Release_1.0.zip. This document was written in the spirit of our other "Tour" documents that dive into various implementation choices https://firmware.intel.com/blog/beyond-bios.
This is a preview release of the code that matches the 1.0 specification. Longer-term we intend to migrate this capability to the http://www.tianocore.org open source firmware community, especially given the fact that the STM is intended to be integrated within the firmware. Some of the choices in the preview release included duplicating some of the EDKII base library so that the STM can be produced only by using code within the STM.zip. Going forward it may make sense to use the existing MdePkg code, possibly accreting more virtualization-specific functions, for example.
This EDKII usage on MinnowBoard Max represents only one design integration choice, too. The STM specification and resultant STM binary derived from the source code could be integrated into a EDKI, PC/AT or coreboot-based platform initialization code. The STM binary would interact with EDKII PI, PC/AT, coreboot, or other system board firmware via the interfaces defined in the 1.0 STM User Guide.
There are some other interesting announcements from IDF that I will blog about later, including exciting advances in network boot. For now, though, take a look at the STM specification and code. Any feedback will be appreciated, too.