This report documents a comprehensive audit of SMM (System Management Mode) SMI handlers in the HP Elite Dragonfly laptop EFI firmware image. Using IDA Pro with efiXplorer plugin, the analysis identified ~341 unique module entry points across a 32MB flash image (72,501 functions). The firmware uses Intel Framework SMM Dispatch protocols (not PI SMM Dispatch2), plus PCH-specific dispatch protocols — an older but still common architecture.
Key Findings:
- 15+ unique SMM modules identified, with 10 SW SMI numbers mapped
- 1 MEDIUM design concern found in Module 0405 (BIOS flash management) related to shared buffer size validation
- No CRITICAL pointer injection or arbitrary read/write vulnerabilities found — a significant improvement over the Intel S1200 baseline
- No explicit SmmIsBufferOutsideSmmValid or CommBuffer validation routines present, but the architecture doesn't expose raw CommBuffer to handlers
- HP's SMM handlers primarily operate on internal protocol interfaces and NVRAM variables rather than processing raw user-supplied data
Overall Risk Assessment: LOW-MEDIUM
- IDA Pro with efiXplorer plugin (partial annotation success)
- ida-pro-mcp MCP server — surgical decompilation, xrefs, memory reads
- idasql MCP server — bulk SQL queries across 35+ database tables
- Enumerate all module entry points and identify SMM modules by name/string correlation
- Identify dispatch protocol GUIDs via memory reads (efiXplorer did not label them)
- Trace handler registrations from entry points → init functions → Register calls
- Decompile all SW SMI handler callbacks
- Analyze each for: pointer injection, CommBuffer validation, SMRAM overlap, arbitrary R/W, TOCTOU, callouts
- efiXplorer provided minimal annotation on this image (most modules labeled as
_NNNN_entry_GUIDwith no descriptive names) - Protocol GUIDs required manual memory reads for identification
- Some modules appear 2-4 times (duplicate copies in flash) — only primary instances analyzed
- HP uses proprietary protocol interfaces; not all data flows are fully transparent
| Property | Value |
|---|---|
| File | hp_dragonfly_orig.bin |
| Size | 32 MB (0x2000000) |
| IDB Size | 0x4711200 |
| Total Functions | 72,501 |
| Module Entry Points | ~341 unique (excl. duplicates) |
| SMM Modules (named) | 15+ |
| MD5 | cc6a0622851fe39ba3773f55a811bf3d |
| SHA256 | 40c0b26a347dfa3d0e0d0979788ac3d9b8c8a62d03cba7950857899c613dc364 |
Unlike the Intel S1200 (which used standard PI SMM Dispatch2 protocols), the HP Elite Dragonfly uses Intel Framework (EDK) SMM Dispatch protocols plus Intel PCH-specific protocols:
| Protocol | GUID | Purpose |
|---|---|---|
| EFI_SMM_SW_DISPATCH_PROTOCOL | {5B1B31A1-9562-11D2-8E3F-00A0C969723B} |
Software SMI dispatch (legacy) |
| EFI_SMM_SX_DISPATCH_PROTOCOL | {107A772C-D5E1-11D4-9A46-0090273FC14D} |
Sleep state transitions |
| EFI_SMM_POWER_BUTTON_DISPATCH | {107A772B-D5E1-11D4-9A46-0090273FC14D} |
Power button events |
| EFI_SMM_USB_DISPATCH_PROTOCOL | {0784924F-E296-11D4-9A49-0090273FC14D} |
USB events |
| EFI_SMM_PERIODIC_TIMER_DISPATCH | {09576E91-6D3F-11D2-8E39-00A0C969723B} |
Periodic timer |
| Protocol | GUID | Purpose |
|---|---|---|
| PCH_SMM_SW_DISPATCH_PROTOCOL | {11B34006-D85B-4D0A-A290-D5A571310EF7} |
PCH SW SMI dispatch |
| PCH_SMM_ICHN_DISPATCH_PROTOCOL | {6A7A5CFF-E8D9-4E70-BADA-75AB3025CE14} |
PCH ICH/Northbridge events |
| PCH_SMM_IO_TRAP_DISPATCH | {18A031AB-B443-4D1A-A5C0-0C09261E9F71} |
IO port trap |
- Entry:
0x18BC288(_00CD_entry_D3120A82) - Root SMI Handler:
sub_18BC6ECat0x18BC6EC - Setup Function:
sub_18BC478at0x18BC478 - All SW SMI registrations flow through this central dispatcher
| Module Name | String Address | Role |
|---|---|---|
| PlatformAuthSmm | 0x4B130 | Platform authentication registration |
| TpmActivationPolicySmm | 0x7F250 | TPM activation policy |
| ProductionSignedBiosSmm | 0x1451D0 | Production BIOS signing verification |
| LabProductionModeSmm | 0x14C290 | Lab/production mode management |
| SecureBootPostProcessSmm | 0x40F400 | Secure Boot post-processing |
| CprPvtSmm | 0x4924E0 | HP CPR private module |
| CryptSmm | 0x510F70 | Cryptographic operations in SMM |
| GbERestoreSmm | 0x5AA110 | GbE NIC restore |
| SmcSmm | 0x8791C0 | System Management Controller SMM |
| TrustedShmLockSmm | 0x8B70B0 | Trusted shared memory locking |
| SmmHpBiosMudData | 0x8C90F0 | HP BIOS MUD data handler |
| BiosRollbackSmm | 0x9200A0 | BIOS rollback protection |
| SecureBootProtectionPolicySmm | 0x14D11E0 | Secure Boot protection policy |
| SecureBootRAPSmm | 0x15300F0 | Secure Boot RAP |
| CpuSmm | 0x1ECB2D0 | CPU-specific SMM handling |
Note: Most named SMM modules (PlatformAuthSmm, SmcSmm, CprPvtSmm, etc.) are registration stubs — they locate a management protocol and register their module name via a function call at offset +40. They do not directly register SW SMI handlers.
| Module | Entry Address | SW SMI # | Handler Callback(s) | Purpose |
|---|---|---|---|---|
| 0306 | 0x17D30A4 | 310, 311 | sub_17D3404 |
TPM/Platform feature flags |
| 0405 | 0x17D8108 | 305 | sub_17D8208, sub_17D82F8, sub_17D8298 |
BIOS flash management |
| 0528 | 0x1701124 | 12 | sub_17016A0, sub_17011B8 |
Dual-OS detection (GRUB/Ubuntu) |
| 051A | 0x1707124 | 14, 15, 16, 17 | sub_17076F4, sub_1707B2C, sub_17088A8, sub_1708988, sub_1708C48 |
Intel Optane/audio config |
| 051D | 0x1767144 | — | Various | USB port configuration |
| 062A | 0x196B124 | 269 | sub_196B2B8, sub_196B5A0 |
ODD/drive detection + BIOS lock hook |
| 0616 | 0x1971188 | — | Various | Hardware configuration |
| 0212 | 0x19E8270 | 389 | sub_19E86F4 |
Keyboard/platform support |
| Module | Entry Address | Handler Callback(s) | Purpose |
|---|---|---|---|
| 040C | 0x17FC168 | sub_17FC344, sub_17FC63C, sub_17FC87C |
USB/built-in device detection |
| 0416 | 0x18150D0 | sub_1815328 → sub_1815380 |
Power management scheduling |
| SW SMI # | Module | Trigger Method |
|---|---|---|
| 12 | 0528 | IO port 0xB2 write |
| 14-17 | 051A | IO port 0xB2 write |
| 269 | 062A | IO port 0xB2 write |
| 305 | 0405 | IO port 0xB2 write |
| 310, 311 | 0306 | IO port 0xB2 write |
| 389 | 0212 | IO port 0xB2 write |
| 37892 | 0416 | IO port 0xB2 write |
| 38421 | 051A | IO port 0xB2 write |
Location: sub_17D8208 at 0x17D8208, sub_17D82F8 at 0x17D82F8
SW SMI#: 305
Category: Potential unchecked size from shared buffer
Description:
Module 0405 manages BIOS flash update operations through a shared buffer (qword_17DA548) allocated in SMRAM via SmmAllocatePages. The buffer is 0x30000 bytes (192KB) and is populated by the dispatch protocol during SW SMI processing.
Two handlers read size values from this buffer without visible bounds checking:
Handler sub_17D8208 (one-shot flash init):
v2 = *(unsigned __int16 *)(qword_17DA548 + 12); // 16-bit size from buffer
sub_17D8D70(&unk_17DA0E0, *v1, v2 << 12); // flash write: size = v2 * 4096Maximum size: 65535 * 4096 = ~256MB of flash data.
Handler sub_17D82F8 (flash commit):
*(_DWORD *)(buffer + 16) = *(_DWORD *)(buffer + 8) + 3; // 32-bit size from buffer
sub_17D8D70(&unk_17DA0C0, *buffer, *(unsigned int *)(buffer + 16)); // flash write with this sizeMaximum size: 4GB (32-bit value).
Mitigating Factors:
- Buffer is in SMRAM — not directly writable by Ring 0; data must flow through the dispatch protocol
- Flash write functions (
sub_17D8D70) go through a dedicated BIOS flash service protocol (sub_17D8C80()), which likely implements its own bounds checking and hardware-level flash access controls sub_17D8208is protected by a one-shot flag (byte at offset 20), preventing repeated invocation- Intel hardware flash protections (BIOS_CNTL, PRR registers) provide an additional defense layer
Risk: MEDIUM — while the code doesn't perform explicit size validation, the layered architecture (dispatch protocol → SMRAM buffer → flash service protocol → hardware protections) provides defense-in-depth. An attacker would need to compromise the dispatch protocol's data path AND bypass flash hardware protections.
All other analyzed SW SMI handlers demonstrated secure design patterns:
SW SMI# 310, 311 | sub_17D3404
- Reads dispatch status bits for SMI# 310 and 311
- Sets internal boolean flags in a protocol structure
- No external data processing, no pointer dereferences from user data
SW SMI# 12 | sub_17016A0, sub_17011B8
- Reads disk sectors via internal protocol interfaces
- Scans for GRUB signature and Ubuntu bootloader files
- Sets NVRAM "HpCommonSetup" flag based on detection
- All data comes from internal protocol reads, not from caller
SW SMI# 14-17, 38421 | sub_17076F4, sub_1707B2C, sub_17088A8, etc.
- Reads NVRAM variables: "IntelOptaneOpt", "SecurityMemFlags", "HDDOptions"
- Enumerates internal protocol handles
- Toggles configuration flags
- No CommBuffer or shared memory data processing
SW SMI# 269 | sub_196B2B8, sub_196B5A0
sub_196B2B8: Reads NVRAM "HPCheckODDAnserQuery", enumerates disk handles, checks SMBIOS datasub_196B5A0: One-shot hook that wraps a protocol function with BIOS lock/unlock calls (calls protocol offset +16 before and +24 after the original handler)- No external data processing
SW SMI via Framework dispatch | sub_17FC344, sub_17FC63C, sub_17FC87C
sub_17FC344: Reads PCH GPIO register (bit 1 of register 34), one-shot USB port configsub_17FC63C: Enumerates USB handles, detects camera (type 32) and fingerprint (type 34) devices, writes NVRAM flagssub_17FC87C: Finds specific device path, replaces protocol function pointer withsub_17FC870- All data from internal handle/protocol enumeration
SW SMI# 389 | sub_19E86F4
- Reads NVRAM "PlatformSupport" and "MiscMobileKBCD" variables
- Sets internal configuration flags
- Installs a 5-function vtable as a protocol interface
- No external data processing
SW SMI# 37892 | sub_1815380
- Reads filesystem path data via internal protocol
- Processes "PowerControlSchedule" NVRAM variable
- Iterates 7 power schedule entries
- All data from trusted sources (filesystem protocol, NVRAM)
-
No raw CommBuffer exposure: Unlike PI SMM Dispatch2 handlers that directly receive CommBuffer pointers, HP's Framework dispatch architecture passes data through intermediate protocol interfaces, reducing the attack surface.
-
NVRAM-based communication: Most handlers communicate with the OS through NVRAM variables (GetVariable/SetVariable), which have built-in access control attributes (BS, RT, NV) and are handled by the variable driver with its own validation.
-
Internal protocol-based design: Handlers primarily operate on UEFI protocol interfaces obtained via
SmmLocateProtocol, not on user-supplied data structures. -
One-shot flags: Several handlers (sub_17D8208, sub_17FC344) implement one-shot flags to prevent re-execution after first invocation.
-
No embedded pointer patterns: None of the analyzed handlers dereference pointers embedded in user-controlled data structures — the primary vulnerability pattern found in the Intel S1200 SmiVariable module.
-
No explicit SMRAM validation: The image contains no
SmmIsBufferOutsideSmmValidcalls or similar buffer validation routines. While the Framework dispatch architecture may not expose raw pointers, this means there's no safety net if a code path does reach user-controlled pointers. -
Flash management buffer sizes: Module 0405 reads sizes from a shared buffer without explicit bounds checking, relying on downstream flash service validation.
-
Older Framework dispatch: The use of Intel Framework SMM dispatch (circa 2007) rather than PI SMM (2010+) means the code predates many modern SMM security improvements. However, in this case the simpler interface actually reduces attack surface.
-
Large codebase: With 72,501 functions and 341 modules, there may be additional handler registrations through less obvious mechanisms (e.g., protocol notification callbacks, deferred registration) that were not captured in this analysis.
| Aspect | Intel S1200 | HP Elite Dragonfly |
|---|---|---|
| Dispatch Protocol | PI SMM Dispatch2 | Intel Framework + PCH-specific |
| Total SMM Modules | ~28 | 15+ named (many more unnamed) |
| SW SMI Handlers | 10 | 10+ (mapped 10 SW SMI numbers) |
| Critical Vulns | 2 (SmiVariable pointer injection) | 0 |
| Medium Vulns | 1 (weak name pointer validation) | 1 (flash buffer size) |
| Low Vulns | 1 (pre-validation read) | 0 |
| CommBuffer Validation | SmmIsBufferOutsideSmmValid (buggy decompilation) | No explicit validation (not needed by architecture) |
| Pointer Injection | Cases 6/7 use embedded NVS pointers | No embedded pointer patterns found |
| Data Communication | ACPI NVS shared memory | NVRAM variables + dispatch protocol |
| Overall Risk | HIGH | LOW-MEDIUM |
-
Module 0405: Add explicit size validation before flash operations. Verify that
*(uint16*)(buffer+12) << 12does not exceed the allocated buffer size (0x30000) and that*(uint32*)(buffer+8) + 3is within acceptable flash region bounds. -
SMRAM Validation: Consider adding
SmmIsBufferOutsideSmmValidchecks as defense-in-depth, even if the current architecture doesn't directly expose CommBuffer pointers. -
Protocol Dispatch2 Migration: Consider migrating from Framework SMM dispatch to PI SMM Dispatch2 protocols. While the older protocol currently limits attack surface, it lacks modern security features like CommBuffer size validation and structured handler contexts.
-
Code Audit Depth: Given the large codebase (72K+ functions), a more exhaustive analysis of unnamed modules is recommended, particularly modules in the 0x08xx-0x09xx range which may contain security-critical code.
| Module ID | Entry Address | GUID Suffix | Identified Purpose |
|---|---|---|---|
| 00CD | 0x18BC288 | D3120A82 | PCH SMM Dispatcher |
| 0306 | 0x17D30A4 | — | TPM/Platform feature flags |
| 0405 | 0x17D8108 | 4FE1969F | BIOS flash management |
| 0416 | 0x18150D0 | 47BFCEFA | Power management |
| 040C | 0x17FC168 | 8CC64EFB | USB/built-in device detection |
| 0528 | 0x1701124 | AD966A00 | Dual-OS detection |
| 051A | 0x1707124 | C7833E83 | Intel Optane/audio config |
| 051D | 0x1767144 | 5D161F78 | USB port configuration |
| 062A | 0x196B124 | E06E47BA | ODD/drive detection |
| 0616 | 0x1971188 | 7A1A4C0A | Hardware configuration |
| 0212 | 0x19E8270 | B5784897 | Keyboard/platform support |
Audit performed: March 2026 Analyst: Claude (via IDA Pro MCP + idasql) Image: HP Elite Dragonfly EFI flash (hp_dragonfly_orig.bin)