System Management Interrupt

System Management Mode (SMM, sometimes called ring −2 in reference to protection rings) is an operating mode of x86 central processing units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system (usually residing in the computer's firmware), or a hardware-assisted debugger, is then executed with high privileges. It was first released with the Intel 386SL. AMD implemented Intel's SMM with the Am386 processors in 1991. It is available in all later microprocessors in the x86 architecture. Some ARM processors also include a Management Mode for the system firmware (such as UEFI).


Operation

SMM is a special-purpose operating mode provided for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. It is intended for use only by system firmware (BIOS or UEFI), not by application software or general-purpose system software. The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and to software applications. To achieve this transparency, SMM imposes certain rules. SMM can only be entered through an SMI (System Management Interrupt). The processor executes the SMM code in a separate address space (SMRAM) that has to be made inaccessible to the other operating modes of the CPU by the firmware. System Management Mode can address up to 4 GB of memory, as in huge real mode. In x86-64 processors, SMM can address more than 4 GB of memory, as in real address mode.


Usage

Initially, System Management Mode was used for implementing power management and hardware control features like Advanced Power Management (APM). However, BIOS manufacturers and OEMs have since relied on SMM for newer functionality like the Advanced Configuration and Power Interface (ACPI). Some uses of System Management Mode are:

* Handle system events like memory or chipset errors
* Manage system safety functions, such as shutdown on high CPU temperature
* System Management BIOS (SMBIOS)
* Advanced Configuration and Power Interface (ACPI)
* Control power management operations, such as managing the voltage regulator module and LPCIO (super I/O or embedded controller)
* Emulate a USB mouse/keyboard as a PS/2 mouse/keyboard (often referred to as "USB legacy support")
* Centralize system configuration, such as on Toshiba and IBM/Lenovo notebook computers
* Managing the Trusted Platform Module (TPM)
* BIOS-specific hardware control programs, including USB hotswap and Thunderbolt hotswap during operating system runtime

System Management Mode can also be abused to run high-privileged rootkits, as demonstrated at Black Hat 2008 and 2015.


Entering SMM

SMM is entered via the SMI (system management interrupt), which is invoked by:

* Motherboard hardware or chipset signaling via a designated pin, SMI#, of the processor chip (see "Intel's System Management Mode" by Robert R. Collins). This signal can be an independent event.
* A software SMI triggered by the system software via an I/O access to a location considered special by the motherboard logic (a particular I/O port is commonly used for this).
* An I/O write to a location which the firmware has requested that the processor chip act on.

On entering SMM, the processor fetches the first instruction at the address SMBASE (the content of the SMBASE register) + 8000h (by default 38000h), using the register values CS = 3000h and EIP = 8000h. The CS value (3000h) results from the processor's use of real-mode memory addressing while in SMM: the CS value is internally extended with 0h at its rightmost end (that is, shifted left by four bits) before EIP is added to it.
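The following is an added example, not code from the article: it works through the SMBASE/CS/EIP entry-point arithmetic described above (and its inverse, recovering SMBASE from a CS value seen in a state dump), and adds a defender's check of whether SMRAM has actually been made inaccessible to non-SMM code as the Operation section requires. The SMRAMC bit layout (G_SMRAME, D_LCK, D_CLS, D_OPEN) and the 32 KiB alignment rule for SMBASE are assumptions taken from Intel host-bridge datasheets and the Intel SDM, not from this page; the register values fed to it are constructed.

```python
# Added example, not from the article: works through the SMI entry-point
# arithmetic and a defender's SMRAM-protection check on constructed values.

DEFAULT_SMBASE = 0x30000      # power-on SMBASE; entry is therefore 38000h
SMI_ENTRY_OFFSET = 0x8000     # SMI handler always starts at SMBASE + 8000h

# ASSUMED bit layout of the Intel host-bridge SMRAMC (SMRAM Control) register,
# as used by firmware audit tools; not taken from the article.
G_SMRAME = 1 << 3   # SMRAM enabled
D_LCK    = 1 << 4   # lock: G_SMRAME/D_OPEN/D_CLS become read-only until reset
D_CLS    = 1 << 5   # close: non-SMM data accesses to the range go to VGA
D_OPEN   = 1 << 6   # open: SMRAM readable/writable from outside SMM


def smi_entry(smbase=DEFAULT_SMBASE):
    """Return (CS, EIP, linear) for the first instruction the SMI handler runs.

    In SMM the processor forms addresses real-mode style: CS is SMBASE with
    its low nibble dropped (SMBASE >> 4) and is re-extended with 0h when the
    address is built, so (CS << 4) + EIP lands exactly at SMBASE + 8000h.
    """
    if smbase & 0x7FFF:
        # Assumption from the Intel SDM: SMBASE must be 32 KiB aligned.
        raise ValueError("SMBASE must be 32 KiB aligned: %#x" % smbase)
    cs = smbase >> 4
    eip = SMI_ENTRY_OFFSET
    return cs, eip, (cs << 4) + eip


def smbase_from_cs(cs):
    """Inverse: recover a relocated SMBASE from the CS seen in an SMM state dump."""
    return cs << 4


def smram_locked(smramc):
    """Is SMRAM actually hidden from non-SMM code? Returns (ok, reason).

    SMRAM is only protected when it is enabled, not opened to normal code,
    and the control register is locked so the OS cannot later re-open it.
    """
    if not smramc & G_SMRAME:
        return False, "SMRAM not enabled (G_SMRAME clear)"
    if smramc & D_OPEN:
        return False, "SMRAM open to non-SMM code (D_OPEN set)"
    if not smramc & D_LCK:
        return False, "SMRAM configuration not locked (D_LCK clear)"
    return True, "SMRAM enabled, closed and locked"
```

Constructed register value 0x1A (G_SMRAME and D_LCK set) passes the check; 0x4A (D_OPEN set, D_LCK clear) and 0x0A (enabled but never locked) fail it.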


Problems

By design, the operating system cannot override or disable the SMI. Because of this, it is a target for malicious rootkits to reside in, including the NSA's "implants", which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls, SCHOOLMONTANA for J-series routers of the same company, DEITYBOUNCE for Dell, or IRONCHEF for HP ProLiant servers. Improperly designed and insufficiently tested SMM BIOS code can make wrong assumptions and fail to work properly when it interrupts some other x86 operating modes, such as PAE or 64-bit long mode. According to the documentation of the Linux kernel, around 2004 such buggy implementations of the USB legacy support feature were a common cause of crashes, for example on motherboards based on the Intel E7505 chipset. Since the SMM code (the SMI handler) is installed by the system firmware (BIOS), the OS and the SMM code may have incompatible expectations about hardware settings, such as different ideas of how the Advanced Programmable Interrupt Controller (APIC) should be set up.

Operations in SMM take CPU time away from the applications, the operating-system kernel and the hypervisor, with the effects magnified on multicore processors, since each SMI causes all cores to switch modes (Brian Delgado and Karen L. Karavanic, "Performance Implications of System Management Mode", 2013 IEEE International Symposium on Workload Characterization, Sep. 22–24, Portland, OR, USA). There is also some overhead involved in switching in and out of SMM, since the CPU state must be stored to memory (SMRAM) and any write-back caches must be flushed. This can destroy real-time behavior and cause clock ticks to be lost. The Windows and Linux kernels define an "SMI Timeout" setting, a period within which SMM handlers must return control to the operating system, or it will "hang" or "crash". SMM may thus disrupt the behavior of real-time applications with constrained timing requirements. A logic analyzer may be required to determine whether the CPU has entered SMM (by checking the state of the SMIACT# pin of the CPU). Recovering the SMI handler code to analyze it for bugs, vulnerabilities and secrets requires a logic analyzer or disassembly of the system firmware.


See also

* Coreboot includes an open-source SMM/SMI handler implementation for some chipsets
* Intel 80486SL
* LOADALL
* MediaGX, a processor which emulates nonexistent hardware via SMM
* Ring −3 (Intel Management Engine)
* Unified Extensible Firmware Interface (UEFI)
* Basic Input/Output System (BIOS)



Further reading

* US patent 5175853, "Transparent system interrupt", inventors James Kardach, Gregory Mathews, Cau Nguyen, Sung S. Cho, Kameswaran Sivamani, David Vannier, Shing Wong and Edward Zager, assigned to Intel Corporation; priority date 1990-10-09, filed 1991-11-06, published and granted 1992-12-29
* AMD Hammer BIOS and Kernel Developer's Guide, Chapter 6 (archived from the original on 7 December 2008)
* Intel 64 and IA-32 Architectures Developer's Manual, Volume 3C, Chapter 34