System Management Mode (SMM, sometimes called ring −2 in reference to

protection ring In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behavior (by providing computer security). Computer ...

s) is an operating mode of

x86 x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel, based on the 8086 microprocessor and its 8-bit-external-bus variant, the 8088. Th ...

central processor units (CPUs) in which all normal execution, including the

operating system An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...

, is suspended. An alternate software system which usually resides in the computer's

firmware In computing Computing is any goal-oriented activity requiring, benefiting from, or creating computer, computing machinery. It includes the study and experimentation of algorithmic processes, and the development of both computer hardware, h ...

, or a hardware-assisted

debugger A debugger is a computer program used to test and debug other programs (the "target" programs). Common features of debuggers include the ability to run or halt the target program using breakpoints, step through code line by line, and display ...

, is then executed with high privileges. It was first released with the

Intel 386SL The Intel 386, originally released as the 80386 and later renamed i386, is the third-generation x86 architecture microprocessor from Intel. It was the first 32-bit computing, 32-bit processor in the line, making it a significant evolution in ...

. While initially special SL versions were required for SMM, Intel incorporated SMM in its mainline 486 and Pentium processors in 1993.

AMD Advanced Micro Devices, Inc. (AMD) is an American multinational corporation and technology company headquartered in Santa Clara, California and maintains significant operations in Austin, Texas. AMD is a hardware and fabless company that de ...

implemented Intel's SMM with the

Am386 The Am386 CPU is a 100%-compatible clone of the Intel 80386 design released by AMD in March 1991. It sold millions of units, positioning AMD as a legitimate competitor to Intel, rather than being merely a second source for ''x86'' CPUs (then te ...

processors in 1991. It is available in all later

microprocessor A microprocessor is a computer processor (computing), processor for which the data processing logic and control is included on a single integrated circuit (IC), or a small number of ICs. The microprocessor contains the arithmetic, logic, a ...

s in the x86

architecture Architecture is the art and technique of designing and building, as distinguished from the skills associated with construction. It is both the process and the product of sketching, conceiving, planning, designing, and construction, constructi ...

. In

ARM architecture ARM (stylised in lowercase as arm, formerly an acronym for Advanced RISC Machines and originally Acorn RISC Machine) is a family of reduced instruction set computer, RISC instruction set architectures (ISAs) for central processing unit, com ...

the Exception Level 3 (EL3) mode is also referred as Secure Monitor Mode or System Management Mode.

Operation

SMM is a special-purpose operating mode provided for handling system-wide functions like power management, system hardware control, or proprietary OEM designed code. It is intended for use only by system firmware (

BIOS In computing, BIOS (, ; Basic Input/Output System, also known as the System BIOS, ROM BIOS, BIOS ROM or PC BIOS) is a type of firmware used to provide runtime services for operating systems and programs and to perform hardware initialization d ...

UEFI Unified Extensible Firmware Interface (UEFI, as an acronym) is a Specification (technical standard), specification for the firmware Software architecture, architecture of a computing platform. When a computer booting, is powered on, the UEFI ...

), not by applications software or general-purpose systems software. The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and software applications. In order to achieve transparency, SMM imposes certain rules. The SMM can only be entered through SMI (System Management Interrupt). The processor executes the SMM code in a separate address space (SMRAM) that has to be made inaccessible to other operating modes of the CPU by the

. System Management Mode can address up to 4 GB memory as huge real mode. In

x86-64 x86-64 (also known as x64, x86_64, AMD64, and Intel 64) is a 64-bit extension of the x86 instruction set architecture, instruction set. It was announced in 1999 and first available in the AMD Opteron family in 2003. It introduces two new ope ...

processors, SMM can address >4 GB memory as real address mode.

Usage

Initially, System Management Mode was used for implementing power management and hardware control features like

Advanced Power Management Advanced power management (APM) is a technical standard for power management developed by Intel and Microsoft and released in 1992 which enables an operating system running an IBM-compatible personal computer to work with the BIOS (part of the com ...

(APM). However, BIOS manufacturers and OEMs have relied on SMM for newer functionality like

Advanced Configuration and Power Interface Advanced Configuration and Power Interface (ACPI) is an open standard that operating systems can use to discover and configure computer hardware components, to perform power management (e.g. putting unused hardware components to sleep), auto con ...

(ACPI). Some uses of the System Management Mode are: * Handle system events like memory or chipset errors * Manage system safety functions, such as shutdown on high CPU temperature *

System Management BIOS In computing, the System Management BIOS (SMBIOS) specification defines data structures (and access methods) that can be used to read management information produced by the BIOS of a computer. This eliminates the need for the operating system to ...

(SMBIOS) *

* Control

power management Power management is a feature of some electrical appliances, especially copiers, computers, computer CPUs, computer GPUs and computer peripherals such as monitors and printers, that turns off the power or switches the system to a low-power ...

operations, such as managing the

voltage regulator module A voltage regulator module (VRM), sometimes called processor power module (PPM), is a buck converter that provides the microprocessor and chipset the appropriate supply voltage, converting , or to lower voltages required by the devices, allowi ...

and LPCIO (

super I/O Super I/O (sometimes Multi-IO) is a class of I/O controller integrated circuits that began to be used on personal computer motherboards in the late 1980s, originally as add-in cards, later embedded on the motherboards. A super I/O chip combine ...

embedded controller An Embedded Controller (EC) is a microcontroller in computers that handles various system tasks. Now it is usually merged with Super I/O, especially on mobile platforms (such as laptops). Tasks An embedded controller can have the following t ...

) * Emulate

USB Universal Serial Bus (USB) is an industry standard, developed by USB Implementers Forum (USB-IF), for digital data transmission and power delivery between many types of electronics. It specifies the architecture, in particular the physical ...

mouse/keyboard as PS/2 mouse/keyboard (often referred to as ''USB legacy support'') * Centralize system configuration, such as on Toshiba and IBM/Lenovo notebook computers * Managing the

Trusted Platform Module A Trusted Platform Module (TPM) is a secure cryptoprocessor that implements the ISO/IEC 11889 standard. Common uses are verifying that the boot process starts from a trusted combination of hardware and software and storing disk encryption keys. ...

(TPM) * BIOS-specific hardware control programs, including USB hotswap and

Thunderbolt A thunderbolt or lightning bolt is a symbolic representation of lightning when accompanied by a loud thunderclap. In Indo-European mythology, the thunderbolt was identified with the 'Sky Father'; this association is also found in later Hel ...

hotswap in

runtime System Management Mode can also be abused to run high-privileged

rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the exist ...

s, as demonstrated at Black Hat 2008 and 2015.

Entering SMM

SMM is entered via the SMI (system management interrupt), which is invoked by: * Motherboard hardware or chipset signaling via a designated pin ''SMI#'' of the processor chip.Intel's System Management Mode
by Robert R. Collins This signal can be an independent event. * Software SMI triggered by the

system software System software is software designed to provide a platform for other software. An example of system software is an operating system (OS) (like macOS, Linux, Android, and Microsoft Windows). Application software is software that allows users to d ...

via an I/O access to a location considered special by the motherboard logic (port is common). * An I/O write to a location which the firmware has requested that the processor chip act on. By entering SMM, the processor looks for the first instruction at the address SMBASE (SMBASE register content) + 8000h (by default 38000h), using registers CS = 3000h and EIP = 8000h. The CS register value (3000h) is due to the use of real-mode memory addresses by the processor when in SMM. In this case, the CS is internally appended with 0h on its rightmost end.

Problems

By design, the operating system cannot override or disable the SMI. Due to this fact, it is a target for malicious rootkits to reside in, including NSA's "implants", which have individual

code name A code name, codename, call sign, or cryptonym is a code word or name used, sometimes clandestinely, to refer to another name, word, project, or person. Code names are often used for military purposes, or in espionage. They may also be used in ...

s for specific hardware, like SOUFFLETROUGH for

Juniper Networks Juniper Networks, Inc. is an American multinational corporation headquartered in Sunnyvale, California. The company develops and markets networking products, including Router (computing), routers, Network switch, switches, network management so ...

firewalls, SCHOOLMONTANA for J-series routers of the same company, DEITYBOUNCE for DELL, or IRONCHEF for HP Proliant servers. Improperly designed and insufficiently tested SMM BIOS code can make the wrong assumptions and not work properly when interrupting some other x86 operating modes like PAE or 64-bit

long mode In the x86-64 computer architecture, long mode is the mode where a 64-bit operating system can access 64-bit instructions and registers. 64-bit programs are run in a sub-mode called 64-bit mode, while 32-bit programs and 16-bit protected mod ...

. According to the documentation of the

Linux kernel The Linux kernel is a Free and open-source software, free and open source Unix-like kernel (operating system), kernel that is used in many computer systems worldwide. The kernel was created by Linus Torvalds in 1991 and was soon adopted as the k ...

, around 2004, such buggy implementations of the USB legacy support feature were a common cause of crashes, for example, on motherboards based on the Intel E7505 chipset. Since the SMM code (SMI handler) is installed by the system firmware (

), the OS and the SMM code may have expectations about hardware settings that are incompatible, such as different ideas of how the

Advanced Programmable Interrupt Controller In computing, Intel's Advanced Programmable Interrupt Controller (APIC) is a family of programmable interrupt controllers. As its name suggests, the APIC is more advanced than Intel's 8259 Programmable Interrupt Controller (PIC), particularly enabl ...

(APIC) should be set up. Operations in SMM take CPU time away from the applications, operating-system kernel and

hypervisor A hypervisor, also known as a virtual machine monitor (VMM) or virtualizer, is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called ...

, with the effects magnified for multicore processors, since each SMI causes all cores to switch modes.Brian Delgado and Karen L. Karavanic, "Performance Implications of System Management Mode", 2013 IEEE International Symposium on Workload Characterization, Sep. 22–24, Portland, OR USA. There is also some overhead involved with switching in and out of SMM, since the CPU state must be stored to memory (SMRAM) and any write-back caches must be flushed. This can destroy real-time behavior and cause clock ticks to get lost. The Windows and Linux kernels define an "SMI Timeout" setting a period within which SMM handlers must return control to the operating system, or it will " hang" or " crash". The SMM may disrupt the behavior of

real-time Real-time, realtime, or real time may refer to: Computing * Real-time computing, hardware and software systems subject to a specified time constraint * Real-time clock, a computer clock that keeps track of the current time * Real-time Control Syst ...

applications with constrained timing requirements. A

logic analyzer A logic analyzer is an electronic instrument that captures and displays multiple logic signals from a digital system or digital circuit. A logic analyzer may convert the capture into timing diagrams, protocol decodes, state machine traces, op ...

may be required to determine whether the CPU has entered SMM (checking state of ''SMIACT#'' pin of CPU). Recovering the SMI handler code to analyze it for bugs, vulnerabilities and secrets requires a logic analyzer or disassembly of the system firmware.

Operation

Usage

Entering SMM

Problems

See also

References

Further reading