System Management Mode
System Management Mode (SMM, sometimes called ring −2 in reference to protection rings) is an operating mode of x86 central processing units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system, which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges. It was first released with the Intel 386SL. While initially special SL versions were required for SMM, Intel incorporated SMM in its mainline 486 and Pentium processors in 1993. AMD implemented Intel's SMM with the Am386 processors in 1991. It is available in all later microprocessors in the x86 architecture. Some ARM processors also include a Management Mode for the system firmware (such as UEFI).


Operation

SMM is a special-purpose operating mode provided for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. It is intended for use only by system firmware (BIOS or UEFI), not by application software or general-purpose system software. The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and to application software. In order to achieve transparency, SMM imposes certain rules: SMM can only be entered through an SMI (System Management Interrupt), and the processor executes the SMM code in a separate address space (SMRAM) that the firmware has to make inaccessible to the other operating modes of the CPU. That isolation is not automatic. On Intel chipsets it depends on the firmware programming the SMRAM control register early in boot and then setting its lock bit (D_LCK), which cannot be cleared until the next reset; firmware that leaves SMRAM open or unlocked lets ordinary ring-0 code read or replace the SMI handler, which is the root of most published SMM attacks.

Within SMM the processor runs in an environment similar to real mode but with 4 GB segment limits, so a handler can address up to 4 GB of memory (often called "big real mode" or "huge real mode"). On x86-64 processors the handler starts in the same real-address-mode environment but may switch to protected or long mode from within SMM to address more than 4 GB; the processor returns to whatever mode it was interrupted in when the handler executes RSM.


Usage

Initially, System Management Mode was used for implementing power management and hardware control features like Advanced Power Management (APM). However, BIOS manufacturers and OEMs have relied on SMM for newer functionality like the Advanced Configuration and Power Interface (ACPI). Some uses of System Management Mode are:

* Handling system events like memory or chipset errors
* Managing system safety functions, such as shutdown on high CPU temperature
* System Management BIOS (SMBIOS)
* Advanced Configuration and Power Interface (ACPI)
* Controlling power management operations, such as managing the voltage regulator module and the LPC I/O device (super I/O or embedded controller)
* Emulating a USB mouse/keyboard as a PS/2 mouse/keyboard (often referred to as ''USB legacy support'')
* Centralizing system configuration, such as on Toshiba and IBM/Lenovo notebook computers
* Managing the Trusted Platform Module (TPM)
* BIOS-specific hardware control programs, including USB hotswap and Thunderbolt hotswap at operating system runtime

System Management Mode can also be abused to run high-privileged rootkits, as demonstrated at Black Hat 2008 and 2015.


Entering SMM

SMM is entered via the SMI (system management interrupt), which is invoked by:

* Motherboard hardware or chipset signaling via the designated pin ''SMI#'' of the processor chip (Robert R. Collins, ''Intel's System Management Mode''). This signal can be an independent event.
* A software SMI triggered by the system software via an I/O access to a port that the motherboard logic treats as special; ACPI platforms advertise this port to the operating system in the SMI_CMD field of the FADT.
* An I/O write to a location which the firmware has requested that the processor chip act on.

On entering SMM, the processor saves its register state into SMRAM and fetches the first instruction at the address SMBASE (the content of the SMBASE register) + 8000h, which is 38000h by default because SMBASE defaults to 30000h, using CS = 3000h and EIP = 8000h. The CS value of 3000h follows from the real-mode address formation the processor uses in SMM: the physical address is CS shifted left by four bits (a 0h appended on its right) plus EIP, so 3000h:8000h = 38000h. Firmware normally relocates SMBASE by rewriting the SMBASE field in the SMM state save area before RSM, so on a production system the handler usually lives somewhere other than the default address.
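A worked example for the software-SMI path and the entry address described above, written for this page and not code from Intel, AMD or any firmware vendor. It reads the SMI_CMD port that the ACPI FADT advertises (assumption: the table Linux exposes at /sys/firmware/acpi/tables/FACP, with SMI_CMD as the 32-bit field at byte offset 48 per the ACPI FADT layout), validates the table checksum, computes the default SMI entry point the way the processor does, and, if you pass a command byte and run it as root on Linux/x86, writes that byte to the port and times the round trip with the TSC. The 64-byte FADT built inside the program is constructed test data; the port B2h in it is the APM_CNT value most Intel-chipset boards report (an assumption about typical platforms), and the command byte is whatever your firmware's handler expects, since there is no universally harmless value.

```c
/*
 * Added example, not code from the page, from Intel, or from any firmware
 * vendor: find the software-SMI command port a platform advertises and,
 * optionally, fire a software SMI and time the round trip.
 *
 * Assumptions (not stated by the page):
 *  - The FADT is exposed by Linux at /sys/firmware/acpi/tables/FACP, and
 *    SMI_CMD is the 32-bit little-endian field at byte offset 48 of it
 *    (ACPI FADT layout; the first 36 bytes are the common table header).
 *  - The constructed sample table below uses port B2h, the value most
 *    Intel-chipset boards report (APM_CNT); your platform may differ.
 *  - Firing an SMI needs Linux on x86, root, and a command byte that your
 *    firmware's handler understands; an arbitrary byte may do nothing or
 *    may do something you did not want.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACPI_HDR_LEN        36u   /* common ACPI table header */
#define FADT_SMI_CMD_OFFSET 48u   /* SMI_CMD field inside the FADT */
#define FADT_MIN_LEN        (FADT_SMI_CMD_OFFSET + 4u)

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* ACPI tables carry an 8-bit checksum at header offset 9 chosen so that all
 * Length bytes of the table sum to zero (mod 256). Returns 1 if the table's
 * own Length fits in `len` and the sum checks out, else 0. */
static int acpi_table_checksum_ok(const uint8_t *t, size_t len)
{
    if (len < ACPI_HDR_LEN) return 0;
    uint32_t tlen = le32(t + 4);
    if (tlen < ACPI_HDR_LEN || tlen > len) return 0;
    uint8_t sum = 0;
    for (uint32_t i = 0; i < tlen; i++) sum = (uint8_t)(sum + t[i]);
    return sum == 0;
}

/* SMI_CMD port from a raw FADT image; 0 if the image is too short, has the
 * wrong signature, fails its checksum, or reports no software-SMI port
 * (reduced-hardware ACPI platforms legitimately report 0). */
static uint32_t fadt_smi_cmd_port(const uint8_t *fadt, size_t len)
{
    if (len < FADT_MIN_LEN || memcmp(fadt, "FACP", 4) != 0) return 0;
    if (!acpi_table_checksum_ok(fadt, len) || le32(fadt + 4) < FADT_MIN_LEN) return 0;
    return le32(fadt + FADT_SMI_CMD_OFFSET);
}

/* Where the processor fetches the first handler instruction after an SMI:
 * SMBASE + 8000h, reached as real-mode CS:IP with CS = SMBASE >> 4 and
 * IP = 8000h (physical = CS << 4 + IP). Default SMBASE 30000h gives 38000h. */
static uint32_t smm_entry_linear(uint32_t smbase)          { return smbase + 0x8000u; }
static uint16_t smm_entry_cs(uint32_t smbase)              { return (uint16_t)(smbase >> 4); }
static uint32_t real_mode_linear(uint16_t cs, uint16_t ip) { return ((uint32_t)cs << 4) + ip; }

/* Constructed 64-byte FADT (sample data, not captured from hardware):
 * signature, Length, SMI_CMD = B2h and a valid checksum; everything else 0. */
#define SAMPLE_FADT_LEN 64u
static const uint8_t *sample_fadt(void)
{
    static uint8_t t[SAMPLE_FADT_LEN];
    memset(t, 0, sizeof t);
    memcpy(t, "FACP", 4);
    t[4] = SAMPLE_FADT_LEN;          /* Length (little-endian; fits in one byte) */
    t[FADT_SMI_CMD_OFFSET] = 0xB2;   /* SMI_CMD = 00B2h */
    uint8_t sum = 0;
    for (size_t i = 0; i < sizeof t; i++) sum = (uint8_t)(sum + t[i]);
    t[9] = (uint8_t)(0u - sum);      /* checksum byte makes the whole table sum to zero */
    return t;
}

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>
#include <x86intrin.h>
/* Write one command byte to the SMI_CMD port and return the TSC cycles the
 * write took. If the chipset raises an SMI, that span covers the whole round
 * trip: state save into SMRAM, handler execution, RSM. Needs root (ioperm). */
static uint64_t trigger_software_smi(uint32_t port, uint8_t cmd)
{
    if (port > 0xFFFF || ioperm(port, 1, 1) != 0) { perror("ioperm"); return 0; }
    uint64_t t0 = __rdtsc();
    outb(cmd, (unsigned short)port);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#else
static uint64_t trigger_software_smi(uint32_t port, uint8_t cmd)
{
    (void)port; (void)cmd;
    fputs("software SMI trigger only implemented for Linux/x86\n", stderr);
    return 0;
}
#endif

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    FILE *f = fopen("/sys/firmware/acpi/tables/FACP", "rb");
    if (!f) { perror("FACP"); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    uint32_t port = fadt_smi_cmd_port(buf, n);
    printf("FADT SMI_CMD port: %#x\n", (unsigned)port);
    printf("default SMI entry: %04x:%04x = %#x\n", (unsigned)smm_entry_cs(0x30000), 0x8000u,
           (unsigned)smm_entry_linear(0x30000));
    if (port && argc > 1) {   /* argv[1]: command byte in hex, e.g. "0x00" */
        uint8_t cmd = (uint8_t)strtoul(argv[1], NULL, 16);
        printf("SMI round trip: %llu TSC cycles\n", (unsigned long long)trigger_software_smi(port, cmd));
    }
    return 0;
}
```

Run it without arguments first: it only reads the FADT and prints the port. A round trip of tens of thousands of cycles for a single `outb` is the SMI itself, which is the quickest user-space confirmation that a software SMI reached firmware; fuzzing SMI handlers starts from exactly this primitive, so keep the trigger behind root and an explicit argument.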


Problems

By design, the operating system cannot override or disable the SMI. Due to this fact, it is a target for malicious rootkits to reside in, including the NSA's "implants", which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls, SCHOOLMONTANA for J-series routers of the same company, DEITYBOUNCE for Dell, or IRONCHEF for HP ProLiant servers.

Improperly designed and insufficiently tested SMM BIOS code can make the wrong assumptions and not work properly when interrupting some other x86 operating modes like PAE or 64-bit long mode. According to the documentation of the Linux kernel, around 2004, such buggy implementations of the USB legacy support feature were a common cause of crashes, for example, on motherboards based on the Intel E7505 chipset. Since the SMM code (SMI handler) is installed by the system firmware (BIOS), the OS and the SMM code may have expectations about hardware settings that are incompatible, such as different ideas of how the Advanced Programmable Interrupt Controller (APIC) should be set up.

Operations in SMM take CPU time away from the applications, operating-system kernel and hypervisor, with the effects magnified for multicore processors, since each SMI causes all cores to switch modes (Brian Delgado and Karen L. Karavanic, "Performance Implications of System Management Mode", 2013 IEEE International Symposium on Workload Characterization, Sep. 22–24, Portland, OR, USA). There is also some overhead involved with switching in and out of SMM, since the CPU state must be stored to memory (SMRAM) and any write-back caches must be flushed. This can destroy real-time behavior and cause clock ticks to get lost. The Windows and Linux kernels define an "SMI timeout", a period within which SMM handlers must return control to the operating system, or it will "hang" or "crash". SMM may disrupt the behavior of real-time applications with constrained timing requirements.

A logic analyzer may be required to determine whether the CPU has entered SMM (checking the state of the ''SMIACT#'' pin of the CPU). Recovering the SMI handler code to analyze it for bugs, vulnerabilities and secrets requires a logic analyzer or disassembly of the system firmware.
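For the timing disruption described above, an added example (not code from the page, from Linux or from Windows) that does from user space what the logic analyzer does from the pins: it samples the time-stamp counter in a tight loop and reports any step far longer than the loop itself, the same idea as the Linux hwlat tracer. Assumptions not stated by the page: the host is x86 with an invariant TSC; the corroborating counter MSR_SMI_COUNT (0x34) is an Intel-specific register readable through Linux's msr driver as root; the 100000-cycle threshold is roughly 30 to 50 microseconds at 2 to 3 GHz and should be tuned. The seven-sample series inside the program is constructed test data, not a capture.

```c
/*
 * Added example, not code from the page or from any kernel: spot SMI-sized
 * stalls from user space by sampling the time-stamp counter in a tight loop.
 * A step between two consecutive samples that is far larger than the loop
 * means this core was not executing our code: an SMI is one cause,
 * preemption and interrupts are others, so pin the thread, give it real-time
 * priority, and trust only gaps that keep recurring.
 *
 * Assumptions not stated by the page: x86 host with an invariant TSC;
 * MSR_SMI_COUNT (0x34) is Intel-specific and read via Linux's msr driver as
 * root; the 100000-cycle threshold (~30-50 us at 2-3 GHz) needs tuning.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

struct gap { size_t index; uint64_t cycles; };  /* sample at which the stall ended, its length */

/* Walk consecutive timestamps; every step above `threshold` cycles is a gap.
 * The first `max_out` gaps are written to `out` (may be NULL with max_out 0);
 * the return value counts all of them, so the caller can see overflow. */
static size_t find_gaps(const uint64_t *ts, size_t n, uint64_t threshold,
                        struct gap *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 1; i < n; i++) {
        uint64_t d = ts[i] - ts[i - 1];
        if (d > threshold) {
            if (found < max_out) { out[found].index = i; out[found].cycles = d; }
            found++;
        }
    }
    return found;
}

/* First gap above `threshold`, or {0, 0} when there is none. */
static struct gap first_gap(const uint64_t *ts, size_t n, uint64_t threshold)
{
    struct gap g = { 0, 0 };
    find_gaps(ts, n, threshold, &g, 1);
    return g;
}

/* Largest single step in the series (0 for fewer than two samples). */
static uint64_t max_step(const uint64_t *ts, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 1; i < n; i++)
        if (ts[i] - ts[i - 1] > m) m = ts[i] - ts[i - 1];
    return m;
}

/* MSR_SMI_COUNT (0x34, Intel) for `cpu` via /dev/cpu/N/msr; -1 if unreadable.
 * A gap that coincides with this counter incrementing was an SMI. */
static long long read_smi_count(int cpu)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    uint64_t v = 0;
    ssize_t r = pread(fd, &v, sizeof v, 0x34);
    close(fd);
    return r == (ssize_t)sizeof v ? (long long)v : -1;
}

/* Constructed series (not a real capture): a 20-cycle loop with one
 * 89000-cycle stall between samples 2 and 3. */
static const uint64_t sample_ts[] = { 1000, 1020, 1040, 90040, 90060, 90080, 90100 };
#define SAMPLE_N (sizeof sample_ts / sizeof sample_ts[0])

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static int sample_tsc(uint64_t *ts, size_t n)
{
    for (size_t i = 0; i < n; i++) ts[i] = __rdtsc();
    return 1;
}
#else
static int sample_tsc(uint64_t *ts, size_t n) { (void)ts; (void)n; return 0; }
#endif

int main(void)
{
    enum { N = 1 << 20, MAXG = 16 };
    static uint64_t ts[N];
    struct gap gaps[MAXG];
    long long smi0 = read_smi_count(0);
    if (!sample_tsc(ts, N)) { fputs("no TSC on this architecture\n", stderr); return 1; }
    long long smi1 = read_smi_count(0);
    size_t found = find_gaps(ts, N, 100000, gaps, MAXG);
    printf("%zu gaps > 100000 cycles, largest step %llu cycles\n",
           found, (unsigned long long)max_step(ts, N));
    for (size_t i = 0; i < found && i < MAXG; i++)
        printf("  gap at sample %zu: %llu cycles\n", gaps[i].index, (unsigned long long)gaps[i].cycles);
    if (smi0 >= 0 && smi1 >= 0) printf("MSR_SMI_COUNT delta: %lld\n", smi1 - smi0);
    else puts("MSR_SMI_COUNT unavailable (not Intel, no msr driver, or not root)");
    return 0;
}
```

Run it pinned to one core (`taskset -c 0`) with `chrt -f 90` so that scheduler noise does not masquerade as firmware; a gap that recurs at a fixed period and moves the SMI counter is the firmware's periodic SMI, and its length is the latency a real-time workload has to absorb.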


See also

* Coreboot, which includes an open-source SMM/SMI handler implementation for some chipsets
* Intel 80486SL
* LOADALL
* MediaGX, a processor which emulates nonexistent hardware via SMM
* Ring −3
* Unified Extensible Firmware Interface (UEFI)
* Basic Input/Output System (BIOS)


References

* Robert R. Collins, ''Intel's System Management Mode''
* Brian Delgado and Karen L. Karavanic, "Performance Implications of System Management Mode", 2013 IEEE International Symposium on Workload Characterization, Sep. 22–24, Portland, OR, USA


Further reading

* US patent 5175853, "Transparent system interrupt", James Kardach, Gregory Mathews, Cau Nguyen, Sung S. Cho, Kameswaran Sivamani, David Vannier, Shing Wong, Edward Zager; assigned to Intel Corporation; priority date 1990-10-09, filed 1991-11-06, granted 1992-12-29
* AMD Hammer BIOS and Kernel Developer's Guide, Chapter 6 (archived from the original on 7 December 2008)
* Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3C, Chapter 34