System Management Mode

System Management Mode (SMM, sometimes called ring −2 in reference to protection rings) is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system, which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges. It was first released with the Intel 386SL. While initially special SL versions were required for SMM, Intel incorporated SMM in its mainline 486 and Pentium processors in 1993. AMD implemented Intel's SMM with the Am386 processors in 1991. It is available in all later microprocessors in the x86 architecture. Some ARM processors also include the Management Mode, for the system firmware (such as UEFI).


Operation

SMM is a special-purpose operating mode provided for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. It is intended for use only by system firmware (BIOS or UEFI), not by application software or general-purpose system software. The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and to software applications. In order to achieve this transparency, SMM imposes certain rules. SMM can only be entered through an SMI (System Management Interrupt). The processor executes the SMM code in a separate address space (SMRAM) that has to be made inaccessible to the other operating modes of the CPU by the firmware. System Management Mode can address up to 4 GB of memory, as in huge real mode. In x86-64 processors, SMM can address more than 4 GB of memory as real address mode.


Usage

Initially, System Management Mode was used for implementing power management and hardware control features like Advanced Power Management (APM). However, BIOS manufacturers and OEMs have relied on SMM for newer functionality like Advanced Configuration and Power Interface (ACPI). Some uses of the System Management Mode are:

* Handle system events like memory or chipset errors
* Manage system safety functions, such as shutdown on high CPU temperature
* System Management BIOS (SMBIOS)
* Advanced Configuration and Power Interface (ACPI)
* Control power management operations, such as managing the voltage regulator module and LPCIO (super I/O or embedded controller)
* Emulate USB mouse/keyboard as PS/2 mouse/keyboard (often referred to as ''USB legacy support'')
* Centralize system configuration, such as on Toshiba and IBM/Lenovo notebook computers
* Managing the Trusted Platform Module (TPM)
* BIOS-specific hardware control programs, including USB hotswap and Thunderbolt hotswap in operating system runtime

System Management Mode can also be abused to run high-privileged rootkits, as demonstrated at Black Hat 2008 and 2015.


Entering SMM

SMM is entered via the SMI (system management interrupt), which is invoked by:

* Motherboard hardware or chipset signaling via a designated pin ''SMI#'' of the processor chip (Robert R. Collins, "Intel's System Management Mode"). This signal can be an independent event.
* A software SMI triggered by the system software via an I/O access to a location considered special by the motherboard logic (a particular port is commonly used).
* An I/O write to a location which the firmware has requested that the processor chip act on.

Upon entering SMM, the processor looks for the first instruction at the address SMBASE (the SMBASE register content) + 8000h (by default 38000h), using registers CS = 3000h and EIP = 8000h. The CS register value (3000h) is due to the use of real-mode memory addresses by the processor when in SMM: the CS value is internally appended with 0h on its rightmost end.
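As an added illustration of the SMRAM isolation rule in the Operation section and the entry-point rule above (added here; not code from the article, Intel, or any firmware), this C model computes where the processor begins executing after an SMI and checks whether an access from outside SMM could still reach the handler before and after the firmware locks SMRAM. The state save area offset (FE00h) is taken from the Intel SDM's SMRAM state save map; the open/lock control structure is a constructed simplification of chipset SMRAM control, not a real register layout.

```c
#include <stdbool.h>
#include <stdint.h>

/* Entry rule from the article: after an SMI the first instruction is fetched
 * at SMBASE + 8000h with CS = SMBASE >> 4 and EIP = 8000h; the CPU forms the
 * address real-mode style, CS with 0h appended (CS << 4) plus EIP.  The save
 * area offset FE00h is the Intel SDM's state save map, not from the article. */
#define SMM_DEFAULT_SMBASE 0x30000u
#define SMM_ENTRY_OFFSET   0x8000u
#define SMM_SAVE_OFFSET    0xFE00u
#define SMRAM_DEFAULT_SIZE 0x10000u  /* 64 KB: handler code, data, save area */

struct smm_entry { uint16_t cs; uint32_t eip; uint32_t linear; };

struct smm_entry smm_entry_point(uint32_t smbase) {
    struct smm_entry e;
    e.cs = (uint16_t)(smbase >> 4);  /* 30000h -> 3000h (16-bit selector) */
    e.eip = SMM_ENTRY_OFFSET;
    e.linear = smbase + e.eip;       /* CS base is SMBASE itself, so this also
                                        holds for an SMBASE relocated above 1 MB */
    return e;
}
uint32_t smm_state_save_base(uint32_t smbase) { return smbase + SMM_SAVE_OFFSET; }

/* Constructed model (not a real register layout) of the firmware duty the
 * article states: SMRAM must be inaccessible to every non-SMM mode.  While
 * "open" any access reaches SMRAM; once locked it is SMM-only until reset. */
struct smram_ctl { uint32_t base, size; bool open, locked; };

struct smram_ctl smram_default(void) {
    struct smram_ctl c = { SMM_DEFAULT_SMBASE, SMRAM_DEFAULT_SIZE, false, false };
    return c;
}
bool smram_open(struct smram_ctl *c) { if (c->locked) return false; c->open = true; return true; }
void smram_lock(struct smram_ctl *c) { c->open = false; c->locked = true; }
/* Does an access to physical address addr land in SMRAM for the given mode? */
bool smram_reachable(const struct smram_ctl *c, uint32_t addr, bool in_smm) {
    if (addr < c->base || addr - c->base >= c->size) return false;
    return in_smm || c->open;
}
/* Firmware install sequence; returns true if OS-mode code could still reach
 * the handler afterwards, i.e. the isolation the article requires is broken. */
bool handler_exposed_after_install(bool forget_lock) {
    struct smram_ctl c = smram_default();
    smram_open(&c);                                   /* open to copy the handler in */
    uint32_t entry = smm_entry_point(c.base).linear;  /* 38000h */
    if (!forget_lock) smram_lock(&c);                 /* correct: close and lock */
    return smram_reachable(&c, entry, false);
}
```

A firmware that forgets the lock step leaves the handler and the CPU's saved state reachable from the operating system, which is exactly the condition a rootkit needs to persist in SMM.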


Problems

By design, the operating system cannot override or disable the SMI. Due to this fact, it is a target for malicious rootkits to reside in, including NSA's "implants", which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls, SCHOOLMONTANA for J-series routers of the same company, DEITYBOUNCE for DELL, or IRONCHEF for HP Proliant servers.

Improperly designed and insufficiently tested SMM BIOS code can make the wrong assumptions and not work properly when interrupting some other x86 operating modes like PAE or 64-bit long mode. According to the documentation of the Linux kernel, around 2004, such buggy implementations of the USB legacy support feature were a common cause of crashes, for example, on motherboards based on the Intel E7505 chipset. Since the SMM code (SMI handler) is installed by the system firmware (BIOS), the OS and the SMM code may have expectations about hardware settings that are incompatible, such as different ideas of how the Advanced Programmable Interrupt Controller (APIC) should be set up.

Operations in SMM take CPU time away from the applications, operating-system kernel and hypervisor, with the effects magnified for multicore processors, since each SMI causes all cores to switch modes (Brian Delgado and Karen L. Karavanic, "Performance Implications of System Management Mode", 2013 IEEE International Symposium on Workload Characterization, Sep. 22–24, Portland, OR, USA). There is also some overhead involved with switching in and out of SMM, since the CPU state must be stored to memory (SMRAM) and any write-back caches must be flushed. This can destroy real-time behavior and cause clock ticks to get lost. The Windows and Linux kernels define an "SMI Timeout" setting: a period within which SMM handlers must return control to the operating system, or it will "hang" or "crash". The SMM may disrupt the behavior of real-time applications with constrained timing requirements.

A logic analyzer may be required to determine whether the CPU has entered SMM (checking the state of the ''SMIACT#'' pin of the CPU). Recovering the SMI handler code to analyze it for bugs, vulnerabilities and secrets requires a logic analyzer or disassembly of the system firmware.


See also

* Coreboot includes an open-source SMM/SMI handler implementation for some chipsets
* Intel 80486SL
* LOADALL
* MediaGX, a processor which emulates nonexistent hardware via SMM
* Ring −3
* Unified Extensible Firmware Interface (UEFI)
* Basic Input/Output System (BIOS)


Further reading

* US patent 5175853, "Transparent system interrupt", inventors James Kardach, Gregory Mathews, Cau Nguyen, Sung S. Cho, Kameswaran Sivamani, David Vannier, Shing Wong and Edward Zager; assigned to Intel Corporation; priority date 1990-10-09, filed 1991-11-06, published and granted 1992-12-29
* AMD Hammer BIOS and Kernel Developer's Guide, Chapter 6 (archived from the original on 7 December 2008)
* Intel 64 and IA-32 Architectures Developer's Manual, Volume 3C, Chapter 34