System Management Mode is an operating mode of x86central processor units in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges. It was first released with the Intel 386SL. While initially special SL versions were required for SMM, Intel incorporated SMM in its mainline 486 and Pentium processors in 1993. AMD implemented Intel's SMM with the Am386 processors in 1991. It is available in all later microprocessors in the x86 architecture.
Operation
SMM is a special-purpose operating mode provided for handling system-wide functions like power management, system hardware control, or proprietary OEM designed code. It is intended for use only by system firmware, not by applications software or general-purpose systems software. The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and software applications. In order to achieve transparency, SMM imposes certain rules. The SMM can only be entered through SMI. The processor executes the SMM code in a separate address space that has to be made inaccessible to other operating modes of the CPU by the firmware.
System Management Mode can also be abused to run high-privileged rootkits, as demonstrated at Black Hat 2008 and 2015.
Entering SMM
SMM is entered via the SMI, which is invoked by:
Motherboard hardware or chipset signaling via a designated pin SMI# of the processor chip. This signal can be an independent event.
Software SMI triggered by the system software via an I/O access to a location considered special by the motherboard logic.
An I/O write to a location which the firmware has requested that the processor chip act on.
By entering SMM, the processor looks for the first instruction at the address SMBASE + 8000H, using registers CS = 3000H and EIP = 8000H. The CS register value is due to the use of real mode memory addresses by the processor when in SMM. In this case, the CS is internally appended with 0H on its rightmost end.
Problems
By design, the operating system cannot override or disable the SMI. Due to this fact, it is a target for malicious rootkits to reside in, including NSA's "implants" which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls, :File:Nsa-ant-schoolmontana.jpg|SCHOOLMONTANA for J-series routers of the same company, :File:NSA DEITYBOUNCE.jpg|DEITYBOUNCE for DELL, or :File:NSA IRONCHEF.jpg|IRONCHEF for HP Proliant servers. Improperly designed and insufficiently tested SMM BIOS code can make the wrong assumptions and not work properly when interrupting some other modes like PAE or 64-bit long mode. According to the documentation of the Linux kernel, around 2004, such buggy implementations of the USB legacy support feature were a common cause of crashes, for example on motherboards based on the Intel E7505 chipset. Since the SMM code is installed by the system firmware, the OS and the SMM code may have expectations about hardware settings that are incompatible, such as different ideas of how the Advanced Programmable Interrupt Controller should be set up. Operations in SMM take CPU time away from the applications, operating system kernel and hypervisor, with the effects magnified for multicore processors since each SMI causes all cores to switch modes. There is also some overhead involved with switching in and out of SMM, since the CPU state must be stored to memory and any write-back caches must be flushed. This can destroy real-time behavior and cause clock ticks to get lost. The Windows and Linux kernels define an 'SMI Timeout' setting a period within which SMM handlers must return control to the operating system or it will 'hang' or 'crash'. The SMM may disrupt the behavior of real-time applications with constrained timing requirements. A logic analyzer may be required to determine if the CPU has entered SMM. Recovering the SMI handler code to analyze it for bugs, vulnerabilities and secrets requires a logic analyzer or disassembly of the system firmware.
