System Management Mode

What is System Management Mode (SMM)?

System Management Mode, sometimes informally called "ring -2" in the protection-ring model (it sits below the hypervisor's "ring -1"), is an operating mode of x86 Central Processing Units (CPUs). While the processor is in this mode, the operating system and all other normal execution are suspended.

In this mode the CPU executes code from a separate, protected region of memory called SMRAM (System Management Random Access Memory).

Understanding System Management Mode (SMM)

System Management Mode (SMM) was introduced by Intel in October 1990 with the 386SL processor.

It lets an alternate software system run with high privilege, transparently to the operating system and all other programs.

That alternate software is usually part of the computer's firmware, or a hardware-assisted debugger, and it executes with more privilege than anything else on the system.

Beyond its original purpose, SMM gives the platform a place to implement a number of system-wide functions.

It is intended for use by the processor and the system firmware, that is, the Basic Input Output System (BIOS) or the Unified Extensible Firmware Interface (UEFI), and not by general-purpose system software or application software.

Its most significant property is that it provides an isolated processor environment that is distinct from, and transparent to, the operating system and the applications running on it.

This transparency depends on a set of rules that the processor enforces on entry to and exit from SMM, and that the handler code itself must follow.

SMM executes in an environment that resembles real mode, but with the full 4 GB physical address space available; on x86-64 processors the handler can switch to 64-bit mode and address even more.

Its code and data live in SMRAM (System Management RAM), a region of system memory that the chipset makes accessible only while the processor is executing in SMM, once the firmware has locked it.

Running from this protected memory, SMM code can power individual hardware components up or down.

This lets the computer as a whole save more power when it is idle.

Intel added SMM to the mainline 486 and Pentium processors in 1993; AMD had implemented Intel's SMM in its Am386 processors in 1991.

All later x86 microprocessors include this mode.

Some ARM processors also provide a comparable management mode for system firmware such as UEFI.

Normally, when a computer boots, the firmware (BIOS or UEFI) has full control of the machine and performs whatever configuration is needed before handing it over to the operating system.

The role of SMM is to let the firmware keep some control over the system while the operating system is running, if the firmware developer chooses to use it that way.

Process:

When the platform is initialized, the firmware loads its handler into SMRAM. Every later entry into SMM then proceeds in the same way:

When an SMI arrives, the processor saves its state into the state save area in SMRAM and begins executing the handler at SMBASE + 0x8000: the Code Segment (CS) register is loaded with a base equal to SMBASE and the Extended Instruction Pointer (EIP) with 0x8000. The default SMBASE after reset is 0x30000, and firmware normally relocates it into a protected region (such as TSEG) so that SMRAM can be locked.
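The layout described above, as an added example in C (not code from the original article): given an SMBASE value, compute where the processor fetches the first instruction, which CS:EIP it loads, and where the state save area lies, and check that a relocated SMBASE keeps the whole 64 KB SMRAM window inside the TSEG range the firmware reserved. The layout constants follow the Intel SDM; the struct, function names and TSEG values are this example's own.

```c
/*
 * Added example: SMRAM layout as seen by the processor on SMI entry.
 * Per the Intel SDM: handler entry at SMBASE + 0x8000, state save area at
 * SMBASE + 0xFE00 .. SMBASE + 0xFFFF, SMBASE must be 32 KiB aligned.
 * On entry CS base = SMBASE (selector = low 16 bits of SMBASE >> 4), EIP = 0x8000.
 * Struct/function names and the TSEG numbers in main() are made up here.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SMBASE_DEFAULT     0x30000u   /* SMBASE value after reset */
#define SMM_HANDLER_OFFSET 0x8000u    /* first instruction executed on SMI */
#define SMM_SAVE_AREA_OFF  0xFE00u    /* processor state save area */
#define SMRAM_WINDOW_SIZE  0x10000u   /* 64 KiB window addressed via SMBASE */

struct smram_layout {
    uint32_t smbase;
    uint32_t entry_point;      /* SMBASE + 0x8000 */
    uint16_t cs_selector;      /* CS selector loaded on entry */
    uint32_t eip;              /* EIP loaded on entry */
    uint32_t save_area_start;  /* SMBASE + 0xFE00 */
    uint32_t save_area_end;    /* SMBASE + 0xFFFF (inclusive) */
};

/* Fills *out; returns false if smbase violates the 32 KiB alignment rule. */
bool smram_layout_from_smbase(uint32_t smbase, struct smram_layout *out)
{
    if (smbase & 0x7FFFu)
        return false;
    out->smbase          = smbase;
    out->entry_point     = smbase + SMM_HANDLER_OFFSET;
    out->cs_selector     = (uint16_t)(smbase >> 4);
    out->eip             = SMM_HANDLER_OFFSET;
    out->save_area_start = smbase + SMM_SAVE_AREA_OFF;
    out->save_area_end   = smbase + SMRAM_WINDOW_SIZE - 1;
    return true;
}

/* True if the whole SMBASE window lies inside [tseg_base, tseg_base + tseg_size).
   This is the sanity check to run after relocating SMBASE into TSEG: a window
   that hangs out of the locked region is reachable from the OS. */
bool smram_window_in_tseg(uint32_t smbase, uint64_t tseg_base, uint64_t tseg_size)
{
    uint64_t win_start = smbase;
    uint64_t win_end   = (uint64_t)smbase + SMRAM_WINDOW_SIZE; /* exclusive */
    return win_start >= tseg_base && win_end <= tseg_base + tseg_size;
}

int main(void)
{
    struct smram_layout l;
    uint32_t bases[] = { SMBASE_DEFAULT, 0x7F000000u }; /* reset value, relocated (made up) */
    for (int i = 0; i < 2; i++) {
        if (!smram_layout_from_smbase(bases[i], &l))
            continue;
        printf("SMBASE %#x: entry %#x CS %#06x EIP %#x save area %#x-%#x in TSEG: %s\n",
               l.smbase, l.entry_point, l.cs_selector, l.eip,
               l.save_area_start, l.save_area_end,
               smram_window_in_tseg(l.smbase, 0x7F000000ULL, 0x800000ULL) ? "yes" : "no");
    }
    return 0;
}
```

With the reset value 0x30000 the handler sits at 0x38000 and the save area at 0x3FE00, both in ordinary low memory that the operating system could read and write; that is why firmware relocates SMBASE before handing over control.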

Functions:

SMM is transparent to the operating system. On entry, the processor saves the CPU state in SMRAM (the handler may save additional state, such as the floating-point registers, itself), and the firmware then carries out whatever low-level management operation the SMI was raised for.

When the handler is finished it executes the RSM instruction, which restores the saved CPU state from SMRAM and resumes the interrupted code.

From the operating system's point of view, all of this happens automatically and atomically in the background.

Usage:

System Management Mode was first used to implement power management and hardware control features such as Advanced Power Management (APM).

OEMs and BIOS vendors soon recognized its potential and used it for newer functionality as well, including support for the Advanced Configuration and Power Interface (ACPI).

SMM has been put to several other uses besides these.

Because it runs beneath the operating system and outside its view, SMM can also be used to host highly privileged rootkits.

How Does the CPU Enter SMM?

SMM can be entered only through a System Management Interrupt (SMI), a hardware signal delivered to the processor, typically by the chipset.

The chipset raises an SMI in response to platform events that the firmware has enabled as SMI sources; each of them brings the processor into SMM in the same way.

The operating system has no way of knowing when the chipset will signal an SMI, and it cannot intercept one the way it can other interrupts: SMIs are not routed through the Interrupt Descriptor Table (IDT) or the Interrupt Vector Table (IVT).

The operating system can, however, ask the chipset to raise an SMI; the handling is still transparent to it. ACPI tells the OS which I/O port to write for this purpose, in the SMI_CMD field of the Fixed ACPI Description Table (FADT); writing the ACPI_ENABLE value to that port, for example, is how the OS asks the firmware to switch the platform into ACPI mode.

If the request gives the firmware nothing to do, the handler returns almost immediately and the operating system regains control.

How to Disable SMM?

SMM itself cannot be switched off by the operating system: it is a processor mode, and the firmware decides which events raise an SMI. Some firmware setup utilities do expose options that disable particular SMI sources or SMM-based features, and vendors sometimes recommend this when a system hangs during deployment or while installing updates.

The steps to follow are:

What is the SMM Security Mitigations Table?

The Windows SMM Security Mitigations Table (WSMT) is a static ACPI table, with the signature "WSMT", that the firmware publishes alongside its other ACPI tables. It contains flags indicating which SMM-related security mitigations the system implements.

Whether the firmware implements a given mitigation is indicated by a bit in the table's Protection Flags field.

The SMM Security Mitigation table is supported by different versions of the Windows operating system including Windows 10.

Windows reads the table at boot and may enable, disable, or de-feature certain security features depending on which Protection Flags are set.
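As an added example (not code from the original article or from Microsoft), here is a parser for the table as a firmware or forensics tool would read it: a standard 36-byte ACPI table header (Signature, Length, Revision, Checksum, OEMID, OEM Table ID, OEM Revision, Creator ID, Creator Revision) followed by the 32-bit Protection Flags field, 40 bytes in total. It verifies the ACPI checksum before trusting anything and reports which of the three defined mitigations the firmware does not claim. The sample table is constructed in the code, not dumped from real hardware, and the function names are this example's own.

```c
/*
 * Added example: parse and validate a WSMT ACPI table from a byte buffer.
 * Layout: 36-byte ACPI header + uint32 ProtectionFlags at offset 36.
 * The sample table built by wsmt_build_sample() is constructed, not captured.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WSMT_FIXED_COMM_BUFFERS                (1u << 0)
#define WSMT_COMM_BUFFER_NESTED_PTR_PROTECTION (1u << 1)
#define WSMT_SYSTEM_RESOURCE_PROTECTION        (1u << 2)
#define WSMT_ALL_FLAGS                         0x7u

#define ACPI_HDR_LEN 36u
#define WSMT_LEN     40u

struct wsmt_info {
    uint8_t  revision;
    char     oem_id[7];          /* 6 chars + NUL */
    uint32_t protection_flags;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* ACPI rule: every byte of the table, checksum byte included, sums to 0 mod 256. */
static bool acpi_checksum_ok(const uint8_t *tbl, uint32_t len)
{
    uint8_t sum = 0;
    for (uint32_t i = 0; i < len; i++)
        sum = (uint8_t)(sum + tbl[i]);
    return sum == 0;
}

/* 0 on success; negative codes say what was wrong with the table. */
int wsmt_parse(const uint8_t *buf, size_t buflen, struct wsmt_info *out)
{
    if (buflen < ACPI_HDR_LEN)          return -1;  /* truncated header */
    if (memcmp(buf, "WSMT", 4) != 0)    return -2;  /* not a WSMT */
    uint32_t len = rd32le(buf + 4);
    if (len < WSMT_LEN || len > buflen) return -3;  /* Length field lies */
    if (!acpi_checksum_ok(buf, len))    return -4;  /* corrupted or tampered */
    out->revision = buf[8];
    memcpy(out->oem_id, buf + 10, 6);
    out->oem_id[6] = '\0';
    out->protection_flags = rd32le(buf + ACPI_HDR_LEN);
    return 0;
}

/* Bitmask of the defined mitigations the firmware does NOT claim to implement. */
uint32_t wsmt_missing_flags(uint32_t protection_flags)
{
    return WSMT_ALL_FLAGS & ~protection_flags;
}

/* Build a constructed sample table with a valid checksum; returns its length. */
size_t wsmt_build_sample(uint8_t *buf, size_t buflen, uint32_t flags)
{
    if (buflen < WSMT_LEN)
        return 0;
    memset(buf, 0, WSMT_LEN);
    memcpy(buf, "WSMT", 4);
    buf[4] = (uint8_t)WSMT_LEN;         /* Length (little-endian, fits in a byte) */
    buf[8] = 1;                         /* Revision */
    memcpy(buf + 10, "EXAMPL", 6);      /* OEMID: made up */
    memcpy(buf + 16, "WSMTTEST", 8);    /* OEM Table ID: made up */
    for (int i = 0; i < 4; i++)
        buf[ACPI_HDR_LEN + i] = (uint8_t)(flags >> (8 * i));
    uint8_t sum = 0;
    for (uint32_t i = 0; i < WSMT_LEN; i++)
        sum = (uint8_t)(sum + buf[i]);
    buf[9] = (uint8_t)(0u - sum);       /* Checksum byte makes the total zero */
    return WSMT_LEN;
}

int main(void)
{
    uint8_t tbl[WSMT_LEN];
    struct wsmt_info info;
    wsmt_build_sample(tbl, sizeof tbl,
                      WSMT_FIXED_COMM_BUFFERS | WSMT_COMM_BUFFER_NESTED_PTR_PROTECTION);
    if (wsmt_parse(tbl, sizeof tbl, &info) == 0)
        printf("WSMT rev %u OEM %s flags 0x%x, missing 0x%x\n", info.revision,
               info.oem_id, info.protection_flags,
               wsmt_missing_flags(info.protection_flags));
    return 0;
}
```

On a live system the same parser would be pointed at the table found through the XSDT (on Linux it is also exported under /sys/firmware/acpi/tables/WSMT); the checksum check matters because a table Windows cannot validate tells it nothing about the firmware.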

Whether the firmware can set flags such as FIXED_COMM_BUFFERS and COMM_BUFFER_NESTED_PTR_PROTECTION depends on how its SMI handlers are designed.

Those handlers must read from and write to only an approved list of memory regions: memory the firmware allocated as EFI reserved, runtime-services data, or ACPI NVS memory, and memory-mapped I/O (MMIO). FIXED_COMM_BUFFERS states that the communication buffers themselves are confined to such regions; COMM_BUFFER_NESTED_PTR_PROTECTION states that the same holds for any pointers found inside those buffers.

These flags describe pointer checks and input validation only; the firmware does not have to enforce them with SMM page protections.

The important point is that it is not enough to check that a pointer lies outside SMRAM. The handler must also confirm that the pointer lies inside one of the approved regions.

Otherwise an SMI handler can be tricked into reading or writing memory it should never touch, such as memory owned by the hypervisor, which would let an attacker bypass the Windows Guard features (Device Guard and Credential Guard) that rely on virtualization-based security.
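To make the last point concrete, here is an added C example (not code from the original article or from any real firmware) of the two checks side by side: the weak "not inside SMRAM" test that a pointer into hypervisor or kernel memory sails through, and the allow-list test a WSMT-compliant handler needs for both the communication buffer and the pointer nested inside it. The memory map, the region addresses and the request format are constructed for the example, and the function names are its own.

```c
/*
 * Added example: comm-buffer validation behind the FIXED_COMM_BUFFERS and
 * COMM_BUFFER_NESTED_PTR_PROTECTION flags. SMRAM location, allowed regions
 * and the smi_msg format are made up for illustration.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed map: SMRAM (TSEG) at 0x7F000000, 8 MiB. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

struct mem_region { uint64_t base; uint64_t size; };

/* Regions the handler may touch. A WSMT handler accepts only memory of type
   EfiReservedMemoryType, EfiRuntimeServicesData, EfiACPIMemoryNVS, or MMIO;
   these particular address ranges are invented. */
static const struct mem_region allowed[] = {
    { 0x0FF00000ULL, 0x00100000ULL },   /* EfiACPIMemoryNVS */
    { 0x7E000000ULL, 0x00400000ULL },   /* EfiRuntimeServicesData */
    { 0xFED00000ULL, 0x00100000ULL },   /* MMIO */
};

/* Is [addr, addr+len) entirely inside [base, base+size)? Written so that
   addr + len can never wrap around. */
static bool range_within(uint64_t addr, uint64_t len, uint64_t base, uint64_t size)
{
    if (len == 0 || len > size || addr < base)
        return false;
    return addr - base <= size - len;
}

/* WEAK: rejects only buffers that overlap SMRAM. A pointer into hypervisor
   or kernel memory passes, so the caller can use SMM as a confused deputy. */
bool weak_comm_buffer_ok(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)
        return false;
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* STRONG: the buffer must lie entirely within one allow-listed region. */
bool comm_buffer_ok(uint64_t addr, uint64_t len)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (range_within(addr, len, allowed[i].base, allowed[i].size))
            return true;
    return false;
}

/* Constructed request format: header in the comm buffer, payload elsewhere. */
struct smi_msg {
    uint64_t data_ptr;   /* nested pointer supplied by the caller */
    uint32_t data_len;
    uint32_t op;
};

/* Validate the buffer, snapshot it into SMRAM-local storage so the caller
   cannot change it after the check, then validate the nested pointer too.
   buf_contents stands in for reading the physical comm buffer. */
bool smi_request_ok(uint64_t buf_addr, uint64_t buf_len,
                    const void *buf_contents, struct smi_msg *local)
{
    if (!comm_buffer_ok(buf_addr, buf_len) || buf_len < sizeof *local)
        return false;
    memcpy(local, buf_contents, sizeof *local);
    return comm_buffer_ok(local->data_ptr, local->data_len);
}

int main(void)
{
    /* Header in runtime-services data, payload pointer aimed at OS/hypervisor memory. */
    struct smi_msg msg = { 0x40000000ULL, 0x1000u, 1u }, local;
    printf("weak check on payload pointer: %s\n",
           weak_comm_buffer_ok(msg.data_ptr, msg.data_len) ? "accepted" : "rejected");
    printf("full request validation:       %s\n",
           smi_request_ok(0x7E001000ULL, sizeof msg, &msg, &local) ? "accepted" : "rejected");
    return 0;
}
```

The snapshot in smi_request_ok is not incidental: a handler that validates a pointer in the shared buffer and then re-reads it from that buffer can be raced by another core rewriting it between check and use, so the checked copy must be the one that is acted on.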

Conclusion

System Management Mode is a special operating mode of the CPU.

It is transparent to the operating system and exists so that the firmware retains some control over the system even after the operating system has taken over.

Running from its own protected memory, this mode carries out a range of low-level management functions.