What is System Management Mode (SMM)?
System Management Mode, sometimes also called ring -2 with respect to the protection rings, is an operating mode of x86 Central Processing Units (CPUs). In this mode, the operating system and all other normal execution are suspended.
Typically, the mode allows the CPU to execute code from a separate area of memory. This area is called SMRAM, or System Management Random Access Memory.
- System Management Mode actually refers to a special-purpose operating mode that helps in handling several different functions across the system.
- The processor carries out these operations with the help of a special type of memory called SMRAM, which is available only to it and not accessible by any other program, application or the operating system.
- SMM has a variety of uses though it was initially used for power management. With its advanced features, it can handle several system events and help the firmware to run a few low-level management operations.
- This management mode helps the CPU to increase and decrease the power of any hardware item, which eventually helps in conserving the power of the system when it is in the idle state.
- The mode supports many BIOS-specific hardware control functions, such as handling USB and Thunderbolt hot swapping while the operating system is running.
Understanding System Management Mode (SMM)
System Management Mode, or SMM, is a processor mode introduced by Intel in October 1990 with the 386SL.
It allows the CPU to work transparently alongside all other programs and the operating system.
An alternate software system in the computer's firmware, or a hardware-assisted debugger, is then executed with high privileges.
In addition, SMM supports different functions throughout the system in a much better way, including:
- Power management
- Proprietary OEM design codes
- System hardware control
The process is designed to be used by the processor or the system firmware such as Basic Input Output System or BIOS and the Unified Extensible Firmware Interface or UEFI, and not by any other general-purpose system software or application software.
The most significant benefit offered by this management mode is that it provides an isolated processor environment. It is distinct from, and functions transparently with, the following:
- The operating system
- The software
- Executive applications
Transparency is achieved in SMM through different rules imposed for and by the mode. These rules include:
- The System Management Mode can only be entered and triggered through the SMI or System Management Interrupt.
- The processor can carry out the SMM code in a detached address space called SMRAM.
- SMRAM is not accessible to any other program or the operating system, nor to any other operating mode of the processor; only the firmware can access it.
SMM can address up to 4 GB of memory in a real-mode-like environment, and on x86-64 processors even more than that in real address mode.
This is a special type of memory called SMRAM or System Management Random Access Memory, which is exclusive to the CPU.
By using this special memory to operate, SMM allows the processors to power up or down any hardware item.
This, in turn, allows the computer system to conserve its power even more, as a whole, when it is in an idle state.
All later x86 microprocessors come with this mode built in.
There are also quite a few ARM processors that come with management mode for the system firmware such as UEFI.
Usually, when a computer system initializes, the firmware or BIOS has full control over it and performs whatever functions are necessary to configure operations in order to make the system ready for the operating system to take over.
However, the role of SMM is to ensure that the firmware still has some control over the system while the operating system is running, if that is what the firmware developer intends to do.
Ideally, when the platform is initialized, the entire process happens in the following way:
- The firmware configures the chipset so that it raises a System Management Interrupt for the different events the firmware should be aware of.
- In addition, the firmware assigns the part of Random Access Memory that is to be used as SMRAM and tells the processor where to jump when an SMI occurs.
- During operation, the chipset identifies the configured events and signals an SMI, which triggers the processor to enter SMM and jump to the entry point.
When the system enters SMM, the CPU fetches the first instruction at the SMBASE address using the Code Segment (CS) register value and the Extended Instruction Pointer (EIP) value.
SMM is, however, transparent to the operating system. When the system enters SMM, the firmware saves the CPU state in SMRAM. It then carries out low-level management operations such as:
- Changing the speed of the fan
- Making adjustments to the CPU speed
- Checking the thermal zones and more.
When the firmware leaves the System Management Mode, it makes sure that the state of the CPU from the SMRAM is restored.
From the point of view of the operating system, all these low-level management operations happen in the background automatically and atomically.
System Management Mode was initially used to implement power management and hardware control features such as Advanced Power Management (APM).
However, OEMs and BIOS manufacturers realized its potential and wanted to use SMM for newer functionality such as the Advanced Configuration and Power Interface (ACPI) as well.
Some other uses of the System Management Mode are:
- Handling system events such as chipset or memory errors
- Managing safety functions of the system such as shutdown during high CPU temperature
- System Management BIOS or SMBIOS
- Power management operations control and voltage regulator module management
- LPC I/O devices such as Super I/O or embedded controller management
- Emulating a USB mouse and keyboard as a PS/2 mouse and keyboard, which is referred to as USB legacy support
- Configuring a centralized system
- Managing the Trusted Platform Module or TPM
- Handling Universal Serial Bus (USB) and Thunderbolt hot swap during operating system run time and other similar BIOS-specific hardware control programs.
This specific type of management mode can also be used to run high-privileged rootkits.
How to Turn on SMM Protection?
SMM protection can be entered and triggered only through a System Management Interrupt, or SMI. This is actually a signal sent to the processor by the chipset.
You can enter SMM as follows:
- Click on the Start menu
- Type Edit group policy
- Click on it
- Click on Computer Configuration
- Select Administrative Templates
- Go to System
- Click on Device Guard
- Turn on Virtualization Based Security
- Select Secure Launch Configuration
This will invoke the SMI in the following way:
- The chipset or the motherboard hardware sends a signal, which can be a separate event, through the dedicated SMI# pin of the CPU chip.
- The system software triggers a software SMI through an I/O access, directed at a location that the motherboard logic considers special.
- An I/O write to the location requested by the firmware occurs, on which the processor then needs to act.
When all these things happen, the operating system does not have any way to know when the chipset will signal an SMI.
Therefore, it cannot catch it like it can with other interrupts. This is because the SMIs are not routed through the Interrupt Descriptor Table (IDT) or the Interrupt Vector Table (IVT).
The operating system can simply request the chipset to signal an SMI, while the handling of it remains transparent. ACPI specifies a particular port to write to in order to perform this task.
However, if there is no reason to trigger an SMI even when the OS makes a request for it to the chipset, the operating system will almost immediately regain control, and the firmware will not have much to do in that case.
How to Disable SMM?
You can disable SMM from the BIOS if the system does not respond when you deploy it or while installing updates.
The steps to follow are:
- Restart your computer while pressing and holding the F2 or Delete key to enter BIOS
- Go to System Setup
- Expand Security
- Click on SMM Security Mitigation
- Uncheck or clear it.
What is SMM Security Mitigation?
This is actually a static table defined in the ACPI namespace. The table contains flags that indicate particular types of security features used in the system.
The BIOS security mitigations in the system's firmware in particular are indicated in the Protection Flags field.
The SMM Security Mitigation table is supported by different versions of the Windows operating system including Windows 10.
These operating system versions read the table and may enable, disable, or de-feature a few specific security features depending on which SMM Protection Flags are present.
However, the presence of Protection Flags such as FIXED_COMM_BUFFERS and COMM_BUFFER_NESTED_PTR_PROTECTION will largely depend on the design of the firmware SMIs.
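As an added example (not code from the page's author), the following C program parses a WSMT image from its standard 36-byte ACPI header plus the 32-bit Protection Flags field, verifies the ACPI checksum, and decodes the two flags named above. The table bytes are constructed in the program rather than dumped from real firmware; the OEM ID and OEM Table ID strings are placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WSMT = standard 36-byte ACPI table header followed by a 32-bit Protection Flags field. */
#define WSMT_TABLE_LEN 40u
#define WSMT_FIXED_COMM_BUFFERS                0x1u
#define WSMT_COMM_BUFFER_NESTED_PTR_PROTECTION 0x2u

static uint32_t rd32(const uint8_t *p) {                /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* ACPI rule: every byte of the table, checksum byte included, must sum to 0 mod 256. */
static uint8_t acpi_sum(const uint8_t *t, size_t len) {
    uint8_t s = 0;
    for (size_t i = 0; i < len; i++) s = (uint8_t)(s + t[i]);
    return s;
}

/* Parse a WSMT image: returns 0 and stores the flags, or -1 if it is not a sane WSMT table. */
int wsmt_parse(const uint8_t *t, size_t len, uint32_t *flags_out) {
    if (len < WSMT_TABLE_LEN || memcmp(t, "WSMT", 4) != 0) return -1;
    if (rd32(t + 4) != WSMT_TABLE_LEN || acpi_sum(t, WSMT_TABLE_LEN) != 0) return -1;
    *flags_out = rd32(t + 36);                            /* Protection Flags at offset 36 */
    return 0;
}

/* Build a constructed sample table (placeholder OEM strings) carrying the given flags. */
void wsmt_build_sample(uint8_t out[WSMT_TABLE_LEN], uint32_t flags) {
    memset(out, 0, WSMT_TABLE_LEN);
    memcpy(out, "WSMT", 4);                               /* Signature */
    out[4] = WSMT_TABLE_LEN;                              /* Length (low byte; others 0) */
    out[8] = 1;                                           /* Revision */
    memcpy(out + 10, "SAMPLE", 6);                        /* OEM ID (placeholder) */
    memcpy(out + 16, "SAMPLETB", 8);                      /* OEM Table ID (placeholder) */
    out[36] = (uint8_t)flags;         out[37] = (uint8_t)(flags >> 8);
    out[38] = (uint8_t)(flags >> 16); out[39] = (uint8_t)(flags >> 24);
    out[9] = (uint8_t)(0u - acpi_sum(out, WSMT_TABLE_LEN)); /* Checksum byte at offset 9 */
}

int main(void) {
    uint8_t tbl[WSMT_TABLE_LEN]; uint32_t f = 0;
    wsmt_build_sample(tbl, WSMT_FIXED_COMM_BUFFERS | WSMT_COMM_BUFFER_NESTED_PTR_PROTECTION);
    if (wsmt_parse(tbl, sizeof tbl, &f) == 0)
        printf("fixed_comm_buffers=%d nested_ptr_protection=%d\n",
               !!(f & WSMT_FIXED_COMM_BUFFERS), !!(f & WSMT_COMM_BUFFER_NESTED_PTR_PROTECTION));
    return 0;
}
```

On a Linux host the same parser can be pointed at the bytes of /sys/firmware/acpi/tables/WSMT to see which mitigations the firmware claims.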
The Protection Flags mentioned above, however, refer only to pointer checks and input validation. They typically do not need enforcing by means of SMM page protections.
This means that it is not enough to check the pointers to see whether or not they are outside of SMM, but it is also necessary to make sure that they are essentially inside the safe regions.
This will avoid any confusion in the SMM and prevent bypassing the flagship Guard features of Windows.
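To make the pointer-check point above concrete, here is an added C example (not from the page's author) contrasting a weak SMI-handler check that only rejects pointers landing in SMRAM with a hardened check that requires the request header and its nested data pointer to lie inside the fixed comm buffer. The SMRAM and comm-buffer addresses and the request layout are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed memory map for this example, not values taken from real firmware. */
#define SMRAM_BASE    0x7F000000ull
#define SMRAM_SIZE    0x00800000ull  /* 8 MiB of SMRAM */
#define COMM_BUF_BASE 0x7E000000ull  /* fixed comm buffer reserved by firmware */
#define COMM_BUF_SIZE 0x00010000ull  /* 64 KiB */

/* Request header as the OS would place it in the comm buffer (constructed layout). */
typedef struct { uint64_t data_ptr; uint32_t data_len; } smi_request;

/* True if [addr, addr+len) lies entirely inside [base, base+size); wrap-around is rejected. */
static bool range_within(uint64_t addr, uint64_t len, uint64_t base, uint64_t size) {
    if (len == 0 || addr < base || addr - base > size) return false;
    return len <= size - (addr - base);
}

/* True if [addr, addr+len) touches [base, base+size); a wrapping range counts as touching. */
static bool range_overlaps(uint64_t addr, uint64_t len, uint64_t base, uint64_t size) {
    if (len == 0) return false;
    if (len > UINT64_MAX - addr) return true;
    return addr < base + size && addr + len > base;
}

/* Weak check: only rejects buffers that land in SMRAM. A pointer into any other memory
 * (OS kernel, device MMIO) still passes, so the handler could be confused into touching
 * it with SMM privilege, which is the case the text above warns about. */
bool weak_validate(uint64_t req_addr, const smi_request *req) {
    return !range_overlaps(req_addr, sizeof *req, SMRAM_BASE, SMRAM_SIZE) &&
           !range_overlaps(req->data_ptr, req->data_len, SMRAM_BASE, SMRAM_SIZE);
}

/* Hardened check matching FIXED_COMM_BUFFERS plus nested pointer protection: the header
 * and every pointer it carries must lie within the fixed comm buffer. */
bool hardened_validate(uint64_t req_addr, const smi_request *req) {
    return range_within(req_addr, sizeof *req, COMM_BUF_BASE, COMM_BUF_SIZE) &&
           range_within(req->data_ptr, req->data_len, COMM_BUF_BASE, COMM_BUF_SIZE);
}

int main(void) {
    smi_request ok  = { COMM_BUF_BASE + 0x100, 0x200 }; /* data inside the comm buffer */
    smi_request bad = { 0x01000000ull, 0x100 };         /* data in (constructed) kernel memory */
    printf("in-buffer request:      weak=%d hardened=%d\n",
           weak_validate(COMM_BUF_BASE, &ok), hardened_validate(COMM_BUF_BASE, &ok));
    printf("kernel-pointer request: weak=%d hardened=%d\n",
           weak_validate(COMM_BUF_BASE, &bad), hardened_validate(COMM_BUF_BASE, &bad));
    return 0;
}
```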
System Management Mode is a special type of operating mode followed by the CPU.
It is transparent and is typically designed to ensure that the operating system does not have full control over the system during initialization.
Using a special memory, this mode helps run several low-level management functions.