World Library  
Flag as Inappropriate
Email this Article

System Management Mode

Article Id: WHEBN0003362916
Reproduction Date:

Title: System Management Mode  
Author: World Heritage Encyclopedia
Language: English
Subject: Unified Extensible Firmware Interface, Intel 80486SL, Real mode, Active State Power Management, Intel 80386
Publisher: World Heritage Encyclopedia

System Management Mode

System Management Mode (SMM) is an operating mode in which all normal execution (including the operating system) is suspended, and special separate software (usually firmware or a hardware-assisted debugger) is executed in high-privilege mode.

It was first released with the Intel 386SL.[1] While initially special SL versions were required for SMM, Intel incorporated SMM in its mainline 486 and Pentium processors in 1993. AMD copied Intel's SMM with the Enhanced Am486 processors in 1994. It is available in all later microprocessors in the x86 architecture.


SMM is a special-purpose operating mode provided for handling system-wide functions like power management, system hardware control, or proprietary OEM designed code. It is intended for use only by system firmware, not by applications software or general-purpose systems software. The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and software applications.

In order to achieve transparency, SMM imposes certain rules. The SMM can only be entered through SMI (System Management Interrupt). The processor executes the SMM code in a separate address space that is inaccessible to other operating modes of the CPU.[2]


Initially, System Management Mode was used for implementing Advanced Power Management (APM) features. However, over time, some BIOS manufacturers have relied on SMM for other functionality like making an USB keyboard work in real mode.[3]

Some uses of the System Management Mode are:

  • Handle system events like memory or chipset errors.
  • Manage system safety functions, such as shutdown on high CPU temperature and turning the fans on and off.
  • Security functions, such as flash device lock down require SMM support on some chipsets.
  • Deeper sleep power management support on Intel systems.
  • Control power management operations, such as managing the voltage regulator modules.
  • Emulate motherboard hardware that is unimplemented or buggy.
  • Emulate a [4]
  • Centralize system configuration, such as on Toshiba and IBM notebook computers.
  • Breaking into SMM to run high-privileged rootkits as shown at Black Hat 2008.[5]
  • Emulate or forward calls to a Trusted Platform Module (TPM).[6]

Entering SMM

SMM is entered via the SMI (system management interrupt), which is caused by:

  • Motherboard hardware or chipset signaling via a designated pin SMI# of the processor chip.[7] This signal can be an independent event.
  • Software SMI triggered by the system software via an I/O access to a location considered special by the motherboard logic (port 0B2h is common).
  • An I/O write to a location which the firmware has requested that the processor chip act on.


NSA's SOUFFLETROUGH "implant", a SMM-based rootkit.

By design, the operating system cannot override or disable the SMI. Due to this fact, it is a target for malicious rootkits to reside in,[8][9][10] including NSA's "implants"[11] which have individual code names for specific hardware, like SOUFFLETROUGH for Juniper Networks firewalls,[12] SCHOOLMONTANA for J-series routers of the same company,[13] DEITYBOUNCE for DELL,[14] or IRONCHEF for HP Proliant servers.[15]

Improperly designed and insufficiently tested SMM BIOS code can make the wrong assumptions and not work properly when interrupting some other modes like [4]

Since the SMM code (SMI handler) is installed by the system firmware (BIOS), the OS and the SMM code may have expectations about hardware settings that are incompatible, such as different ideas of how the Advanced Programmable Interrupt Controller (APIC) should be set up.

Operations in SMM take CPU time away from the applications, operating system kernel and hypervisor, with the effects magnified for multicore processors since each SMI causes all cores to switch modes.[16] There is also some overhead involved with switching in and out of SMM, since the CPU state must be stored to memory (SMRAM) and any write-back caches must be flushed. This can destroy real-time behavior and cause clock ticks to get lost. The Windows and Linux kernels define an ‘SMI Timeout’ setting a period within which SMM handlers must return control to the operating system or it will ‘hang’ or ‘crash’.

The SMM may disrupt the behavior of real-time applications with constrained timing requirements.

A digital logic analyzer may be required to determine if the CPU has entered SMM (checking state of SMIACT# pin of CPU).[7] Recovering the SMI handler code to analyze it for bugs, vulnerabilities and secrets requires a logic analyzer or disassembly of the system firmware.

See also


  1. ^ SMIs Are EEEEVIL (Part 1)
  2. ^ Intel 32/64 Architectures Software Developer’s Manual Volume 3B: System Programming Guide, Part 2
  3. ^ SMIs Are EEEEVIL (Part 2)
  4. ^ a b Vojtech Pavlik (January 2004). "Linux kernel documentation". USB Legacy support. Retrieved 2013-10-06. 
  5. ^ Hackers find a new place to hide rootkits
  6. ^ Google Tech Talks - Coreboot - 00:34:30
  7. ^ a b Intel's System Management Mode by Robert R. Collins
  8. ^ Loïc Duflot. "Security Issues Related to Pentium System Management Mode" (PDF). Retrieved 2013-10-06. 
  9. ^ Shawn Embleton; Sherri Sparks; Cliff Zou (September 2008). "SMM Rootkits: A New Breed of OS Independent Malware" (PDF). ACM. Retrieved 2013-10-06. 
  10. ^ "Hackers Find a New Place to Hide Rootkits". PC World. 2008-05-09. Retrieved 2013-10-06. 
  11. ^ #1 Source for Leaks Around the World! (2013-12-30). "NSA’s ANT Division Catalog of Exploits for Nearly Every Major Software/Hardware/Firmware | LeakSource". Retrieved 2014-01-13. 
  12. ^ Posted on January 13, 2014 at 2:45 PM • 2 Comments (2013-12-30). "Schneier on Security: SOUFFLETROUGH: NSA Exploit of the Day". Retrieved 2014-01-13. 
  13. ^ Posted on January 15, 2014 at 2:56 PM • 6 Comments (2008-05-30). "Schneier on Security: SCHOOLMONTANA: NSA Exploit of the Day". Retrieved 2014-01-16. 
  14. ^
  15. ^ "Schneier on Security: IRONCHEF: NSA Exploit of the Day". January 3, 2014. Retrieved 2014-01-13. 
  16. ^ Brian Delgado and Karen L. Karavanic, "Performance Implications of System Management Mode," 2013 IEEE International Symposium on Workload Characterization, Sept. 22-24, Portland, OR USA.

Further reading

  • AMD Hammer BIOS and Kernel Developer's guide, Chapter 6
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.