- System Management Mode
System Management Mode (SMM) is an operating mode first released with the Intel 386SL and available in later
microprocessor s in thex86 architecture , in which all normal execution (including the operating system) is suspended, and special separate software (usuallyfirmware or a hardware-assisteddebugger ) is executed in high-privilege mode.Usage
Some uses of SMM are:
* primarily to handle system events like memory or chipset errors
* system safety functions, such as shutdown on high CPU temperature.
* power management operations, such as turning on fans.
* to emulate motherboard hardware that is unimplemented or buggy.
* to emulate a PS/2 mouse or keyboard from a USB one.
* system configuration, such as on Toshiba and IBM notebook computers
* To run high-privileged rootkits as shown at Black Hat 2008. [ [http://www.linuxworld.com.au/index.php?id=1048371291&rid=-50 Hackers find a new place to hide rootkits] ]Entering SMM
SMM is entered via the SMI (system management interrupt), which is caused by:
* motherboard hardware or chipset signaling via a designated pin of the processor chip. This signal can be an independent event
* SW SMI triggered by the system software via an I/O access to a location considered special by the motherboard logic (port 0B2h is common)
* an IO write to a location which the firmware has requested that the processor chip act onProblems
*By design, the OS cannot override or disable SMIs.
*Since the SMM code (SMI handler) is installed by the system firmware (BIOS ), the OS and the SMM code may have expectations about hardware settings that are incompatible, such as different ideas of how theAPIC should be set up.
*Operations in SMM take CPU time away from the OS, since the CPU state must be stored to memory (SMRAM) and any write back caches must be flushed. This can destroy real-time behavior and causeclock tick s to get lost. Windows/Linux define an SMI Timeout within which SMM Handlers should complete their job and return control back to OS normal operations. Otherwise the OS will crash.
*Adigital logic analyser may be required to determine if SMM is occurring.
*Recovering the SMI handler code to analyze it for bugs, vulnerabilities, and secrets requires a logic analyzer or dissassembly of the system firmware.
*SMI handling may cause unacceptable latencies in real-time systems.References
ee also
*
MediaGX processor which implements nonexistent hardware via SMM
*Intel 80486SL
*Extensible Firmware Interface External links
*Badness of SMM, [http://blogs.msdn.com/carmencr/archive/2005/08/31/458609.aspx part 1] and [http://blogs.msdn.com/carmencr/archive/2005/09/01/459194.aspx part 2]
* [http://www.intel.com/design/processor/manuals/253669.pdf Intel 32/64 Architectures Software Developer’s Manual Volume 3B: System Programming Guide, Part 2]
* [http://www.amd.com/us-en/assets/content_type/DownloadableAssets/dwamd_26049.pdf#6 AMD Hammer BIOS and Kernel Developer's guide] , Chapter 6
* [http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf An exploit against SMM based on OpenBSD]
* [http://www.pcworld.com/businesscenter/article/145703/ SMM based rootkit]
* [http://www.msuiche.net/2008/08/06/smm-rootkit-limitations-and-how-to-defeat-it/ SMM Rootkit limitations. (and how to defeat it)]
Wikimedia Foundation. 2010.
