System management mode

from Wikipedia, the free encyclopedia

System Management Mode (SMM) is an execution mode of processors of the x86 architecture. It was introduced with the Intel386 SL and is intended for hardware control, energy management and manufacturer-specific applications. The firmware executed in SMM interrupts the operating system and the running applications in a way that is transparent to them.

Characteristics

The transition from Protected Mode, Virtual 8086 Mode or Real Mode to SMM always takes place via an external, non-maskable System Management Interrupt (SMI). It is, however, possible for software to trigger this interrupt indirectly, by a program making certain privileged port accesses. The processor context is saved, and is restored with the RSM instruction when SMM ends.

Within SMM, all I/O and system instructions can be used, as with high privileges. SMM uses its own addressing mode, called SMRAM. Nevertheless, the entire physical memory can be accessed.

Interrupts are blocked in SMM, so they can only be processed after SMM has exited. In particular, nested execution of SMM cannot happen, because an SMI cannot occur during execution in SMM.

Problems

Security

Since the execution in the SMM is not visible to the operating system and the running applications (such as virus scanners), the SMM is a desirable operating mode for malware.

Real time

Execution in SMM can cause latencies in the millisecond range on x86 real-time systems. Two aspects make a violation of the real-time bounds possible:

  1. Interrupts cannot be responded to during execution in the SMM.
  2. The execution time is withdrawn from the real-time system.

Under Linux there is a kernel module that detects execution in SMM by the time "stolen" from the operating system.
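The stolen-time idea can be illustrated from user space. The following is an added example, not the kernel module mentioned above and not code from the article: it reads a monotonic clock in a tight loop and reports gaps between consecutive reads that exceed a threshold. The names scan_gaps, SAMPLES and THRESHOLD_NS and the sample trace are constructed for illustration; in user space, scheduler preemption and ordinary interrupts also produce gaps, so a large gap indicates lost time but does not prove SMM execution.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for clock_gettime() */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define SAMPLES 1000000u          /* constructed choice: number of back-to-back clock reads */
#define THRESHOLD_NS 100000u      /* constructed choice: report gaps of 100 us or more */

struct gap_stats { uint64_t max_ns; size_t over; };

/* Scan consecutive timestamps. A gap far above the usual read-to-read
 * spacing is time during which the sampling loop was not executing. */
struct gap_stats scan_gaps(const uint64_t *t, size_t n, uint64_t threshold_ns)
{
    struct gap_stats s = {0, 0};
    for (size_t i = 1; i < n; i++) {
        uint64_t d = t[i] - t[i - 1];
        if (d > s.max_ns) s.max_ns = d;
        if (d >= threshold_ns) s.over++;
    }
    return s;
}

static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

int main(void)
{
    /* Constructed trace: 100 ns spacing with two injected stalls (2 ms and 1.5 ms). */
    const uint64_t demo[] = {0, 100, 200, 300, 2000300, 2000400, 2000500, 3500500};
    struct gap_stats d = scan_gaps(demo, sizeof demo / sizeof demo[0], 1000000);
    printf("constructed trace: max gap %llu ns, %zu gaps >= 1 ms\n",
           (unsigned long long)d.max_ns, d.over);

    static uint64_t t[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++)   /* live measurement: tight sampling loop */
        t[i] = now_ns();
    struct gap_stats s = scan_gaps(t, SAMPLES, THRESHOLD_NS);
    printf("live: max gap %llu ns, %zu gaps >= %u ns\n",
           (unsigned long long)s.max_ns, s.over, THRESHOLD_NS);
    return 0;
}
```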
