x86 System Management Mode
System Management Mode (SMM) is a special processor mode used by firmware for low-level platform control such as power management, thermal control, flash protection, hardware emulation and OEM-specific logic. The processor enters SMM after receiving a System Management Interrupt (SMI).
SMM executes from a protected memory region called SMRAM. Normal software cannot access SMRAM while the processor is outside SMM.
SMIs are generated by chipset/platform logic. Common sources include:
- ACPI and power-management events
- thermal alarms
- watchdog timers
- GPIO events
- SPI flash protection events
- software-triggered IO port accesses
Software SMIs are commonly generated through writes to ports such as:
out 0xB2, al
The chipset monitors IO cycles and generates an SMI when configured ports are accessed. The written value is typically interpreted as an SMM command number. Some systems also use port 0xB3 for parameters.
When the processor accepts an SMI:
- execution is synchronized
- interrupts are blocked
- processor state is automatically saved into SMRAM
- processor enters SMM state
- execution begins at the SMM entry vector
Saved state includes:
- general registers
- RIP/EIP
- RFLAGS
- segment registers
- control registers
- descriptor tables
- debug registers
- EFER and paging state
Each CPU core has its own save-state area and typically its own SMRAM region.
SMBASE defines the base address used for SMM entry. Historically the default value is 0x30000.
Execution starts at SMBASE + 0x8000.
The CPU save-state area is located near SMBASE + 0xFE00.
Firmware commonly relocates SMBASE during boot.
SMRAM is implemented through chipset-controlled physical address remapping.
The chipset checks:
- accessed physical address
- SMRAM configuration bits
- current CPU SMM state
When the CPU is outside SMM, accesses to the SMRAM range are blocked or redirected. When the CPU enters SMM, the chipset changes memory decode behavior so the same physical address range resolves to hidden SMRAM storage.
Historically this was often implemented using the A-segment area (0xA0000-0xBFFFF).
Modern systems usually place SMRAM inside TSEG near the top of physical DRAM.
Typical chipset control bits include:
- D_OPEN
- D_CLS
- D_LCK
D_OPEN temporarily exposes SMRAM outside SMM. D_LCK locks SMRAM configuration until reset.
SMM handlers typically:
- switch stacks
- parse save-state data
- dispatch firmware handlers
- access chipset registers
- emulate hardware behavior
- modify saved CPU state if needed
The save-state area is writable by SMM code, allowing firmware to modify execution state before returning.
SMM exits through the RSM instruction.
RSM restores:
- instruction pointer
- registers
- control registers
- paging state
- long mode state
- interrupt state
Execution resumes exactly where the SMI interrupted normal execution.
When SMM exits, the chipset hides SMRAM again.
Modern systems protect SMRAM using:
- TSEG isolation
- SMRR range protection
- locked chipset configuration
- DMA restrictions through IOMMU
Firmware usually locks SMRAM configuration before transferring control to the operating system.
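As an added example (not code from the page), the chipset decode rules and control bits described above, together with the SMRR/lock checks from the protection list, modelled in Python. The bit positions of D_OPEN/D_CLS/D_LCK, the G_SMRAME enable bit, the VGA fallback decode of the A-segment, the lock semantics and the SMRR mask test are assumptions taken from the common Intel 82xxx/ICH layout and public SMRR documentation; verify them against the datasheet for your chipset.

```python
# Assumed SMRAMC bit layout (common Intel 82xxx/ICH layout; not from the page).
D_OPEN   = 1 << 6   # expose SMRAM to accesses made outside SMM
D_CLS    = 1 << 5   # inside SMM, data accesses to the range go to the non-SMRAM (VGA) decode
D_LCK    = 1 << 4   # lock: only a reset clears it
G_SMRAME = 1 << 3   # enable the legacy A-segment SMRAM window (assumed name)
A_SEG_LO, A_SEG_HI = 0xA0000, 0xBFFFF
SMRR_VALID = 1 << 11   # valid bit in IA32_SMRR_PHYSMASK (MSR 0x1F3), assumed from public docs

def write_smramc(current: int, new: int) -> int:
    """Model a write to SMRAMC: once D_LCK is set, D_OPEN/G_SMRAME/D_LCK are read-only
    and setting D_LCK forces D_OPEN to 0 (modelled datasheet behaviour, an assumption)."""
    if current & D_LCK:
        return (current & ~D_CLS) | (new & D_CLS)   # only D_CLS stays writable
    value = new & 0xFF
    if value & D_LCK:
        value &= ~D_OPEN                            # setting the lock closes SMRAM
    return value

def decode_access(addr: int, smramc: int, in_smm: bool, code_fetch: bool) -> str:
    """Where a CPU access resolves: 'smram', 'vga' (the non-SMRAM decode) or 'dram'."""
    if not (A_SEG_LO <= addr <= A_SEG_HI) or not (smramc & G_SMRAME):
        return "dram"                               # outside the window: normal decode
    if in_smm:
        return "vga" if (smramc & D_CLS) and not code_fetch else "smram"
    return "smram" if smramc & D_OPEN else "vga"    # outside SMM only D_OPEN exposes it

def smram_config_locked(smramc: int) -> bool:
    """State firmware should reach before handing over to the OS: enabled, closed, locked."""
    return bool(smramc & G_SMRAME) and bool(smramc & D_LCK) and not (smramc & D_OPEN)

def smrr_covers(physbase_msr: int, physmask_msr: int, tseg_base: int, tseg_size: int) -> bool:
    """True if the SMRR is valid and covers all of TSEG (32-bit addresses in this example).
    The in-range test is the CPU's own: (addr & mask) == (base & mask)."""
    if not physmask_msr & SMRR_VALID:
        return False
    mask = physmask_msr & 0xFFFFF000
    base = physbase_msr & 0xFFFFF000
    first, last = tseg_base, tseg_base + tseg_size - 1
    return (first & mask) == (base & mask) and (last & mask) == (base & mask)

def boot_time_checks(smramc: int, physbase_msr: int, physmask_msr: int,
                     tseg_base: int, tseg_size: int) -> list:
    """Collect the findings a platform security test would report."""
    findings = []
    if not smram_config_locked(smramc):
        findings.append("SMRAM not locked/closed (D_LCK clear or D_OPEN set)")
    if not smrr_covers(physbase_msr, physmask_msr, tseg_base, tseg_size):
        findings.append("SMRR invalid or does not cover TSEG")
    return findings
```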
For Pentium M 6D8 (offsets from SMBASE+0xFFFC = TMP2):

| Data off | uCode rel Offset | Size (bits) | Content saved |
|---|---|---|---|
| | −0x104 (via CONSTROM2.1F5) | 32 | Some flag from CONST.0E.061 (bit0<<11) |
| | +0x6 (CONST.6) | 32 | TMP0 (pre-save EFLAGS variant) |
| | +0x1FC | 32 | CR3 |
| | +0x1F8 | 32 | EFLAGS (TMP1) |
| | +0x1F4 | 32 | EIP |
| | +0x1F0 | 32 | EDI |
| | +0x1EC | 32 | ESI |
| | +0x1E8 | 32 | EBP |
| | +0x1E4 | 32 | ESP |
| | +0x1E0 | 32 | EBX |
| | +0x1DC | 32 | EDX |
| | +0x1D8 | 32 | ECX |
| 7FD0 | +0x1D4 | 32 | EAX |
| | +0x1D0 | 32 | DR6 |
| | +0x1CC | 32 | DR7 (= TMPE) |
| | +0x1C8 | 32 | TR (task register descriptor word) |
| | +0x1C4 | 32 | LDTR |
| | +0x1C0 | 32 | GS |
| | +0x1BC | 32 | FS |
| | +0x1B8 | 32 | DS |
| | +0x1B4 | 32 | SS |
| | +0x1B0 | 32 | CS |
| | +0x1AC | 32 | ES |
| | +0x118 | 32 | SystemFlags (internal EFLAGS copy = TMPC) |
| | +0x144..+0x160 | 8×32 | Internal descriptor CREGs (GDTR/IDTR/etc, SC4 stride) |
| | +0x128 | 32 | ALTDR6 (alternate debug DR6 value) |
| | +0x114 | 32 | CR_SCP14 |
| | +0x110 | 32 | TMP5 (saved SMBASE for nested SMM?) |
| | +0x10C | 32 | TMP7 (saved EFER?) |
| | +0x100 | 32 | SMREVID (SMM revision identifier) |
| | +0x11F | 8 | Some status byte (TMP8, 1-byte) |
| | +0x104 | 16 | Zero (auto-halt restart word, initialized to 0) |
| | 0xFEF8−0xFEFC | 32×2 | SMBASE + nested-SMM SMBASE |
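As an added example (not code from the page or from any firmware), the handler steps listed earlier (parse the save-state data, act on it, modify the saved CPU state before RSM) over a constructed 64 KiB SMRAM image, using the legacy 32-bit save-state layout. Only the EAX data offset 7FD0 is on the page; the other data offsets are derived assuming data offset = uCode rel offset + 0x7DFC, the relation the EAX row gives, and the "buffer lies outside SMRAM" test is the standard defensive check a handler applies before touching caller-supplied memory.

```python
import struct

SMBASE = 0x30000          # historical default SMBASE (from the page)
SMRAM_SIZE = 0x10000      # 64 KiB legacy SMRAM window (assumption)
SAVE_BASE = 0x8000        # data offsets below are relative to SMBASE + 0x8000

# 32-bit legacy save-state map. EAX at 7FD0 is on the page; the other offsets are
# derived assuming data_off = uCode_rel_offset + 0x7DFC, the relation the EAX row gives.
SAVE_STATE = {
    "CR3": 0x7FF8, "EFLAGS": 0x7FF4, "EIP": 0x7FF0, "EDI": 0x7FEC, "ESI": 0x7FE8,
    "EBP": 0x7FE4, "ESP": 0x7FE0, "EBX": 0x7FDC, "EDX": 0x7FD8, "ECX": 0x7FD4,
    "EAX": 0x7FD0, "SMREVID": 0x7EFC, "SMBASE": 0x7EF8,
}

def read_save_state(smram: bytes) -> dict:
    """Parse the save-state area of a raw SMRAM image into {register: value}."""
    return {name: struct.unpack_from("<I", smram, SAVE_BASE + off)[0]
            for name, off in SAVE_STATE.items()}

def write_save_state(smram: bytearray, name: str, value: int) -> None:
    """Modify a saved register; RSM restores this value into the interrupted context."""
    struct.pack_into("<I", smram, SAVE_BASE + SAVE_STATE[name], value & 0xFFFFFFFF)

def buffer_outside_smram(addr: int, length: int, smbase: int = SMBASE,
                         size: int = SMRAM_SIZE) -> bool:
    """A caller-supplied buffer is usable only if it lies entirely outside SMRAM.
    (In C, also reject addr + length wrapping around.)"""
    if length <= 0 or addr < 0:
        return False
    end = addr + length                       # exclusive end
    return end <= smbase or addr >= smbase + size

def handle_software_smi(smram: bytearray) -> int:
    """Toy handler for a software SMI: EBX = caller buffer, ECX = its length (assumed ABI).
    Rejects buffers that overlap SMRAM and reports the status through saved EAX."""
    st = read_save_state(smram)
    status = 0 if buffer_outside_smram(st["EBX"], st["ECX"]) else 0xFFFFFFFF
    write_save_state(smram, "EAX", status)    # visible to the caller after RSM
    return status

def make_sample_smram(ebx: int, ecx: int) -> bytearray:
    """Constructed SMRAM image with a plausible save state (not a real capture)."""
    img = bytearray(SMRAM_SIZE)
    regs = {"EIP": 0x401000, "EFLAGS": 0x202, "CR3": 0x1000, "EAX": 0xB2,
            "EBX": ebx, "ECX": ecx, "SMREVID": 0x30100, "SMBASE": SMBASE}
    for name, val in regs.items():
        write_save_state(img, name, val)
    return img
```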
The author is not affiliated with, endorsed by, or sponsored by Intel Corporation or its affiliates. All trademarks, including but not limited to Intel, Pentium, and any other registered or unregistered marks mentioned herein, are the property of their respective owners. Their use in this context is solely for descriptive and informational purposes and constitutes nominative fair use under applicable trademark laws.