System management mode (SMM) is an operating mode of a computing system in which normal execution (including operation of the operating system (OS)) is suspended, and special separate software (usually firmware or a hardware-assisted debugger, hereinafter referred to as “SMM code”) is executed in a high-privilege mode. Here, the SMM code is special code that, ideally, fully comprehends the complete hardware details of the particular computing system that it runs on.
Examples of possible SMM functions include: i) centralized system configuration (such as the dedicated configuration of a specific computer); ii) handling of system events like memory or chipset errors; iii) security functions, such as flash device lock down or the forwarding of calls to a Trusted Platform Module (TPM); iv) system safety management functions, such as computer shutdown upon detection of a high CPU temperature, turning fans on/off, etc.; and, v) power management functions such as deep sleep power management and management of voltage regulator modules.
Note that the awareness and reach of the SMM within a particular system are extensive. That is, typically, the SMM is permitted to have unrestricted access into any aspect of the computer that it runs on. A significant security risk, therefore, is that the SMM might be “hijacked” or otherwise compromised by some form of malware or unwanted code. If the security of the SMM were to be breached, the malware could potentially disrupt or infect normal system operation of any/all components within the system.
Typically, the SMM code is kept in a “highly privileged” region of memory. Part of the definition of the highly privileged and secure aspect of the SMM code is that no other code is permitted to access it within its special region of memory, nor is the SMM supposed to execute code that is stored outside the highly privileged region of memory. Thus, if malware is to attack the SMM, in all likelihood it will be a consequence of the SMM running code or at least making a call to code that is outside of the highly privileged region of memory. Upon this event, malware stored outside the protected region of memory can be incorporated into the operation of the SMM thereby compromising its security.
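The containment rule described above can be expressed as a check that every piece of code the SMM may run lies wholly inside the protected region. The following is an added example, not part of the original text; the structure names, function names, addresses and sizes are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical description of the protected region (values are constructed). */
typedef struct { uint64_t base, size; } smm_region_t;
/* Hypothetical handler record: entry address and length of its code. */
typedef struct { uint64_t entry, len; } smm_handler_t;

/* True only when [addr, addr+len) lies wholly inside the region.
 * Written with subtractions so that addr+len can never wrap around. */
bool smm_range_inside(const smm_region_t *r, uint64_t addr, uint64_t len)
{
    if (len == 0 || len > r->size || addr < r->base)
        return false;
    return (addr - r->base) <= (r->size - len);
}

/* Counts handlers that would take execution outside the region; stores the
 * index of the first such handler in *first_bad (n if there is none). */
size_t smm_audit_handlers(const smm_region_t *r, const smm_handler_t *t,
                          size_t n, size_t *first_bad)
{
    size_t bad = 0;
    *first_bad = n;
    for (size_t i = 0; i < n; i++)
        if (!smm_range_inside(r, t[i].entry, t[i].len) && bad++ == 0)
            *first_bad = i;
    return bad;
}

/* Constructed sample: an 8 MiB region and five handler records. */
const smm_region_t SAMPLE_REGION = { 0x7F000000ULL, 0x00800000ULL };
const smm_handler_t SAMPLE_TABLE[] = {
    { 0x7F001000ULL, 0x200 },          /* inside the region */
    { 0x7F7FFE00ULL, 0x200 },          /* ends exactly at the boundary */
    { 0x7F7FFF00ULL, 0x200 },          /* straddles the end of the region */
    { 0x00100000ULL, 0x100 },          /* ordinary, unprotected memory */
    { 0xFFFFFFFFFFFFFF00ULL, 0x200 },  /* addr+len would wrap past 2^64 */
};

int main(void)
{
    size_t first, n = sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0];
    size_t bad = smm_audit_handlers(&SAMPLE_REGION, SAMPLE_TABLE, n, &first);
    printf("%zu of %zu handlers rejected, first at index %zu\n", bad, n, first);
    return 0;
}
```

A handler that only partly overlaps the region is rejected along with one that lies entirely outside it, since either would let execution reach memory that other code can modify.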
Unfortunately, it is becoming more and more difficult to keep the SMM code within the confines of the protected region of memory. The difficulty stems not only from the increasing sophistication of the SMM code (as a function of increasingly complex hardware platforms and associated features), but also from the SMM's reliance on OEM code provided by the manufacturers of the different components that the system is composed of.
FIG. 1 shows a typical transition from normal operating mode into SMM mode. Upon the detection of an event 101 that is supposed to trigger the SMM code (such as a configuration event, a power management event, etc.), a processor will save its state 102. After the processor state is saved, SMM begins execution out of the protected region of memory 103.