System Management Mode deep dive: How SMM isolation hardens the platform

To ensure that the platform’s powerful security features, such as Hypervisor Protected Code Integrity (HVCI) and Windows Defender Credential Guard, work as intended, it is critical that the platform’s firmware is good and reliable. Windows 10 achieves this by using the Hardware Trust Root, which ensures that unauthorized code such as the Unified Extensible Firmware Interface (UEFI) cannot take root before the Windows bootloader starts.

The key to protecting the hypervisor and thus the rest of the operating system from these low-level threats is System Management Mode (SMM), an execution mode in x86 processors that runs with higher effective permissions than the hypervisor. With traditionally unlimited access to memory and device resources, SMM is a well-known attack vector for accessing the operating system and devices. MMS is particularly vulnerable to threats such as complex surrogate attacks, where one malicious code defrauds another with higher privileges to perform certain actions. It is possible to have perfect code in SMM and still be influenced by behavior such as jumping into secure kernel code.

Sometimes referred to as ring -2, SMM is used by OEMs to interact with hardware such as NV RAM, mimic hardware functionality, manage hardware interruptions or errors, and perform other functions. SMM functions as an interrupt handler, triggered by timers or accessing specific memory sources, registers or devices. OEM drivers and firmware services can explicitly prevent the MMS from controlling certain hardware functions.

In order to stop complex attacks that want to take control of the system via the MMS, the operating system must have control or supervision of the behaviour of the MMS. As part of Secured-core PC and System Guard, Intel and AMD have developed mechanisms to isolate the MMS from the operating system, allowing control and reporting of what the MMS is accessible.

SMM insulation

SMM insulation is made in three parts: OEMs have a policy that specifies what they should have access to; the chip manufacturer applies this policy to SMIs; and the chip manufacturer reports compliance to the operating system.

The OEM’s policy is to provide a list with a detailed description of the resources to which PMI managers should have access. This policy is confirmed and implemented through a specific enforcement mechanism for chip manufacturers, which is explained in more detail below. The operating system has no control over this policy; it is simply a guaranteed implementation of the declared policy.

The implementation of the Trusted Computing Base (Tcb), which is introduced in the Windows Dynamic Root of Trust (DRTM) implementation, will receive a forced policy from the chip manufacturer’s reporting mechanism. Since access to resources is platform-specific, Tcb Launch compares the OEM’s SMM access policy with different levels of Windows SMM isolation requirements to determine the level of isolation. The level of insulation achieved by the OEM policy is measured for certification and communicated to the control system.

The degree of segregation is to increase the limitations on what OCs can achieve and the ability to ensure compliance with system requirements. An example of an isolation requirement is that the PMI may not be able to access the operating system memory. In addition, these requirements may impose restrictions on the following means:

  1. Locking the SMM Page Configuration
  2. Tables of static pages
  3. Access to the Model Specific Register (MSR)
  4. Access to the IO port
  5. Save processor status Access

To ensure a consistent security promise to customers using Secured Core PCs, DRTM measures are closed and local and external certifications are not achieved if minimum requirements are not met. SMM isolation is associated with DRTM because without DRTM, the control system cannot trust anything evaluated by the boat environment because it is not protected against SMM influences. The IMS is interrupted during the DRTM so that the new trust root defined by the DRTM can assess the security of the MMS access policy.

Windows not only uses these security tools to protect local secrets, but certification tools can also use this information remotely to determine the security location of a particular device. This evaluation report can be used to prevent access to important network files, e.g. when a certain combination of functions is missing.

AMD solution (SMM monitor)

During the start-up phase of the UEFI, the SMM Supervisor is assigned as the UEFI driver. This driver is signed by AMD and verified by the Platform Security Processor (PSP) when the DRTM is launched. If authentication fails, the DRTM will fail. (It is also PSP protected against reverse firmware).

The SMM Supervisor takes care of and initializes the SMI input routine (the first block of code that is executed after starting the SMI). This procedure is also signed by the MDA and certified by the PSP when the DRTM is introduced. In the DRTM event, the PSP also checks if the SMI input on this authenticated block is configured correctly. The failure of this authentication also causes the DRTM to fail.

The SMM Supervisor marks critical pages, including the SMM Supervisor code block, internal data, the page table itself, the exception handler, and the processor tracks the status of Supervisor pages only accessible from the current preference level 0 (CPL0, highest privilege level).

Immediately after starting up the SMI, the SMI input routine will disconnect the system to run under PLC3 (least privileged level) before running third-party SMI drivers. From CPL3, MSR, IO and supervisor page access, critical registry changes such as CR3 and privileged instructions such as hlt and cli all end with a general security flaw imposed by the CPU hardware.

To ensure that PLC3 PMI managers have access to privileged data and recordings, the SMM Supervisor provides a SysCall interface for external PMI managers to make such requests. The back end of the syscall interface, which is located in the SMM Supervisor, is controlled by the SMM security policy. This policy is a revocation list that can be configured for each platform to determine which MSR, IO or memory areas are accessible from PLC3. The SMM security policy is reported and verified by the operating system security charger during the DRTM event.

IntelHardware Display

Intel® Hardware Shield, part of the Intel vPro® platform, uses CPU hardware and firmware to enforce access policies to the SMM platform. Gradually, these capabilities are being developed using new CPU hardware capabilities combined with existing CPU capabilities to enhance relevant micro-architectural flows and provide new registry locks to support appropriate firmware hardening*.

  • The Intel vPro® platform with Intel® Core™ vPro® 8th generation processors The 3rd generation has implemented firmware hardening and support for hardware-closed static page tables to reduce SMM storage rights and lock storage configuration. One of those new locks: CR3 lock, MSEG lock, SMBASE lock, etc.
  • The Intel vPro platform with 9th generation Intel Core vPro processors The 3rd generation has added an Intel Signed SMM module that allows the SMM memory configuration to be certified by Intel® Trusted Execution Technology (Intel® TXT), part of the Intel® Hardware Shield, via PCR17. The module first checks the integrity of the hardened SMM code used to enforce the SMM access policy. It then reports this, together with the details of the policy, to the ES. This allows the operating system to check the reliability of the MMS and evaluate the access policy to the MMS platform without the intervention of PMI managers.
  • The 10th Generation Intel Core vPro Platform The SMM PLC0 Generation has enhanced the verified SMM PLC0 components to enable privilege sharing with PMI managers, extending policy enforcement for MSRs, I/O ports and maintaining PSM status (access policies may vary from platform to platform). The reporting mechanism has been extended to cover these possibilities.

*No product or part can be absolutely safe on its own.

Secure PCs offer customers the easiest way to achieve safe launch and SMM protection

The activation of SMM protection and the safe launch of System Guard can be achieved with the following support:

  • Intel, AMD or ARM Virtualization Extensions
  • Trusted Platform Module (TPM) 2.0
  • Intelligence: TXT support in the BIOS
  • For Dram: The SKINIT package must be embedded in a Windows system image.
  • At Qualcomm: Complementary to the DRTM TrustZone application and supports SMC memory protection
  • DMA core protection (more details)

Here you can find more information about the configuration and requirements. Virtualization-based security is supported on secure kernel PCs and hardware-based security features, such as System Guard Secure Launch with SMM protection, are enabled by default. Customers don’t have to worry about implementing the right functionality as Secured Core PCs come with the right OEM configurations, giving them easy access to the most secure Windows 10 systems. Read more about the Secured Core line of PCs available today.

Related Tags:

system management interrupt,global smi lock bios,osdev system management mode,system management mode protection,smm stands for in computer,rsm instruction