切换到smm模式

tielian

intel cpu的smm模式没有直接的切换指令，它是通过芯片组产生smi中断来切换的，因此
需要查查阅相关的芯片组手册，via的芯片组手册在官方站上下不了，真后悔买了这种主板
，我在实验时找了一个440bx主板，cpu是celeron 400mhz，实验最大的收获是描述符
cache的获取:

intel手册上0x7f03 - 0x7f9f是保留区，实际上这里是描述符cache区，详细的smram
排列请看：
http://www.sandpile.org/ia32/smm.htm

切换到smm模式源码见附件，全部gas书写。欢迎讨论

tielian

其他cpu切换到smm的方法。

The only processors which support entering SMM directly (ie. without
using the chipset to assert SMI#) are some old AMD 80486 processors,
and many Cyrix processors.

On these AMD 80486s one could set DR7.bit12=1, and then execute F1h,
to enter SMM.

See http://www.sandpile.org/80x86/ia32/drx.shtml for DR7 details.

Many Cyrix parts support the SMINT instruction (0Fh,7Eh for any pre-
6x86MX, or 0Fh,38h for the 6x86MX), if certain conditions (see Cyrix
AP-107 for details) are met.

See http://www.sandpile.org/80x86/opcodes2.shtml for SMINT details.
See http://www.sandpile.org/80x86/ccr.shtml for Cyrix CCRs details.

As for SMBASE there are two methods of changing it. Usually you will
find an entry for it in the state save map. After entering SMM it is
possible to change this SMBASE entry. The P5-core processors require
a 32KB-aligned value, whereas the P6-core processors should take any
value. If an invalid value is used, then the processor will shutdown
on RSM, else it will load the internal SMBASE register with this new
value you specified in the state save map.

See http://www.sandpile.org/80x86/ia32/smm.shtml for SMM details.

The second method is to use RDSHR/WRSHR. These instructions can only
be found on Cyrix 6x86MX processors though.

See http://www.sandpile.org/80x86/opcodes2.shtml for RDMSR/WRMSR.

To summarize this:

1. There is no way to enter SMM via software, except for (a) making
use of chipset (South Bridge) programming, or (b) using a method
which will work only on "niche" processors.

2. The SMBASE register can only be changed via changing an entry in
the state save map, except for using instructions which will not
work on anything but a "niche" processor.

tielian

一篇好的文章
This is how it works:

During the boot process the BIOS places a temporary SMM handler at the
default location, 00038000h. This consists of the default SMBASE value
of 00030000h plus the default (fixed) SMM entry offset of 8000h.

This temporary SMM handler does nothing but placing a new SMBASE value
in the SMBASE field of the state save map, and then it RSMs. As a part
of the RSM this new SMBASE value gets loaded into the processor.

Then the BIOS places the final SMM handler at the final location. With
Intel chipsets that usually is 000A8000h, ie. it uses DRAM which would
have to be remapped otherwise, since it is "underneath" VRAM.

To ensure that this final SMM handler works fine, a BIOS usually would
assert SMI# once more.

Placing such a temporary SMM handler doesn't require anything special.
However, placing the final SMM handler does, since its memory is over-
lapping other memmory for most chipsets. The chipsets provide bits, so
that the programmer can select which memory is visible/accessed, and a
few chipsets even provide the ability to protect the SMM handler until
the next RESET, so that nobody can overwrite it.