x86 architecture
system management mode




 
processor state after SMM entry
 
register      selector            base                     limit          access rights
CS            SMBASE SHR 4 #1     SMBASE                   (FFF)F_FFFFh   8093h #2
SS            0000h               0000_0000h               (FFF)F_FFFFh   8093h
DS            0000h               0000_0000h               (FFF)F_FFFFh   8093h
ES            0000h               0000_0000h               (FFF)F_FFFFh   8093h
FS            0000h               0000_0000_0000_0000h     (FFF)F_FFFFh   8093h
GS            0000h               0000_0000_0000_0000h     (FFF)F_FFFFh   8093h

register             contents
RFLAGS               0000_0000_0000_0002h
RIP                  0000_0000_0000_8000h
CR0                  bits 0 (PE), 2 (EM), 3 (TS), and 31 (PG) cleared, rest unmodified
CR4                  0000_0000_0000_0000h
DR7                  0000_0000_0000_0400h
EFER                 0000_0000h
TEMP_DR6             0000_0000_0000_0000h
IN_REP               false
IN_SMM               true
IN_HLT               false
IN_SHUTDOWN          false
IN_FP_FREEZE         false
SUPPRESS_INTERRUPTS  false (both bits)
BLOCK_INIT           true
BLOCK_SMI            true
BLOCK_NMI            true
LATCH_INIT           true if INIT recognized together with SMI, else false
LATCH_SMI            false
LATCH_NMI            true if NMI recognized together with SMI, else false
FERR#                unmodified
A20M#                processor-specific

notes
#1 On pre-P6 processors the CS selector is loaded with 3000h.
#2 Like the data segments, CS is writeable too.

 
AMD64 SMM state save map
 
offset        contents          size      notes
FE00h         ES.sel            word
FE02h         ES.ar             word
FE04h         ES.lim            dword
FE08h         ES.bas            qword
FE10h         CS.sel            word
FE12h         CS.ar             word
FE14h         CS.lim            dword
FE18h         CS.bas            qword
FE20h         SS.sel            word
FE22h         SS.ar             word
FE24h         SS.lim            dword
FE28h         SS.bas            qword
FE30h         DS.sel            word
FE32h         DS.ar             word
FE34h         DS.lim            dword
FE38h         DS.bas            qword
FE40h         FS.sel            word
FE42h         FS.ar             word
FE44h         FS.lim            dword
FE48h         FS.bas            qword
FE50h         GS.sel            word
FE52h         GS.ar             word
FE54h         GS.lim            dword
FE58h         GS.bas            qword
FE60h         GDTR.sel          word      reserved
FE62h         GDTR.ar           word      reserved
FE64h         GDTR.lim          dword     upper 16 bits are reserved
FE68h         GDTR.bas          qword
FE70h         LDTR.sel          word
FE72h         LDTR.ar           word
FE74h         LDTR.lim          dword
FE78h         LDTR.bas          qword
FE80h         IDTR.sel          word      reserved
FE82h         IDTR.ar           word      reserved
FE84h         IDTR.lim          dword     upper 16 bits are reserved
FE88h         IDTR.bas          qword
FE90h         TR.sel            word
FE92h         TR.ar             word
FE94h         TR.lim            dword
FE98h         TR.bas            qword
FEA0h         IO_RESTART_RIP    qword
FEA8h         IO_RESTART_RCX    qword
FEB0h         IO_RESTART_RSI    qword
FEB8h         IO_RESTART_RDI    qword
FEC0h         IO_RESTART_INFO   dword
FEC4...FEC7h  reserved          4 bytes
FEC8h         IO_RESTART        byte      00h=no, 01h=yes
FEC9h         HLT_RESTART       byte      00h=no, FFh=yes
FECAh         BLOCK_NMI         byte      00h=no, 01h=yes
FECBh         CPL               byte      0...3
FECC...FECFh  reserved          4 bytes
FED0h         EFER              qword
FED8h         reserved          qword     ideally: PDPTR0 -- AMD: SVM state
FEE0h         reserved          qword     ideally: PDPTR1 -- AMD: SVM guest VMCB PA
FEE8h         reserved          qword     ideally: PDPTR2 -- AMD: SVM guest virtual interrupt
FEF0h         reserved          qword     ideally: PDPTR3
FEF8h         reserved          dword     ideally: TEMP_DR6
FEFCh         REVISION          dword     0003_xx64h; same offset as in the traditional x86 state save maps
FF00h         SMBASE            dword
FF04...FF17h  reserved          20 bytes
FF18h         SSP               qword
FF20h         reserved          qword     AMD: SVM guest PAT
FF28h         reserved          qword     AMD: SVM host EFER
FF30h         reserved          qword     AMD: SVM host CR4
FF38h         reserved          qword     AMD: SVM host CR3
FF40h         reserved          qword     AMD: SVM host CR0
FF48h         CR4               qword
FF50h         CR3               qword
FF58h         CR0               qword
FF60h         DR7               qword
FF68h         DR6               qword
FF70h         RFLAGS            qword
FF78h         RIP               qword
FF80h         R15               qword
FF88h         R14               qword
FF90h         R13               qword
FF98h         R12               qword
FFA0h         R11               qword
FFA8h         R10               qword
FFB0h         R9                qword
FFB8h         R8                qword
FFC0h         RDI or R7         qword
FFC8h         RSI or R6         qword
FFD0h         RBP or R5         qword
FFD8h         RSP or R4         qword
FFE0h         RBX or R3         qword
FFE8h         RDX or R2         qword
FFF0h         RCX or R1         qword
FFF8h         RAX or R0         qword
note          From an architectural standpoint, PDPTR0...3 and TEMP_DR6 must also be part of the state save map.

 
traditional Intel P4 processor SMM state save map
 
offset        contents          size       notes
7E00...7EC3h  reserved          196 bytes
7EC4h         CR3               dword      copy dumped for unknown purposes
7EC8h         PDPTR0            qword
7ED0h         PDPTR1            qword
7ED8h         PDPTR2            qword
7EE0h         PDPTR3            qword
7EE8h         ???               dword      0000_0001h
7EECh         ???               byte       12h
7EEDh         reserved          byte
7EEEh         reserved          byte
7EEFh         reserved          byte
7EF0h         CR4               dword
7EF4h         ???               dword      0000_0000h
7EF8h         SMBASE            dword
7EFCh         REVISION          dword      0003_0003h or 0003_0004h
7F00h         IO_RESTART        word
7F02h         HLT_RESTART       word
7F04h         ES.bas            dword
7F08h         ES.ar             dword      shifted left by one, bit0=1 indicates NULL
7F0Ch         ES.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F10h         CS.bas            dword
7F14h         CS.ar             dword      shifted left by one, bit0=1 indicates NULL
7F18h         CS.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F1Ch         SS.bas            dword
7F20h         SS.ar             dword      shifted left by one, bit0=1 indicates NULL
7F24h         SS.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F28h         DS.bas            dword
7F2Ch         DS.ar             dword      shifted left by one, bit0=1 indicates NULL
7F30h         DS.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F34h         FS.bas            dword
7F38h         FS.ar             dword      shifted left by one, bit0=1 indicates NULL
7F3Ch         FS.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F40h         GS.bas            dword
7F44h         GS.ar             dword      shifted left by one, bit0=1 indicates NULL
7F48h         GS.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F4Ch         GDTR.bas          dword
7F50h         GDTR.lim          dword
7F54h         IDTR.bas          dword
7F58h         IDTR.lim          dword
7F5Ch         LDTR.bas          dword
7F60h         LDTR.lim          dword      000x_xxxxh only, with bits 19...16 also in ar
7F64h         LDTR.ar           word       has no G bit
7F66h         ???               word       0002h
7F68h         EFLAGS            dword      copy dumped for unknown purposes
7F6Ch         TR.bas            dword
7F70h         TR.ar             dword      shifted left by one, bit0=1 indicates NULL
7F74h         TR.lim            dword      000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar
7F78h         IO_RESTART_EDI    dword
7F7Ch         IO_RESTART_EIP    dword
7F80h         IO_RESTART_ECX    dword
7F84h         IO_RESTART_ESI    dword
7F88h         ???               dword      0013_0000h
7F8Ch         ???               byte       00h
7F8Dh         A20M              byte       00h if A20M=flat, 30h if A20M=wrap
7F8Eh         ???               byte       FEh
7F8Fh         ???               byte       01h
7F90h         ???               dword      0000_0C00h
7F94h         ???               dword      03A4_FFB0h
7F98h         ???               dword      0000_0000h
7F9Ch         ???               dword      0008_4000h
7FA0h         IO_MEM_ADDR       dword      if rev=0004h
7FA4h         IO_MISC_INFO      dword      if rev=0004h
7FA8h         ES.sel            dword
7FACh         CS.sel            dword
7FB0h         SS.sel            dword
7FB4h         DS.sel            dword
7FB8h         FS.sel            dword
7FBCh         GS.sel            dword
7FC0h         LDTR.sel          dword
7FC4h         TR.sel            dword
7FC8h         DR7               dword
7FCCh         DR6               dword
7FD0h         EAX               dword
7FD4h         ECX               dword
7FD8h         EDX               dword
7FDCh         EBX               dword
7FE0h         ESP               dword
7FE4h         EBP               dword
7FE8h         ESI               dword
7FECh         EDI               dword
7FF0h         EIP               dword
7FF4h         EFLAGS            dword
7FF8h         CR3               dword
7FFCh         CR0               dword

 
traditional Intel/AMD processor SMM state save map
 
offset        Intel P5            Intel P6            AMD K5              AMD K6
7E00...7EF7h  reserved            reserved            reserved            reserved
7EF8h         SMBASE              SMBASE              SMBASE              SMBASE
7EFCh         rev ID              rev ID              rev ID              rev ID
7F00h         I/O restart         I/O restart         I/O restart         I/O restart
7F02h         HLT restart         HLT restart         HLT restart         HLT restart
7F04h         I/O restart EDI     I/O restart EDI     I/O restart EDI     I/O restart EDI
7F08h         I/O restart ECX     I/O restart ECX     I/O restart ECX     I/O restart ECX
7F0Ch         I/O restart ESI     I/O restart ESI     I/O restart ESI     I/O restart ESI
7F10h         I/O restart EIP     I/O restart EIP     CR4                 CR4
7F14h         reserved            CR4                 CR2                 CR2
7F18h         reserved            A20M#               reserved            reserved
7F1Ah                             reserved
7F1Bh                             ???
7F1Ch                             reserved
7F1Eh                             SMM_status
7F20h                             CPL
7F21h                             reserved
7F23h                             shutdown
7F24h         alternative DR6     alternative DR6     ES limit            ES limit
7F26h         RSM control         RSM control
7F28h         CR4                 sreg_status0        ES base             ES base
7F2Ch         reserved            DS selector         ES access rights    ES access rights
7F2Eh                             DS access rights
7F30h         ES limit            DS limit            CS limit            CS limit
7F34h         ES base             DS base             CS base             CS base
7F38h         ES access rights    FS selector         CS access rights    CS access rights
7F3Ah                             FS access rights
7F3Ch         CS limit            FS limit            SS limit            SS limit
7F40h         CS base             FS base             SS base             SS base
7F44h         CS access rights    GS selector         SS access rights    SS access rights
7F46h                             GS access rights
7F48h         SS limit            GS limit            DS limit            DS limit
7F4Ch         SS base             GS base             DS base             DS base
7F50h         SS access rights    IDTR selector       DS access rights    DS access rights
7F52h                             IDTR access rights
7F54h         DS limit            IDTR limit          FS limit            FS limit
7F58h         DS base             IDTR base           FS base             FS base
7F5Ch         DS access rights    TR selector         FS access rights    FS access rights
7F5Eh                             TR access rights
7F60h         FS limit            TR limit            GS limit            GS limit
7F64h         FS base             TR base             GS base             GS base
7F68h         FS access rights    sreg_status1        GS access rights    GS access rights
7F6Ch         GS limit            GDTR selector       LDTR limit          LDTR high
7F6Eh                             GDTR access rights
7F70h         GS base             GDTR limit          LDTR base           LDTR low
7F74h         GS access rights    GDTR base           LDTR access rights  reserved
7F78h         LDTR limit          LDTR selector       TR limit            TR limit
7F7Ah                             LDTR access rights
7F7Ch         LDTR base           LDTR limit          TR base             TR base
7F80h         LDTR access rights  LDTR base           TR access rights    TR access rights
7F84h         GDTR limit          ES selector         GDTR limit          GDTR limit
7F86h                             ES access rights
7F88h         GDTR base           ES limit            GDTR base           GDTR base
7F8Ch         GDTR access rights  ES base             IDTR limit          IDTR limit
7F90h         IDTR limit          CS selector         IDTR base           IDTR base
7F92h                             CS access rights
7F94h         IDTR base           CS limit            reserved            reserved
7F98h         IDTR access rights  CS base             reserved            reserved
7F9Ch         TR limit            SS selector         I/O restart EIP     I/O restart EIP
7F9Eh                             SS access rights
7FA0h         TR base             SS limit            reserved            reserved
7FA4h         TR access rights    SS base             I/O restart DWORD   I/O restart DWORD
7FA8h         ES                  ES                  ES                  ES
7FACh         CS                  CS                  CS                  CS
7FB0h         SS                  SS                  SS                  SS
7FB4h         DS                  DS                  DS                  DS
7FB8h         FS                  FS                  FS                  FS
7FBCh         GS                  GS                  GS                  GS
7FC0h         LDTR                LDTR                LDTR                LDTR
7FC4h         TR                  TR                  TR                  TR
7FC8h         DR7                 DR7                 DR7                 DR7
7FCCh         DR6                 DR6                 DR6                 DR6
7FD0h         EAX                 EAX                 EAX                 EAX
7FD4h         ECX                 ECX                 ECX                 ECX
7FD8h         EDX                 EDX                 EDX                 EDX
7FDCh         EBX                 EBX                 EBX                 EBX
7FE0h         ESP                 ESP                 ESP                 ESP
7FE4h         EBP                 EBP                 EBP                 EBP
7FE8h         ESI                 ESI                 ESI                 ESI
7FECh         EDI                 EDI                 EDI                 EDI
7FF0h         EIP                 EIP                 EIP                 EIP
7FF4h         EFLAGS              EFLAGS              EFLAGS              EFLAGS
7FF8h         CR3                 CR3                 CR3                 CR3
7FFCh         CR0                 CR0                 CR0                 CR0
note          An empty cell means the offset lies inside the field listed in the row above for that column.



 
Cyrix pre-M2 processor SMM state save map
 
offset  contents (bit 31 at the left down to bit 0 at the right; "|" separates bit fields, high bits first)
-30h    ESI or EDI
-2Ch    I/O write data
-28h    I/O write data size | I/O write port address
-24h    reserved | H | S | P | I | r.
-20h    CS descriptor (bit31...0)
-1Ch    CS descriptor (bit63...32)
-18h    reserved | CPL | reserved | CS selector
-14h    next EIP
-10h    current EIP
-0Ch    CR0
-08h    EFLAGS
-04h    DR7

 
Cyrix M2 processor SMM state save map
 
offset  contents (bit 31 at the left down to bit 0 at the right; "|" separates bit fields, high bits first)
-30h    ESI or EDI
-2Ch    I/O write data
-28h    I/O write data size | I/O write port address
-24h    reserved | CPL | reserved | N | r. | IS | reserved | H | S | P | I | C
-20h    CS descriptor (bit31...0)
-1Ch    CS descriptor (bit63...32)
-18h    reserved | CS selector
-14h    next EIP
-10h    current EIP
-0Ch    CR0
-08h    EFLAGS
-04h    DR7




© 1996-2024 by Christian Ludloff. All rights reserved. Use at your own risk.