system management mode
| processor state after SMM entry |
||||
| register | contents | |||
| selector | base | limit | access rights | |
| CS | SMBASE SHR 4 #1 | SMBASE | (FFF)F_FFFFh | 8093h #2 |
| SS | 0000h | 0000_0000h | (FFF)F_FFFFh | 8093h |
| DS | 0000h | 0000_0000h | (FFF)F_FFFFh | 8093h |
| ES | 0000h | 0000_0000h | (FFF)F_FFFFh | 8093h |
| FS | 0000h | 0000_0000_0000_0000h | (FFF)F_FFFFh | 8093h |
| GS | 0000h | 0000_0000_0000_0000h | (FFF)F_FFFFh | 8093h |
| RFLAGS | 0000_0000_0000_0002h | |||
| RIP | 0000_0000_0000_8000h | |||
| CR0 | bits 0 (PE), 2 (EM), 3 (TS), and 31 (PG) cleared, rest unmodified | |||
| CR4 | 0000_0000_0000_0000h | |||
| DR7 | 0000_0000_0000_0400h | |||
| EFER | 0000_0000h | |||
| TEMP_DR6 | 0000_0000_0000_0000h | |||
| IN_REP | false | |||
| IN_SMM | true | |||
| IN_HLT | false | |||
| IN_SHUTDOWN | false | |||
| IN_FP_FREEZE | false | |||
| SUPPRESS_INTERRUPTS | false (both bits) | |||
| BLOCK_INIT | true | |||
| BLOCK_SMI | true | |||
| BLOCK_NMI | true | |||
| LATCH_INIT | true if INIT recognized together with SMI, else false | |||
| LATCH_SMI | false | |||
| LATCH_NMI | true if NMI recognized together with SMI, else false | |||
| FERR# | unmodified | |||
| A20M# | processor-specific | |||
| notes | descriptions | |||
| #1 | On pre-P6 processors the CS selector is loaded with 3000h. | |||
| #2 | Like the data segments, CS is writeable too. | |||
| AMD64 SMM state save map |
||||
| offset | contents | size | notes | |
| FE00h | ES | sel | word | |
| FE02h | ar | word | ||
| FE04h | lim | dword | ||
| FE08h | bas | qword | ||
| FE10h | CS | sel | word | |
| FE12h | ar | word | ||
| FE14h | lim | dword | ||
| FE18h | bas | qword | ||
| FE20h | SS | sel | word | |
| FE22h | ar | word | ||
| FE24h | lim | dword | ||
| FE28h | bas | qword | ||
| FE30h | DS | sel | word | |
| FE32h | ar | word | ||
| FE34h | lim | dword | ||
| FE38h | bas | qword | ||
| FE40h | FS | sel | word | |
| FE42h | ar | word | ||
| FE44h | lim | dword | ||
| FE48h | bas | qword | ||
| FE50h | GS | sel | word | |
| FE52h | ar | word | ||
| FE54h | lim | dword | ||
| FE58h | bas | qword | ||
| FE60h | GDTR | sel | word | reserved |
| FE62h | ar | word | ||
| FE64h | lim | dword | upper 16 bits are reserved | |
| FE68h | bas | qword | ||
| FE70h | LDTR | sel | word | |
| FE72h | ar | word | ||
| FE74h | lim | dword | ||
| FE78h | bas | qword | ||
| FE80h | IDTR | sel | word | reserved |
| FE82h | ar | word | ||
| FE84h | lim | dword | upper 16 bits are reserved | |
| FE88h | bas | qword | ||
| FE90h | TR | sel | word | |
| FE92h | ar | word | ||
| FE94h | lim | dword | ||
| FE98h | bas | qword | ||
| FEA0h | IO_RESTART_RIP | qword | ||
| FEA8h | IO_RESTART_RCX | qword | ||
| FEB0h | IO_RESTART_RSI | qword | ||
| FEB8h | IO_RESTART_RDI | qword | ||
| FEC0h | IO_RESTART_INFO | dword | ||
| FEC4...FEC7h | reserved | 4 bytes | ||
| FEC8h | IO_RESTART | byte | 00h=no, 01h=yes | |
| FEC9h | HLT_RESTART | byte | 00h=no, FFh=yes | |
| FECAh | BLOCK_NMI | byte | 00h=no, 01h=yes | |
| FECBh | reserved | byte | ||
| FECCh | reserved | byte | ||
| FECDh | reserved | byte | ||
| FECEh | reserved | byte | ||
| FECFh | reserved | byte | ||
| FED0h | EFER | qword | ||
| FED8h | reserved | qword | ||
| FEE0h | reserved | qword | ||
| FEE8h | reserved | qword | ||
| FEF0h | reserved | qword | ||
| FEF8...FEFBh | reserved | 4 bytes | ||
| FEFCh | REVISION | dword | 0003_xx64h, is at same offset as in traditional x86 SSM | |
| FF00h | SMBASE | dword | ||
| FF04...FF47h | reserved | 68 bytes | ||
| FF48h | CR4 | qword | ||
| FF50h | CR3 | qword | ||
| FF58h | CR0 | qword | ||
| FF60h | DR7 | qword | ||
| FF68h | DR6 | qword | ||
| FF70h | RFLAGS | qword | ||
| FF78h | RIP | qword | ||
| FF80h | R15 | qword | ||
| FF88h | R14 | qword | ||
| FF90h | R13 | qword | ||
| FF98h | R12 | qword | ||
| FFA0h | R11 | qword | ||
| FFA8h | R10 | qword | ||
| FFB0h | R9 | qword | ||
| FFB8h | R8 | qword | ||
| FFC0h | RDI or R7 | qword | ||
| FFC8h | RSI or R6 | qword | ||
| FFD0h | RBP or R5 | qword | ||
| FFD8h | RSP or R4 | qword | ||
| FFE0h | RBX or R3 | qword | ||
| FFE8h | RDX or R2 | qword | ||
| FFF0h | RCX or R1 | qword | ||
| FFF8h | RAX or R0 | qword | ||
| note | From an architectural standpoint, PDPTR0...3 and TEMP_DR6 also need to be part of the SSM. | |||
| traditional Intel P4 processor SMM state save map |
||||
| offset | contents | size | notes | |
| 7E00h | reserved | 196 bytes | ||
| 7EC4h | CR3 | dword | copy dumped for unknown purposes | |
| 7EC8h | PDPTR0 | qword | ||
| 7ED0h | PDPTR1 | qword | ||
| 7ED8h | PDPTR2 | qword | ||
| 7EE0h | PDPTR3 | qword | ||
| 7EE8h | ??? | dword | 0000_0001h | |
| 7EECh | ??? | byte | 12h | |
| reserved | byte | |||
| byte | ||||
| byte | ||||
| 7EF0h | CR4 | dword | ||
| 7EF4h | ??? | dword | 0000_0000h | |
| 7EF8h | SMBASE | dword | ||
| 7EFCh | REVISION | dword | 0003_0003h or 0003_0004h | |
| 7F00h | IO_RESTART | word | ||
| 7F02h | HLT_RESTART | word | ||
| 7F04h | ES | bas | dword | |
| 7F08h | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F0Ch | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F10h | CS | bas | dword | |
| 7F14h | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F18h | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F1Ch | SS | bas | dword | |
| 7F20h | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F24h | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F28h | DS | bas | dword | |
| 7F2Ch | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F30h | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F34h | FS | bas | dword | |
| 7F38h | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F3Ch | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F40h | GS | bas | dword | |
| 7F44h | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F48h | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F4Ch | GDTR | bas | dword | |
| 7F50h | lim | dword | ||
| 7F54h | IDTR | bas | dword | |
| 7F58h | lim | dword | ||
| 7F5Ch | LDTR | bas | dword | |
| 7F60h | lim | dword | 000x_xxxxh only, with bits 19...16 also in ar | |
| 7F64h | ar | word | has no G bit | |
| 7F66h | ??? | word | 0002h | |
| 7F68h | EFLAGS | dword | copy dumped for unknown purposes | |
| 7F6Ch | TR | bas | dword | |
| 7F70h | ar | dword | shifted left by one, bit0=1 indicates NULL | |
| 7F74h | lim | dword | 000x_xxxxh or xxxx_xFFFh, with bits 19...16 also in ar | |
| 7F78h | IO_RESTART_EDI | dword | ||
| 7F7Ch | IO_RESTART_EIP | dword | ||
| 7F80h | IO_RESTART_ECX | dword | ||
| 7F84h | IO_RESTART_ESI | dword | ||
| 7F88h | ??? | dword | 00130000h | |
| 7F8Ch | ??? | byte | 00h | |
| A20M | byte | 00h if A20M=flat, 30h if A20M=wrap | ||
| ??? | byte | FEh | ||
| ??? | byte | 01h | ||
| 7F90h | ??? | dword | 0000_0C00h | |
| 7F94h | ??? | dword | 03A4_FFB0h | |
| 7F98h | ??? | dword | 0000_0000h | |
| 7F9Ch | ??? | dword | 0008_4000h | |
| 7FA0h | IO_MEM_ADDR | dword | if rev=0004h | |
| 7FA4h | IO_MISC_INFO | dword | if rev=0004h | |
| 7FA8h | ES.sel | dword | ||
| 7FACh | CS.sel | dword | ||
| 7FB0h | SS.sel | dword | ||
| 7FB4h | DS.sel | dword | ||
| 7FB8h | FS.sel | dword | ||
| 7FBCh | GS.sel | dword | ||
| 7FC0h | LDTR.sel | dword | ||
| 7FC4h | TR.sel | dword | ||
| 7FC8h | DR7 | dword | ||
| 7FCCh | DR6 | dword | ||
| 7FD0h | EAX | dword | ||
| 7FD4h | ECX | dword | ||
| 7FD8h | EDX | dword | ||
| 7FDCh | EBX | dword | ||
| 7FE0h | ESP | dword | ||
| 7FE4h | EBP | dword | ||
| 7FE8h | ESI | dword | ||
| 7FECh | EDI | dword | ||
| 7FF0h | EIP | dword | ||
| 7FF4h | EFLAGS | dword | ||
| 7FF8h | CR3 | dword | ||
| 7FFCh | CR0 | dword | ||
| traditional Intel/AMD processor SMM state save map |
||||
| offset | Intel P5 | Intel P6 | AMD K5 | AMD K6 |
| 7E00...7EF7h | reserved | reserved | reserved | reserved |
| 7EF8h | SMBASE | SMBASE | SMBASE | SMBASE |
| 7EFCh | rev ID | rev ID | rev ID | rev ID |
| 7F00h | I/O restart | I/O restart | I/O restart | I/O restart |
| 7F02h | HLT restart | HLT restart | HLT restart | HLT restart |
| 7F04h | I/O restart EDI | I/O restart EDI | I/O restart EDI | I/O restart EDI |
| 7F08h | I/O restart ECX | I/O restart ECX | I/O restart ECX | I/O restart ECX |
| 7F0Ch | I/O restart ESI | I/O restart ESI | I/O restart ESI | I/O restart ESI |
| 7F10h | I/O restart EIP | I/O restart EIP | CR4 | CR4 |
| 7F14h | reserved | CR4 | CR2 | CR2 |
| 7F18 | reserved | A20M# | reserved | reserved |
| 7F1Ah | reserved | |||
| 7F1Bh | ??? | |||
| 7F1Ch | reserved | |||
| 7F1Eh | SMM_status | |||
| 7F20h | CPL | |||
| 7F21h | reserved | |||
| 7F23h | shutdown | |||
| 7F24h | alternative DR6 | alternative DR6 | ES limit | ES limit |
| 7F26h | RSM control | RSM control | ||
| 7F28h | CR4 | sreg_status0 | ES base | ES base |
| 7F2Ch | reserved | DS selector | ES access rights | ES access rights |
| 7F2Eh | DS access rights | |||
| 7F30h | ES limit | DS limit | CS limit | CS limit |
| 7F34h | ES base | DS base | CS base | CS base |
| 7F38h | ES access rights | FS selector | CS access rights | CS access rights |
| 7F3Ah | FS access rights | |||
| 7F3Ch | CS limit | FS limit | SS limit | SS limit |
| 7F40h | CS base | FS base | SS base | SS base |
| 7F44h | CS access rights | GS selector | SS access rights | SS access rights |
| 7F46h | GS access rights | |||
| 7F48h | SS limit | GS limit | DS limit | DS limit |
| 7F4Ch | SS base | GS base | DS base | DS base |
| 7F50h | SS access rights | IDTR selector | DS access rights | DS access rights |
| 7F52h | IDTR access rights | |||
| 7F54h | DS limit | IDTR limit | FS limit | FS limit |
| 7F58h | DS base | IDTR base | FS base | FS base |
| 7F5Ch | DS access rights | TR selector | FS access rights | FS access rights |
| 7F5Eh | TR access rights | |||
| 7F60h | FS limit | TR limit | GS limit | GS limit |
| 7F64h | FS base | TR base | GS base | GS base |
| 7F68h | FS access rights | sreg_status1 | GS access rights | GS access rights |
| 7F6Ch | GS limit | GDTR selector | LDTR limit | LDTR high |
| 7F6Eh | GDTR access rights | |||
| 7F70h | GS base | GDTR limit | LDTR base | LDTR low |
| 7F74h | GS access rights | GDTR base | LDTR access rights | reserved |
| 7F78h | LDTR limit | LDTR selector | TR limit | TR limit |
| 7F7Ah | LDTR access rights | |||
| 7F7Ch | LDTR base | LDTR limit | TR base | TR base |
| 7F80h | LDTR access rights | LDTR base | TR access rights | TR access rights |
| 7F84h | GDTR limit | ES selector | GDTR limit | GDTR limit |
| 7F86h | ES access rights | |||
| 7F88h | GDTR base | ES limit | GDTR base | GDTR base |
| 7F8Ch | GDTR access rights | ES base | IDTR limit | IDTR limit |
| 7F90h | IDTR limit | CS selector | IDTR base | IDTR base |
| 7F92h | CS access rights | |||
| 7F94h | IDTR base | CS limit | reserved | reserved |
| 7F98h | IDTR access rights | CS base | reserved | reserved |
| 7F9Ch | TR limit | SS selector | I/O restart EIP | I/O restart EIP |
| 7F9Eh | SS access rights | |||
| 7FA0h | TR base | SS limit | reserved | reserved |
| 7FA4h | TR access rights | SS base | I/O restart DWORD | I/O restart DWORD |
| 7FA8h | ES | ES | ES | ES |
| 7FACh | CS | CS | CS | CS |
| 7FB0h | SS | SS | SS | SS |
| 7FB4h | DS | DS | DS | DS |
| 7FB8h | FS | FS | FS | FS |
| 7FBCh | GS | GS | GS | GS |
| 7FC0h | LDTR | LDTR | LDTR | LDTR |
| 7FC4h | TR | TR | TR | TR |
| 7FC8h | DR7 | DR7 | DR7 | DR7 |
| 7FCCh | DR6 | DR6 | DR6 | DR6 |
| 7FD0h | EAX | EAX | EAX | EAX |
| 7FD4h | ECX | ECX | ECX | ECX |
| 7FD8h | EDX | EDX | EDX | EDX |
| 7FDCh | EBX | EBX | EBX | EBX |
| 7FE0h | ESP | ESP | ESP | ESP |
| 7FE4h | EBP | EBP | EBP | EBP |
| 7FE8h | ESI | ESI | ESI | ESI |
| 7FECh | EDI | EDI | EDI | EDI |
| 7FF0h | EIP | EIP | EIP | EIP |
| 7FF4h | EFLAGS | EFLAGS | EFLAGS | EFLAGS |
| 7FF8h | CR3 | CR3 | CR3 | CR3 |
| 7FFCh | CR0 | CR0 | CR0 | CR0 |
| Cyrix pre-M2 processor SMM state save map |
||||||||||||||||||||||||||||||||
| offset | 3 1 |
3 0 |
2 9 |
2 8 |
2 7 |
2 6 |
2 5 |
2 4 |
2 3 |
2 2 |
2 1 |
2 0 |
1 9 |
1 8 |
1 7 |
1 6 |
1 5 |
1 4 |
1 3 |
1 2 |
1 1 |
1 0 |
9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| -30h | ESI or EDI | |||||||||||||||||||||||||||||||
| -2Ch | I/O write data | |||||||||||||||||||||||||||||||
| -28h | I/O write data size | I/O write port address | ||||||||||||||||||||||||||||||
| -24h | reserved | H | S | P | I | r. | ||||||||||||||||||||||||||
| -20h | CS descriptor (bit31...0) | |||||||||||||||||||||||||||||||
| -1Ch | CS descriptor (bit63...31) | |||||||||||||||||||||||||||||||
| -18h | reserved | CPL | reserved | CS selector | ||||||||||||||||||||||||||||
| -14h | next EIP | |||||||||||||||||||||||||||||||
| -10h | current EIP | |||||||||||||||||||||||||||||||
| -0Ch | CR0 | |||||||||||||||||||||||||||||||
| -08h | EFLAGS | |||||||||||||||||||||||||||||||
| -04h | DR7 | |||||||||||||||||||||||||||||||
| Cyrix M2 processor SMM state save map |
||||||||||||||||||||||||||||||||
| offset | 3 1 |
3 0 |
2 9 |
2 8 |
2 7 |
2 6 |
2 5 |
2 4 |
2 3 |
2 2 |
2 1 |
2 0 |
1 9 |
1 8 |
1 7 |
1 6 |
1 5 |
1 4 |
1 3 |
1 2 |
1 1 |
1 0 |
9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
| -30h | ESI or EDI | |||||||||||||||||||||||||||||||
| -2Ch | I/O write data | |||||||||||||||||||||||||||||||
| -28h | I/O write data size | I/O write port address | ||||||||||||||||||||||||||||||
| -24h | reserved | CPL | reserved | N | r. | IS | reserved | H | S | P | I | C | ||||||||||||||||||||
| -20h | CS descriptor (bit31...0) | |||||||||||||||||||||||||||||||
| -1Ch | CS descriptor (bit63...31) | |||||||||||||||||||||||||||||||
| -18h | reserved | CS selector | ||||||||||||||||||||||||||||||
| -14h | next EIP | |||||||||||||||||||||||||||||||
| -10h | current EIP | |||||||||||||||||||||||||||||||
| -0Ch | CR0 | |||||||||||||||||||||||||||||||
| -08h | EFLAGS | |||||||||||||||||||||||||||||||
| -04h | DR7 | |||||||||||||||||||||||||||||||
