
Cyrix SMM Programmer's Guide
Revision 2.1

Cyrix is a registered trademark of the Cyrix Corporation

1996
Order Number 94211-01

©1996 Copyright Cyrix Corporation. All rights reserved. Printed in the United States of America Trademark Acknowledgments: Cyrix is a registered trademark of Cyrix Corporation. Cx486DX, Cx486DX2, Cx486DX4, 5x86 and 6x86 are trademarks of Cyrix Corporation. Product names used in this publication are for identification purposes only and may be trademarks of their respective companies.
Cyrix Corporation
2703 North Central Expressway
Richardson, Texas 75080
United States of America

Order Number 94211-01
March 1996

This document contains source code for sample programs that can be used to demonstrate the functions/features described. CYRIX makes no representations that these programs are error-free. These programs are provided "AS IS" WITHOUT WARRANTY OR REPRESENTATION OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF NONINFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT, AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL CYRIX BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS, AND OTHER CONSEQUENTIAL AND/OR INCIDENTAL DAMAGES) ARISING OUT OF THE USE OR INABILITY TO USE THESE PROGRAMS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THIS LIMITATION MAY NOT APPLY TO YOU.

Cyrix Corporation (Cyrix) reserves the right to make changes in the devices or specification described herein without notice. Before design-in or order placement, customers are advised to verify that the information on which orders or design activities are based is current. Cyrix warrants its products to conform to current specifications in accordance with Cyrix' standard warranty. Testing is performed to the extent necessary as determined by Cyrix to support this warranty. Unless explicitly specified by customer order requirements, and agreed to in writing by Cyrix, not all device characteristics are necessarily tested. Cyrix assumes no liability, unless specifically agreed to in writing, for customer's product design or infringement of patents or copyrights of third parties arising from use of Cyrix devices. No license, either express or implied, to Cyrix patents, copyrights, or other intellectual property rights pertaining to any machine or combination of Cyrix devices is hereby granted. Cyrix products are not intended for use in any medical, life saving, or life sustaining systems. Information in this document is subject to change without notice.


SMM PROGRAMMER'S GUIDE

TABLE OF CONTENTS

1. SMM Overview
1.1 Introduction
1.2 Cyrix SMM Features
1.3 Typical SMM Routine

2. SMM Implementation
2.1 SMM Pins
2.2 Cyrix SMM Mode
2.3 SL SMM Mode
2.4 Configuration Control Registers and SMM

3. SMM Software Considerations
3.1 Initializing SMM
3.2 SMM Handler Entry State
3.3 Maintaining the CPU State
3.4 Initializing the SMM Environment
3.5 Accessing Main Memory Overlapped by SMM Memory
3.6 I/O Restart
3.7 I/O Port Shadowing and Emulation
3.8 Resume to HLT Instruction
3.9 Exiting the SMI Handler
3.10 Testing and Debugging SMM Code

4. Power Management Features
4.1 Reduction of Clock Frequency
4.2 Lowering the CPU Supply Voltage
4.3 Suspend Mode

Appendices
A. Assembler Macros for Cyrix Instructions
B. DX2/DX4 Resume to HALT
C. Differences in Cyrix Processors

1. SMM OVERVIEW

1.1 Introduction

This Programmer's Guide is provided to assist programmers in the creation of software that uses the Cyrix® System Management Mode (SMM) for the following Cyrix products:

· Cx486DX2™ processor
· Cx486DX4™ processor
· 5x86™ processor
· 6x86™ processor

Note: "6x86" is a product code that will be replaced by a product name at a later date.

This guide should be used in conjunction with the appropriate Cyrix Processor Data Book. This manual is an update to the 1992 Cx486SLC/e SMM Programmer's Guide that describes SMM operations for the Cx486SLC/e and Cx486DX Cyrix CPUs.

SMM provides the system designer with another operating mode for the CPU. Within this document, the standard x86 operating modes (real, V86, and protected) are referred to as normal mode. Normal-mode operation can be interrupted by an SMI interrupt or special instruction that places the processor in System Management Mode (SMM). SMM can be used to enhance the functionality of the system by providing power management, register shadowing, peripheral emulation and other system-level functions. SMM can be totally transparent to all software, including protected-mode operating systems.

1.2 Cyrix SMM Features

The Cyrix microprocessors have programmable location and size for the SMM memory region. The CPUs automatically save minimal register information, reducing the time needed for SMM entry and exit. The SMM implementation by Cyrix provides unique instructions that save additional segment registers. The x86 MOV instruction can be used to save the general purpose registers.

The Cyrix processors simplify I/O trapping by providing I/O type identification and instruction restarting. Cyrix CPUs also make available to the SMM routine information that can simplify peripheral register shadowing.

Cyrix provides a method to prevent SMM configuration registers from being accessed by applications. Not allowing an application to disable or alter SMM operation is useful for anti-virus or security measures.

Figure 1-1. Typical SMM Routine (flowchart; boxes: SMM Entry, Save State, Initialize SMM Environment, I/O Trap?, Device OFF?, Service Trap SMI, Shadow or Emulate, Modify State For I/O Restart, Service Non-Trap SMI, HALT?, Decrement EIP, Restore State, Resume, SMM Exit)

1.3 Typical SMM Routines

A typical SMM routine is illustrated in the flowchart shown in Figure 1-1. Upon entry to SMM, the CPU registers that will be used by the SMM routine must be saved. The SMM environment is initialized by setting up an Interrupt Descriptor Table, initializing segment limits, and setting up a stack. If entry to SMM results from an I/O bus cycle, the SMM routine can monitor peripheral activity, shadow read-only ports, and emulate peripherals in software. If a peripheral is powered down, the SMM routine can power it up and reissue the I/O instruction. If the SMM routine is not the result of an I/O bus cycle, non-trap SMI functions can be serviced. If an HLT instruction is interrupted by an SMI then the HLT instruction should be restarted when the SMM routine is completed. Before normal operation is resumed, any CPU registers modified during the SMM routine must be restored to their previous state.


2. SMM IMPLEMENTATION

This chapter describes the Cyrix SMM System interface. SMM operations for Cyrix microprocessors are similar to related operations performed by other x86 microprocessors. Cyrix CPUs support two SMM modes, Cyrix SMM mode and SL SMM mode, except for the 6x86, which supports only SL SMM mode. The CPU defaults to Cyrix SMM mode. Setting the SMM_MODE bit (in CCR3) will cause the CPU to operate in SL SMM mode.

2.1 SMM Pins

In either SMM mode, two unique pins are required to support SMM. These pins perform three functions:

1. Signaling when an SMI interrupt should occur,
2. Informing the chipset that the CPU is in SMM mode,
3. Informing the chipset whether the bus cycle is intended for SMM memory or system memory.

Signals at the SMI# and SMADS# pins are used to implement SMM.

2.2 Cyrix SMM Mode

The CPU defaults to Cyrix SMM mode. Cyrix SMM mode is not supported by the 6x86. An SMM routine can be started by asserting the SMI# "input" pin. Once the SMM routine has begun, the SMI# pin becomes an output pin that signals the chip set that an SMM routine is in progress. The SMADS# address strobe signal is generated (instead of an ADS# address strobe signal) while the CPU is executing instructions or accessing data in SMM address space.

2.2.1 SMI# Pin Timing

To enter Cyrix SMM mode, the SMI# pin must be asserted for at least one CLK period (two clocks if SMI# is asserted asynchronously). To accomplish I/O trapping, the SMI# signal should be asserted two clocks before the RDY# for that I/O cycle. Once the CPU recognizes the active SMI# input, the CPU drives the SMI# input low for the duration of the SMM routine. The SMM routine is terminated with an SMM-specific resume instruction (RSM). When the RSM instruction is executed, the CPU drives the SMI# pin high for one CLK period. The SMI# pin must be allowed to go high for one CLK at the end of the SMM routine to allow for the next SMI to be recognized. Since the SMI# pin is bi-directional, only one SMI# interrupt can become active at one time.

2.2.2 Address Strobes

The CPU has two address strobes, ADS# and SMADS#. ADS# is the address strobe used during normal operations. The SMADS# address strobe replaces ADS# during SMM for memory accesses when data is written, read, or fetched in the SMM defined region. Using a separate address strobe simplifies chipset design.

During an SMM interrupt routine, control can be transferred to main memory via a JMP, CALL, Jcc instruction, or by execution of a software interrupt (INT), or execution of a hardware interrupt (INTR or NMI).

Code accesses in main memory will assert ADS#. ADS# will also be asserted for data accesses outside of the defined SMM address region. It is assumed, but not required, that the chipset ultimately translates SMADS# and a particular address to some other address.

To access data in main memory that overlaps the SMM address space, the MMAC bit (CCR1, bit 3) must be set. This allows ADS# strobes to be generated for data accesses in memory that overlap SMM memory while in SMM mode. While in SMM mode it is not possible to execute code in main memory that overlaps SMM space.

SMADS# can also be generated for memory reads, memory writes, and code fetches within the defined SMM region when the SMAC bit (CCR1, bit 2) is set while in normal mode. The generation of SMADS# permits a program in normal mode to execute out of SMM memory. The RSM instruction should not be executed when not servicing an SMM interrupt unless valid return information is first written into the SMM header.

2.2.3 Cache Coherency

SMM memory is never cached in the CPU internal cache. This makes cache coherency completely transparent to the SMM programmer using Cyrix SMM mode. If the CPU cache is in write-back mode, all write-back cycles will be directed to normal memory with the use of the ADS# signal. An INVD or WBINVD will write dirty data out to normal memory even if it overlaps with SMM space.

SMM memory can be cached by an external cache controller, but it is up to the cache designer to be sure to maintain a distinction between SMM memory space and normal memory space.

The A20M# input to the CPU is ignored for all SMM space accesses (that is, any access that uses SMADS#).

2.3 SL SMM Mode

SL SMM mode is selected by the SMM_MODE bit in CCR3. The 6x86 supports only SL SMM mode. The SMI# and SMADS# pins are used to implement SL SMM Mode. (SMADS# is referred to as SMIACT# on the 6x86.) The SMI# pin is an input pin used by the chipset to signal the CPU that an SMI has been requested. While the CPU is in the process of servicing an SMI interrupt, the SMADS# (SMIACT#) pin is an output used to signal the chipset that the SMM processing is occurring. The ADS# address strobe signal is asserted in order to access data in either normal memory or SMM address space.

2.3.1 SMI# Input

SMI# is an edge-triggered input pin sampled by two rising edges of CLK. SMI# must meet certain setup and hold times to be detected on a specific clock edge. To accomplish I/O trapping, the SMI# signal should be asserted three clocks before the RDY# or BRDY# for that I/O cycle. Once the CPU recognizes the active SMI# input, the CPU drives SMADS# (SMIACT#) active for the duration of the SMM routine. The SMM routine is terminated with an SMM-specific resume instruction (RSM). When the RSM instruction is executed, the CPU negates the SMADS# (SMIACT#) pin after the last bus cycle to SMM memory. While executing the SMM service routine, one additional SMI# can be latched for service after resuming from the first SMI.

2.3.2 SMADS# (SMIACT#) Address Strobe

The CPU uses one address strobe, ADS#, to initiate memory cycles for both normal and SMM memory. The chipset must monitor the address on the bus to determine if a given cycle is intended for normal or SMM memory. If SMADS# (SMIACT#) is inactive when an ADS# is asserted, the cycle will access normal memory. If SMADS# (SMIACT#) is active when an ADS# is asserted, the chipset must compare the address bus to the address range for SMM memory. If the address is within the SMM address region, the cycle should be directed to SMM memory. If the address is outside of the SMM address region, the cycle should be directed to normal memory.

Normal memory located within the same physical address range as the SMM address region can only be accessed from within SMM mode by chipset-specific functions which will relocate the normal memory to an address that is accessible to the SMM code. In normal mode, SMM memory can be initialized by using chipset-specific functions to map the SMM memory into normal memory so that it can be accessed.

The MMAC and SMAC bits in CCR1 should not be used while in SL SMM mode. See Appendix C for details on how these bits function in each of the Cyrix CPUs.

2.3.3 Cache Coherency

Intel's SL Enhanced 486 allows SMM memory accesses to be cached. This may cause coherency problems in systems where SMM memory space and normal memory space overlap. Therefore, Intel recommends one of two options: (1) flush the cache when entering and exiting an SMM service routine, or (2) flush the cache when entering an SMM service routine and then make all SMM accesses non-cacheable using the KEN# pin. In both cases, Intel recommends asserting the FLUSH# input when SMIACT# is asserted. This is acceptable for a CPU with a write-through cache because the flush invalidates the cache in a single clock. Therefore, the Cyrix CPU must also write back and invalidate the cache prior to asserting SMADS# (SMIACT#). No dirty data can exist in the CPU (cache and write buffers) at the time that SMADS# (SMIACT#) is asserted.

On the 486DX2/DX4 this flush is done automatically before SMADS# (SMIACT#) is asserted. On 5x86 and 6x86 CPUs, the chipset must drive FLUSH# on the same clock as SMI# to ensure that the dirty data is written out to memory before the SMIACT# is asserted. If the software instruction SMINT is used to enter SMM, a WBINVD instruction should be executed immediately before the SMINT instruction to assure that no dirty data is in the cache. A bus snoop will not hit in the CPU cache if the FLUSH# pin has been asserted before entering SMM. Cyrix CPUs prevent dirty data hits within SMM because the SMM space is always non-cacheable.

2.4 Configuration Control Registers and SMM

This section describes fields in the Configuration Registers that configure SMM operations. Fields not related to SMM are not described in this manual and are shown as blank fields in the configuration register tables. For a complete description of the configuration registers, refer to the appropriate data book.

All configuration-register bits related to SMM and power management are cleared to 0 when RESET is asserted. Asserting WM_RST does not affect the configuration registers.

These registers are accessed by writing the register index to I/O port 22h. I/O port 23h is used for data transfer. Each data transfer to I/O port 23h must be preceded by an I/O port 22h register-index selection, otherwise the port 23h access will be directed off chip.

Before accessing these registers, all interrupts must be disabled. A problem could occur if an interrupt occurs after writing to port 22h but before accessing port 23h. The interrupt service routine might access port 22h or 23h. After returning from the interrupt, the access to port 23h would be redirected to another index or possibly off chip.

An SMI interrupt cannot interrupt accesses to the configuration registers. After writing an index to port 22h in the CPU configuration space, SMI interrupts are disabled until the corresponding access to port 23h is complete.

The portions of the configuration registers that apply to SMM and power management are described in the following pages.


Table 2-1. CCR1 Register (Register INDEX = C1h)

Bit 7:      SM3
Bits 6-4:   (blank)
Bit 3:      MMAC
Bit 2:      SMAC
Bit 1:      USE_SMI
Bit 0:      (blank)

Table 2-2. CCR1 Bit Definitions

Bit 1, USE_SMI: Enable SMM Pins.
    If = 1: The SMI# input/output pin and SMADS# (SMIACT#) output pin are enabled. USE_SMI must be set to 1 before any attempted access to SMM memory is made.
    If = 0: The SMI# input pin is ignored and the SMADS# (SMIACT#) output pin floats. Execution of Cyrix specific SMM instructions will generate an invalid opcode exception.
    Notes: Also called SMI.

Bit 2, SMAC: System Management Memory Access.
    If = 1: SMI# input is ignored. Memory accesses while in normal mode that fall within the specified SMM address region generate an SMADS# (SMIACT#) output and access SMM memory. Instructions with SMM opcodes are enabled.
    If = 0: All memory accesses in normal mode go to system memory with ADS# output active. In normal mode, execution of Cyrix specific SMM instructions generates an invalid opcode exception.
    Notes: Valid on Cx486DX2/DX4 and 5x86 only when operating in Cyrix SMM mode. SMAC is always available for 6x86.

Bit 3, MMAC: Main Memory Access.
    If = 1: Data accesses while in SMM mode that fall within the specified SMM address region will generate an ADS# output and access main memory. Code fetches are not affected by the MMAC bit. Code fetches from the SMM address region always generate an SMADS# output and access SMM memory. If both the SMAC and MMAC bits are set to 1, the MMAC bit has precedence.
    If = 0: All memory accesses to the SMM address region while in SMM mode go to SMM memory with SMADS# output active.
    Notes: Not available for 6x86. Do not set MMAC unless operating in Cyrix SMM mode.

Bit 7, SM3: SMM Space Address Region 3.
    If = 1: Address Region 3 (ARR3) is redefined as the SMM Address Region (SMAR).
    Notes: Available for 6x86 only.

Table 2-3. CCR2 Register (Register INDEX = C2h)

Bit 7:      USE_SUSP
Bits 6-4:   (blank)
Bit 3:      SUSP_HALT
Bits 2-0:   (blank)

Table 2-4. CCR2 Bit Definitions

Bit 3, SUSP_HALT: Suspend on HALT.
    If = 1: CPU enters suspend mode following execution of a HLT instruction.
    If = 0: CPU does not enter suspend mode following execution of a HLT instruction.
    Notes: Also called HALT.

Bit 7, USE_SUSP: Enable Suspend Pins.
    If = 1: SUSP# input and SUSPA# output are enabled.
    If = 0: SUSP# input is ignored and SUSPA# output floats.
    Notes: Also called SUSP.


Table 2-5. CCR3 Register (INDEX = C3h)

Bits 7-4:   (blank)
Bit 3:      SMM_MODE
Bit 2:      (blank)
Bit 1:      NMI_EN
Bit 0:      SMI_LOCK

Table 2-6. CCR3 Bit Definitions

Bit 0, SMI_LOCK: SMM Register Lock.
    If = 1: The following Configuration Control Register bits cannot be modified unless operating in SMM mode: USE_SMI, SMAC, MMAC, NMI_EN, SM3 and SMAR.
    If = 0: Any program in normal mode, as well as SMM software, has access to all Configuration Control Registers.
    Once set, the SMI_LOCK bit can only be cleared by asserting the RESET pin.

Bit 1, NMI_EN: NMI Enable.
    If = 1: NMI is enabled during SMM. This bit should only be set temporarily while in the SMM routine to allow NMI interrupts to be serviced. NMI_EN should not be set to 1 while in normal mode. If NMI_EN = 1 when an SMI occurs, an NMI could occur before the SMM code has initialized the Interrupt Descriptor Table.
    If = 0: NMI (Non-Maskable Interrupt) is not recognized during SMM. One occurrence of NMI can be latched and serviced after SMM mode is exited. The NMI_EN bit should be cleared before executing a RSM instruction to exit SMM.
    Notes: Also called NMIEN.

Bit 3, SMM_MODE: SMM Mode.
    If = 1: SMM pins function as defined for SL-compatible mode.
    If = 0: SMM pins function as defined for Cyrix SMM compatible mode.
    Notes: Not available on 6x86 as 6x86 operates in SL SMM mode only.
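
As an added example (not code from the Cyrix guide), the C function below checks CCR1 and CCR3 values, captured by the caller after SMM setup is complete, against the rules stated in Tables 2-2 and 2-6. The function names, finding flags and sample values are hypothetical, and the MMAC/SMM_MODE test only applies to parts that implement the SMM_MODE bit.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions from Table 2-1 (CCR1) and Table 2-5 (CCR3). */
#define CCR1_USE_SMI  (1u << 1)
#define CCR1_SMAC     (1u << 2)
#define CCR1_MMAC     (1u << 3)
#define CCR3_SMI_LOCK (1u << 0)
#define CCR3_NMI_EN   (1u << 1)
#define CCR3_SMM_MODE (1u << 3)

/* Finding flags (hypothetical names) for register values seen in normal mode. */
enum {
    F_UNLOCKED     = 1 << 0,
    F_SMAC_SET     = 1 << 1,
    F_NMI_EN_SET   = 1 << 2,
    F_SMI_DISABLED = 1 << 3,
    F_MMAC_IN_SL   = 1 << 4
};

static const char *const finding_text[] = {
    "SMI_LOCK = 0: normal-mode software can rewrite the SMM configuration",
    "SMAC = 1: normal-mode accesses reach SMM memory and SMI# is ignored",
    "NMI_EN = 1 in normal mode: NMI may arrive before the SMM IDT is set up",
    "USE_SMI = 0: SMI# input is ignored",
    "MMAC = 1 while SMM_MODE selects SL SMM mode"
};

/* Returns a bitmask of F_* findings; 0 means no rule from the tables is violated. */
unsigned ccr_audit(uint8_t ccr1, uint8_t ccr3)
{
    unsigned f = 0;

    if (!(ccr3 & CCR3_SMI_LOCK))
        f |= F_UNLOCKED;
    if (ccr1 & CCR1_SMAC)
        f |= F_SMAC_SET;
    if (ccr3 & CCR3_NMI_EN)
        f |= F_NMI_EN_SET;
    if (!(ccr1 & CCR1_USE_SMI))
        f |= F_SMI_DISABLED;
    if ((ccr1 & CCR1_MMAC) && (ccr3 & CCR3_SMM_MODE))
        f |= F_MMAC_IN_SL;
    return f;
}

/* Prints one line per finding and returns the number of findings. */
int ccr_report(uint8_t ccr1, uint8_t ccr3)
{
    unsigned f = ccr_audit(ccr1, ccr3);
    int count = 0;

    for (unsigned i = 0; i < sizeof finding_text / sizeof finding_text[0]; i++) {
        if (f & (1u << i)) {
            printf("  finding: %s\n", finding_text[i]);
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample values, not read from hardware. */
    printf("CCR1=02h CCR3=01h (locked, SMAC cleared): %d finding(s)\n",
           ccr_report(0x02, 0x01));
    printf("CCR1=06h CCR3=02h (SMAC left set, unlocked, NMI_EN set): %d finding(s)\n",
           ccr_report(0x06, 0x02));
    return 0;
}
```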

Table 2-7. SMM Address Region Registers (SMAR)

REG. INDEX = CDh:   bits 7-0 = STARTING ADDRESS A31-A24
REG. INDEX = CEh:   bits 7-0 = STARTING ADDRESS A23-A16
REG. INDEX = CFh:   bits 7-4 = STARTING ADDRESS A15-A12, bits 3-0 = SIZE

Table 2-8. SMAR Register SIZE Field

Bits 3-0    BLOCK SIZE
0h          Disable
1h          4 KBytes
2h          8 KBytes
3h          16 KBytes
4h          32 KBytes
5h          64 KBytes
6h          128 KBytes
7h          256 KBytes
8h          512 KBytes
9h          1 MBytes
Ah          2 MBytes
Bh          4 MBytes
Ch          8 MBytes
Dh          16 MBytes
Eh          32 MBytes
Fh          4 KBytes (same as 1h); 4 GBytes (6x86 only)

Note for 6x86 processors only: Address Region 3 (ARR3) is designated as SMM address space if CCR1 bit 7 (SM3) is set.
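
The following C code, an added example that is not part of the Cyrix guide, packs an SMM base address and block size into the three SMAR bytes of Table 2-7 and unpacks them again using the SIZE codes of Table 2-8. The function names are hypothetical, the code performs no port I/O, and treating code Fh as 4 KBytes on non-6x86 parts and 4 GBytes on the 6x86 is this example's reading of the last table row.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns the Table 2-8 SIZE code (1h..Eh) for a block size in bytes,
 * or -1 if the size is not one of the listed block sizes. */
static int smar_size_code(uint64_t bytes)
{
    uint64_t sz = 4096;                     /* code 1h = 4 KBytes */

    for (int code = 1; code <= 0xE; code++, sz <<= 1)
        if (sz == bytes)
            return code;
    return -1;
}

/* Packs base and size into regs[0..2], the bytes for indexes CDh, CEh, CFh.
 * Returns 0 on success, -1 for an unlisted size, -2 if base has bits below A12. */
int smar_encode(uint32_t base, uint64_t bytes, uint8_t regs[3])
{
    int code = smar_size_code(bytes);

    if (code < 0)
        return -1;
    if (base & 0xFFFu)
        return -2;                          /* SMAR only stores A31-A12 */
    regs[0] = (uint8_t)(base >> 24);                            /* A31-A24 */
    regs[1] = (uint8_t)(base >> 16);                            /* A23-A16 */
    regs[2] = (uint8_t)(((base >> 8) & 0xF0u) | (unsigned)code); /* A15-A12, SIZE */
    return 0;
}

/* Unpacks the three SMAR bytes. Returns 1 if SIZE = 0h (region disabled),
 * otherwise 0 with *base and *bytes filled in. */
int smar_decode(const uint8_t regs[3], int is_6x86, uint32_t *base, uint64_t *bytes)
{
    unsigned code = regs[2] & 0x0Fu;

    *base = ((uint32_t)regs[0] << 24) | ((uint32_t)regs[1] << 16) |
            ((uint32_t)(regs[2] & 0xF0u) << 8);
    if (code == 0) {
        *bytes = 0;
        return 1;
    }
    if (code == 0xF)                        /* last row of Table 2-8 (assumed reading) */
        *bytes = is_6x86 ? (1ULL << 32) : 4096;
    else
        *bytes = 4096ULL << (code - 1);
    return 0;
}

int main(void)
{
    uint8_t regs[3];
    uint32_t base;
    uint64_t bytes;

    /* Constructed sample: a 16 KByte region at 68000h. */
    if (smar_encode(0x68000u, 0x4000u, regs) == 0)
        printf("CDh=%02Xh CEh=%02Xh CFh=%02Xh\n", regs[0], regs[1], regs[2]);
    if (smar_decode(regs, 0, &base, &bytes) == 0)
        printf("base=%05lXh size=%lu bytes\n",
               (unsigned long)base, (unsigned long)bytes);
    return 0;
}
```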


2.5 SMM Instruction Summary

Cyrix has added seven new instructions to the x86 standard instruction set to aid in SMM programming. These instructions are only valid when:

1) USE_SMI = 1
2) SMAR > 0
3) Current Privilege Level (CPL) = 0
4) SMAC bit is set or the CPU is in SMM mode

Note: There are minor differences between CPUs concerning when these instructions are valid as detailed in Appendix C.

The CPU will generate an invalid opcode fault when the conditions above are not met and one of the SMM instructions is executed. The assembly language macro SMIMAC.INC listed in Appendix A will automatically generate the appropriate machine code when included in a source file containing Cyrix SMM instructions.

Most of the Cyrix SMM instructions are used to access the non-programmer visible internal descriptors. The standard x86 instructions cannot access this information inside the CPU. This information is stored in memory in a 10-byte area that is comprised of both the descriptor (8 bytes) and the segment register/selector (2 bytes). The 8-byte descriptor is in the same format that it is found in the GDT or LDT. If the data area is dword aligned, the memory access time will be minimized.

Table 2-9. Register and Descriptor Save Format

Offset   Contents of the 16-bit word (bit positions in parentheses)
+8       SELECTOR or SEGMENT (15-0)
+6       BASE 31-24 (15-8), G (7), D (6), 0 (5), AVL (4), LIMIT 19-16 (3-0)
+4       P (15), DPL (14-13), DT (12), TYPE (11-8), BASE 23-16 (7-0)
+2       BASE 15-0 (15-0)
+0       LIMIT 15-0 (15-0)

2.5.1 RSDC - Restore Register and Descriptor

Table 2-10. Restore Register and Descriptor

Instruction   Opcode                   Parameters
RSDC          0F 79 [mod sreg3 r/m]    sreg3, mem80

RSDC loads the information at mem80 into a segment register/selector and its associated descriptor. Attempting to use this instruction to load the Code Segment or Code Selector will generate an invalid opcode exception. The Code Segment or Code Selector is restored from the SMM header as part of the RSM instruction.

2.5.2 RSLDT - Restore LDT and Descriptor

Table 2-11. Restore LDT and Descriptor

Instruction   Opcode                   Parameters
RSLDT         0F 7B [mod 000 r/m]      mem80

RSLDT loads the information at mem80 into the Local Descriptor Table Register and its associated descriptor.

2.5.3 RSM - Resume Back to Normal Mode

Table 2-12. Resume Back to Normal Mode

Instruction   Opcode                   Parameters
RSM           0F AA                    None

RSM will restore the state of the CPU from the SMM header at the top of SMM space and exit SMM. This is the last instruction executed in an SMM handler.


2.5.4 RSTS - Restore TSR and Descriptor

Table 2-13. Restore TSR and Descriptor

Instruction   Opcode                   Parameters
RSTS          0F 7D [mod 000 r/m]      mem80

RSTS loads the information at the mem80 address into the Task Register and its associated descriptor.

2.5.5 SMINT - Software SMM Interrupt

Table 2-14. Software SMM Interrupt

Instruction   Opcode                   Parameters
SMINT         0F 7E                    None

SMINT will cause the CPU to enter SMM as though the hardware SMI# pin were sampled enabled. The SMINT instruction sets the "S" bit in the SMM header. The SMI# signal is not driven by the CPU if an SMM routine is entered using an SMINT instruction and if the CPU is operating in Cyrix SMM mode. If operating a 6x86 in write-back mode, a WBINVD instruction should be executed immediately preceding an SMINT instruction to preserve cache coherency.

2.5.6 SVDC - Save Register and Descriptor

Table 2-15. Save Register and Descriptor

Instruction   Opcode                   Parameters
SVDC          0F 78 [mod sreg3 r/m]    mem80, sreg3

SVDC saves the contents of a segment register/selector and its associated descriptor to memory at mem80. This instruction can be used on any segment/selector including the Code Segment.

2.5.7 SVLDT - Save LDT and Descriptor

Table 2-16. Save LDT and Descriptor

Instruction   Opcode                   Parameters
SVLDT         0F 7A [mod 000 r/m]      mem80

SVLDT saves the Local Descriptor Table Selector and non-programmer visible descriptor information at the address location mem80.

2.5.8 SVTS - Save TSR and Descriptor

Table 2-17. Save TSR and Descriptor

Instruction   Opcode                   Parameters
SVTS          0F 7C                    mem80

SVTS saves the Task Register and its associated descriptor to address location mem80.


3. SMM SOFTWARE CONSIDERATIONS

This section provides information helpful in the development of SMM code.

3.1 Initializing SMM

Many systems have memory controllers that aid in the initialization of SMM memory. Cyrix SMM features allow the initialization of SMM memory without external hardware memory remapping.

When loading SMM memory with an SMM interrupt handler it is important that the SMI# does not occur before the handler is loaded. To load SMM memory with a program it is first necessary to enable SMM memory without enabling the SMI pins. This is done by setting SMAC = 1 and loading SMAR with the SMM address region. Setting USE_SMI = 1 will then map the SMM memory region over main memory. The SMM region is physically mapped by the assertion of SMADS# to allow memory access within the SMM region. A REP MOV instruction can then be used to transfer the program to SMM memory. After initializing SMM memory, negate SMAC to activate potential SMI#s.

SMM space can be located anywhere in the 4-GByte address range. However, if the location of SMM space is above 1 MByte, the value in CS will truncate the segment above 16 bits when stored from the stack. This would prohibit doing calls or interrupts from real mode without restoring the 32-bit features of the 486 because of the incorrect return address on the stack.


; load SMM memory from system memory (Cyrix SMM mode only)
include SMIMAC.INC
SMMBASE = 68000h
SMMSIZE = 4000h                 ;SMM SIZE is 16K
SMI     = 1 shl 1
SMAC    = 1 shl 2
MMAC    = 1 shl 3

;interrupts should be disabled here
    mov al, 0cdh                ;index SMAR, SMM base
    out 22h, al                 ;select
    mov al, 00h                 ;set high SMM address to 00
    out 23h, al                 ;write value
    mov al, 0ceh                ;index SMAR, SMM base
    out 22h, al                 ;select
    mov al, 06h                 ;set mid SMM address to 06h
    out 23h, al                 ;write value
    mov al, 0cfh                ;SMAR, SMM base & SIZE
    out 22h, al                 ;select
    mov al, 083h                ;set SMM lower addr. 80h, 16K
    out 23h, al                 ;write value
    mov al, 0c1h                ;index to CCR1
    out 22h, al                 ;select CCR1 register
    in  al, 23h                 ;read current CCR1 value
    mov ah, al                  ;save it
    mov al, 0c1h                ;index to CCR1
    out 22h, al                 ;select CCR1 register
    mov al, ah
    or  al, SMI or SMAC         ;set SMI and SMAC
    out 23h, al                 ;new value now in CCR1, SMM now mapped in
    mov ax, SMMBASE shr 4
    mov es, ax
    mov edi, 0                  ;es:di = start of the SMM area
    mov esi, offset SMI_ROUTINE ;start of copy of SMM
    mov ax, seg SMI_ROUTINE     ;routine in main memory
    mov ds, ax
    mov ecx, (SMI_ROUTINE_LENGTH+3)/4 ;calc. length

; this line copies the SMM routine from DS:ESI to ES:EDI
    rep movs dword ptr es:[edi], dword ptr ds:[esi]

; now clear SMAC so that SMI# is recognized (USE_SMI stays set)
; AX was reused for the segment loads above, so CCR1 is read again
    mov al, 0c1h                ;index to CCR1
    out 22h, al                 ;select CCR1 register
    in  al, 23h                 ;read current CCR1 value (SMI and SMAC set)
    mov ah, al                  ;save it
    mov al, 0c1h                ;index to CCR1
    out 22h, al                 ;select CCR1 register
    mov al, ah
    and al, NOT SMAC            ;disable SMAC, enable SMI#
    out 23h, al                 ;write new value to CCR1

3.2 SMM Handler Entry State

Before entering an SMM routine, certain portions of the CPU state are saved at the top of SMM memory. To optimize the speed of SMM entry and exit, the CPU saves the minimum CPU state information necessary for an SMI interrupt handler to execute and return to the interrupted context. The information is saved to the SMM header at the top of the defined SMM region (starting at SMM base + size - 30h) as shown in Figure 3-1.

Only the CS, EIP, EFLAGS, CR0, and DR7 are saved upon entry to SMM. Data accesses must use a CS segment override to save other registers and access data in SMM memory. To use any other segment register, the SMM programmer must first save the contents using the SVDC instruction for segment registers or MOV operations for general purpose registers (See Cyrix SMM instruction description Section 2.3). It is possible to save all the CPU registers as needed. See Section 3.3 for an example of saving and restoring the entire CPU state.

Figure 3-1. SMM Memory Space Header

Each entry is one dword (bits 31-0). Offsets are relative to the top of SMM address space and mark the low address of the entry.

Offset   Contents
-4h      DR7
-8h      EFLAGS
-Ch      CR0
-10h     Current IP
-14h     Next IP
-18h     Reserved (bits 31-16), CS Selector (bits 15-0)
-1Ch     CS Descriptor (Bits 63-32)
-20h     CS Descriptor (Bits 31-0)
-24h     Reserved; CPL (bits 22-21); Reserved; flag bits H, S, P, I (figure bit scale: 4 3 2 1 0)
-28h     I/O Data Size, I/O Address
-2Ch     I/O Write Data
-30h     ESI or EDI

Upon execution of an RSM instruction, control is returned to NEXT_IP. The value of NEXT_IP may need to be modified for restarting I/O instructions. This modification is a simple move of the CURRENT_IP value to the NEXT_IP location. Execution is then returned to the I/O instruction, rather than to the instruction after the I/O instruction.

This CURRENT_IP value is valid only if the instruction executing when the SMI occurred was an I/O instruction. Table 3-1 lists the SMM header information needed to restart an I/O instruction. The restarting of I/O instructions may also require modifications to the ESI, ECX and EDI depending on the instruction (see Section 3.6 for an example.)

Table 3-1. I/O Trap Information

H (1 bit): HALT Indicator.
    If = 1: The CPU was in a halt or shut down prior to serving the SMM interrupt.
    If = 0: The CPU was not in a halt or shut down prior to serving the SMM interrupt.

S (1 bit): Software SMM Entry Indicator.
    S=1, if current SMM is the result of an SMINT instruction.
    S=0, if current SMM is not the result of an SMINT instruction.

P (1 bit): REP INSx/OUTSx Indicator.
    If = 1: Current instruction does not have a REP prefix.
    If = 0: Current instruction has a REP prefix.

I (1 bit): IN, INSx, OUT, or OUTSx Indicator.
    If = 1: Current instruction performed an I/O WRITE.
    If = 0: Current instruction performed an I/O READ.

I/O Data Size (2 bytes): Indicates size of data for the trapped I/O.
    01h = byte
    03h = word
    0fh = dword

I/O Address (2 bytes): Address of the trapped I/O.

I/O Write Data (4 bytes): Data written during I/O trapped write.

ESI or EDI (4 bytes): Value of appropriate index register before the trapped I/O instruction.

The EFLAGS, CR0 and DR7 registers are set to their reset values upon entry to the SMI handler. Resetting these registers has implications for setting breakpoints using the debug registers. Breakpoints in SMM address space cannot be set prior to the SMI interrupt using debug registers. A debugger will only be able to set a code breakpoint using INT 3 outside of the SMM handler. See Section 3.11 for restrictions on debugging SMM code. Once the SMI has occurred and the debugger has control in SMM space, the debug registers can be used for the remainder of the SMI handler execution.

If the S bit in the SMM header is set, the SMM entry resulted from an SMINT instruction.

Upon SMM entry, I/O trap information is stored in the SMM memory space header. This information allows restarting of I/O instructions, as well as the easy emulation of I/O functions by the SMM handler. This data is valid only if the instruction executing when the SMI occurred was an I/O instruction. On DX2/DX4 devices, only I/O writes generate valid I/O fields to allow I/O restart. On 5x86 and 6x86 devices, both I/O read and I/O write traps result in valid I/O fields and current P and I field values.

If the H bit in the SMM header is set, a HLT instruction was being executed when the SMI occurred. To resume execution of the HLT instruction, the NEXT_IP field in the SMM header should be decremented by one before executing the RSM instruction. The DX2/DX4 processors do not support the H bit. Refer to Appendix B for instructions on handling resume to halt operations on a DX2 or DX4.


The values found in the I/O trap information fields are specified below for all cases.

Table 3-2. Valid I/O Trap Cases

Valid Cases              P   I   I/O Write   I/O Write     I/O Write   ESI or
                                 Data Size   Address       Data        EDI

Not an I/O instruction   x   x   x           x             x           x
IN al                    0   0   01h         I/O Address   xxxxxxxx    EDI
IN ax                    0   0   03h         I/O Address   xxxxxxxx    EDI
IN eax                   0   0   0Fh         I/O Address   xxxxxxxx    EDI
INSB                     0   0   01h         I/O Address   xxxxxxxx    EDI
INSW                     0   0   03h         I/O Address   xxxxxxxx    EDI
INSD                     0   0   0Fh         I/O Address   xxxxxxxx    EDI
REP INSB                 1   0   01h         I/O Address   xxxxxxxx    EDI
REP INSW                 1   0   03h         I/O Address   xxxxxxxx    EDI
REP INSD                 1   0   0Fh         I/O Address   xxxxxxxx    EDI
OUT al                   0   1   01h         I/O Address   xxxxxxdd    ESI
OUT ax                   0   1   03h         I/O Address   xxxxdddd    ESI
OUT eax                  0   1   0Fh         I/O Address   dddddddd    ESI
OUTSB                    0   1   01h         I/O Address   xxxxxxdd    ESI
OUTSW                    0   1   03h         I/O Address   xxxxdddd    ESI
OUTSD                    0   1   0Fh         I/O Address   dddddddd    ESI
REP OUTSB                1   1   01h         I/O Address   xxxxxxdd    ESI
REP OUTSW                1   1   03h         I/O Address   xxxxdddd    ESI
REP OUTSD                1   1   0Fh         I/O Address   dddddddd    ESI

Note: x = invalid
Note: For DX2/DX4 devices, the I/O Data Size, I/O Address and I/O Data fields are not valid for IN instructions. The P, I and ESI or EDI fields are valid to allow I/O restart.


Upon SMM entry, the CPU enters the state described in Table 3-1.

Table 3-1. SMM Entry State

Register   Register Content             Comments

CS         SMM base specified by SMAR   CS limit is set to 4 GBytes
                                        (64 KBytes for a DX2/DX4 devices).
EIP        0000 0000h                   Begins execution at the base of
                                        SMM memory
EFLAGS     0000 0002h                   Reset State
CR0        0000 0010h                   DX2/DX4 only: EM is not modified.
           6000 0010h                   Other than DX2/DX4: NW will not be
                                        modified if LOCK_NW is set.
DR7        0000 0400h                   Traps disabled


3.3 Maintaining the CPU State

The following registers are not automatically saved on SMM entry or restored on SMM exit.

General Purpose Registers:    EAX, EBX, ECX, EDX
Pointer and Index Registers:  EBP, ESI, EDI, ESP
Selector/Segment Registers:   DS, ES, SS, FS, GS
Descriptor Table Registers:   GDTR, IDTR, LDTR, TR
Control Registers:            CR2, CR3
Debug Registers:              DR0, DR1, DR2, DR3, DR6
Configuration Registers:      all valid configuration registers
FPU Registers:                Entire FPU state.

If the SMM routine will use any of these registers, their contents must be saved after entry into the SMM routine and then restored prior to exit from SMM. Additionally, if power is to be removed from the CPU and the system is required to return to the same system state after power is reapplied, then the entire CPU state must be saved to a non-volatile memory subsystem such as a hard disk.

3.3.1 Maintaining Common CPU Registers

The following is an example of the instructions needed to save the entire CPU state and restore it. This code sequence will work from real mode if the conditions needed to execute Cyrix SMM instructions are met (see Section 2.3). Configuration registers would also need to be saved if power is to be removed.
; Save and Restore the common CPU registers.
; The information automatically saved in the
; header on entry to SMM is not saved again.
include SMIMAC.INC
.386P                               ;required for SMIMAC.INC macro
        mov     cs:save_eax,eax
        mov     cs:save_ebx,ebx
        mov     cs:save_ecx,ecx
        mov     cs:save_edx,edx
        mov     cs:save_esi,esi
        mov     cs:save_edi,edi
        mov     cs:save_ebp,ebp
        mov     cs:save_esp,esp
        svdc    cs:,save_ds,ds
        svdc    cs:,save_es,es
        svdc    cs:,save_fs,fs
        svdc    cs:,save_gs,gs
        svdc    cs:,save_ss,ss
        svldt   cs:,save_ldt        ;sldt is not valid in real mode
        svts    cs:,save_tsr        ;str is not valid in real mode
        db      66h                 ;32bit version saves everything
        sgdt    fword ptr cs:[save_gdt]
        db      66h                 ;32bit version saves everything
        sidt    fword ptr cs:[save_idt]

; at the end of the SMM routine the following code
; sequence will reload the entire CPU state
        mov     eax,cs:save_eax
        mov     ebx,cs:save_ebx
        mov     ecx,cs:save_ecx
        mov     edx,cs:save_edx
        mov     esi,cs:save_esi
        mov     edi,cs:save_edi
        mov     ebp,cs:save_ebp
        mov     esp,cs:save_esp
        rsdc    ds,cs:,save_ds
        rsdc    es,cs:,save_es
        rsdc    fs,cs:,save_fs
        rsdc    gs,cs:,save_gs
        rsdc    ss,cs:,save_ss
        rsldt   cs:,save_ldt
        rsts    cs:,save_tsr
        db      66h
        lgdt    fword ptr cs:[save_gdt]
        db      66h
        lidt    fword ptr cs:[save_idt]

; the data space to save the CPU state is in
; the Code Segment for this example
save_ds         dt      ?
save_es         dt      ?
save_fs         dt      ?
save_gs         dt      ?
save_ss         dt      ?
save_ldt        dt      ?
save_tsr        dt      ?
save_eax        dd      ?
save_ebx        dd      ?
save_ecx        dd      ?
save_edx        dd      ?
save_esi        dd      ?
save_edi        dd      ?
save_ebp        dd      ?
save_esp        dd      ?
save_gdt        df      ?
save_idt        df      ?


3.3.2 Maintaining Control Registers

CR0 is maintained in the SMM header. CR2 and CR3 should be saved if the SMM routine will be entering protected mode and enabling paging. Most SMM routines will not need to enable paging. However, if the CPU will be powered off, these registers should be saved.

3.3.3 Maintaining Debug Registers

DR7 is maintained in the SMM Header. Since DR7 is automatically initialized to the reset state on entry to SMM, the Global Disable bit (DR7 bit 13) will be cleared. This allows the SMM routine to access all of the Debug Registers. Returning from the SMM handler will reload DR7 with its previous value. In most cases, SMM routines will not make use of the Debug Registers and they will need to be saved only if the CPU needs to be powered down.

3.3.4 Maintaining Configuration Control Registers

The SMM routine should be written so that it maintains the Configuration Control Registers in the same state as they were initialized by the BIOS at power-up.

3.3.5 Maintaining FPU State

If power will be removed from the CPU or if the SMM routine will execute FPU instructions, then the FPU state should be maintained for the application running before SMM was entered. If the FPU state is to be saved and restored from within SMM, there are certain guidelines that must be followed to make SMM completely transparent to the application program.

The complete state of the FPU can be saved and restored with the FNSAVE and FNRSTOR instructions. FNSAVE is used instead of FSAVE because FSAVE will wait for the FPU to check for existing error conditions before storing the FPU state. If there is an unmasked FPU exception condition pending, the FSAVE instruction will wait until the exception condition is serviced. To maintain transparency for the application program, the SMM routine should not service this exception. If the FPU state is restored with the FNRSTOR instruction before returning to normal mode, the application program can correctly service the exception. Any FPU instructions can be executed within SMM once the FPU state has been saved.

The information saved with the FSAVE instruction varies depending on the operating mode of the CPU. To save and restore all FPU information, the 32-bit protected mode version of the FPU save and restore instruction should be used. This can be accomplished by using the following code example:

; Save the FPU state
        mov     eax,CR0
        or      eax,00000001h
        mov     CR0,eax             ;set the PE bit in CR0
        jmp     $+2                 ;clear the prefetch queue
        db      66h                 ;do 32bit version of fnsave
        fnsave  [save_fpu]          ;saves fpu state to
                                    ;the address DS:[save_fpu]
        mov     eax,CR0
        and     eax,0FFFFFFFEh      ;clear PE bit in CR0
        mov     CR0,eax             ;return to real mode

;now the SMM routine can do any FPU instruction.

;Restore the FPU state before executing a RSM
        FNINIT                      ;initialize the FPU to a valid state
        mov     eax,CR0
        or      eax,00000001h
        mov     CR0,eax             ;set the PE bit in CR0
        jmp     $+2                 ;clear the prefetch queue
        db      66h                 ;do 32bit version of frstor
        frstor  [save_fpu]          ;restore the FPU state
                                    ;Some assemblers may require
                                    ;use of the fnrstor instruction
        mov     eax,CR0
        and     eax,0FFFFFFFEh      ;clear PE bit in CR0
        mov     CR0,eax             ;return to real mode

Be sure that all interrupts are disabled before using this method for entering protected mode. Any attempt to load a selector register while in protected mode will shut down the CPU since no GDT is set up. Setting up a GDT and doing a long jump to enter protected mode will also work correctly.

3.4 Initializing the SMM Environment

After entering SMM and saving the CPU registers that will be used by the SMM routine, a few registers need to be initialized. Segment registers need to be initialized if the CPU was operating in protected mode when the SMI interrupt occurred. Segment registers that will be used by the SMM routine should be loaded with known limits before they are used. The protected mode application could have set a segment limit to less than 64K. To avoid a protection error, all segment registers can be given limits of 4 GBytes. This can be done with the Cyrix RSDC instruction and will allow access to the full 4 GBytes of possible system memory without entering protected mode. Once the limits of a segment register are set, the base can be changed by use of the MOV instruction.

If necessary, an Interrupt Descriptor Table (IDT) should be set up in SMM memory before any interrupts or exceptions occur. The Descriptor Table Register can be loaded with an LIDT instruction to point to a small IDT in SMM memory that can handle the possible interrupts and exceptions that might occur while in the SMM routine.


A stack should always be set up in SMM memory so that stack operations done within SMM do not affect the system memory.
; SMM environment initialization example
include SMIMAC.INC                  ; see Appendix A
        rsdc    ds,cs:,seg4G        ;DS is a 4GByte segment, base=0
        rsdc    es,cs:,seg4G        ;ES is a 4GByte segment, base=0
        rsdc    fs,cs:,seg4G        ;FS is a 4GByte segment, base=0
        rsdc    gs,cs:,seg4G        ;GS is a 4GByte segment, base=0
        rsdc    ss,cs:,seg4G        ;SS is a 4GByte segment, base=0
        lidt    cs:smm_idt          ;load IDT base and limit for
                                    ;SMM's IDT
        mov     esp, smm_stack
        jmp     continue_smm_code
;
;descriptor of 4GByte data segment for use by rsdc
seg4G   dw      0ffffh              ; limit 4G
        dw      0                   ; base = 0
        db      0                   ; base = 0
        db      10010011B           ; data segment, DPL=0,P=1
        db      8fh                 ; limit = 4G,
        db      0h                  ; base = 0
        dw      0                   ; segment register = 0
smm_idt dw      smm_idt_limit
        dd      smm_idt_base

3.5 Accessing Main Memory Overlapped by SMM Memory

In SMM mode, there are instances where the program needs access to the system memory that overlaps SMM memory. The need to access this area of system memory most commonly occurs when the SMM routine is trying to save the entire memory image to disk before powering down the system. If using Cyrix SMM mode, access is made to main memory that overlaps SMM space by setting the MMAC bit in CCR1. The following code will enable and then disable MMAC.
; Set MMAC to access main memory
; this code is only valid for Cyrix SMM mode operations
MMAC = 1 shl 3
        mov     al, 0c1h            ;select CCR1
        out     22h, al
        in      al, 23h             ;get CCR1 current value
        mov     ah, al              ;save it
        mov     al, 0c1h            ;select CCR1 again
        out     22h, al
        mov     al, ah
        or      al, MMAC            ;set MMAC
        out     23h, al             ;write new value to CCR1
;Now all data memory access will use ADS#, Code fetches
;will continue to be done with SMADS# from SMM memory.
;
;Disable MMAC
        mov     al, 0c1h            ;select CCR1
        out     22h, al
        mov     al, ah              ;get old value of CCR1
        out     23h, al             ;and restore it

3.6 I/O Restart

Often when implementing a power management design, peripherals are required to be powered down by the system when not in use. When an I/O instruction is issued to a powered down device, the SMM routine is called to power up the peripheral and then reissue the I/O instruction. Cyrix CPUs make it easy to restart the I/O instruction that has generated an SMI interrupt. The system will generate an SMI interrupt when an I/O bus cycle to a powered-down peripheral is detected. The SMM routine should interrogate the system hardware to find out if the SMI was caused by an I/O trap. By checking the SMM header information, the SMM routine can determine the type of I/O instruction that was trapped. If the I/O instruction has a REP prefix, the ECX register needs to be incremented before restarting the instruction. If the I/O trap was on a string I/O instruction, the ESI or EDI registers must be restored to their previous value before restarting the instruction. The following code example shows how easy I/O restart is with the Cyrix CPU.
include SMIMAC.INC                  ;see Appendix A
;Restart the interrupted instruction
        mov     eax,dword ptr cs:[SMI_CURRENTIP]
        mov     dword ptr cs:[SMI_NEXTIP],eax
        mov     al,byte ptr cs:[SMI_BITS]
;test for REP instruction
        bt      ax,2                ;rep instruction?
                                    ;(result to Carry)
        adc     ecx,0               ;if so, increment ecx
        test    al,1 shl 1          ;test bit 1 to see
                                    ;if an OUTS or INS
        jnz     out_instr
; A port read (INS or IN) instruction caused the
; chipset to generate an SMI instruction.
; Restore EDI from SMM header.
        mov     edi, dword ptr cs:[SMI_ESIEDI]
        jmp     common1
; A port write (OUTS or OUT) instruction caused the
; chipset to generate an SMI instruction.
; Restore ESI from SMM header.
out_instr:
        mov     esi, dword ptr cs:[SMI_ESIEDI]
common1:

3.7 I/O Port Shadowing and Emulation

Some system peripherals contain write-only ports. In a system that does power management, these peripherals need to be powered off and then reinitialized when their functions are needed later. The Cyrix SMM implementation makes it very easy to monitor the last value written to specific I/O ports. This process is known as shadowing. If the system can generate an SMI whenever specific I/O addresses get accessed, the SMM routine can, transparently to the system, monitor the port activity. The SMM header contains the address of the I/O write as well as the data. In addition, information is saved which indicates whether it is a byte, word or dword write. With this information, shadowing system write-only ports becomes trivial.

Some peripheral components contain registers that must be programmed in a specific order. If an SMI interrupt occurs while an application is accessing this type of peripheral, the SMI routine must be sure to reload the peripheral registers to the same stage before returning to normal mode. If the SMM routine needs to access such a peripheral, the previous normal-mode state must be restored. The previous accesses that were shadowed by previous SMM calls can be used to reload the peripheral registers back to the stage where the application was interrupted. The application can then continue where it left off accessing the peripheral. In a similar way, the Cyrix SMM implementation allows the SMM routine to emulate the function of peripheral components in software.
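A shadow table of the kind described above, as an added example in C (not code from the Cyrix guide). It takes the I/O Address, I/O Data Size and I/O Write Data values of each trapped write, keeps the last byte per port plus an ordered log for registers that must be reprogrammed in sequence, and replays them; the port window, log depth, all names and the sample trace are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define SHADOW_BASE  0x3C0u  /* assumed: first port of the watched window */
#define SHADOW_PORTS 0x20u   /* assumed: number of ports in the window */
#define LOG_MAX      16u     /* assumed: depth of the ordered-write log */

struct io_write { uint16_t port; uint8_t width; uint32_t data; };

struct shadow {
    uint8_t value[SHADOW_PORTS];    /* last byte written to each port */
    uint8_t seen[SHADOW_PORTS];     /* 1 once a port has been written */
    struct io_write log[LOG_MAX];   /* trapped writes in arrival order */
    unsigned log_len, dropped;      /* dropped: writes that missed the log */
};

/* Port-write routine used for replay; `ctx` is caller data. */
typedef void (*out_fn)(uint16_t port, unsigned width, uint32_t data, void *ctx);

/* Record one trapped write from the header's I/O Address, I/O Data Size
   and I/O Write Data fields. Returns the number of window ports updated,
   or -1 when the size code is not 01h, 03h or 0Fh. */
int shadow_record(struct shadow *s, uint16_t port, uint16_t size_code,
                  uint32_t data) {
    unsigned width = size_code == 0x01 ? 1 : size_code == 0x03 ? 2
                   : size_code == 0x0F ? 4 : 0;
    unsigned i;
    int updated = 0;

    if (width == 0)
        return -1;
    if (width < 4)
        data &= (1u << (8 * width)) - 1u;    /* upper bytes are invalid */
    for (i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;     /* no 16-bit wraparound */
        if (p < SHADOW_BASE || p >= SHADOW_BASE + SHADOW_PORTS)
            continue;                        /* byte lies outside window */
        s->value[p - SHADOW_BASE] = (uint8_t)(data >> (8 * i));
        s->seen[p - SHADOW_BASE] = 1;
        updated++;
    }
    if (updated == 0)
        return 0;
    if (s->log_len < LOG_MAX) {
        struct io_write w = { port, (uint8_t)width, data };
        s->log[s->log_len++] = w;
    } else {
        s->dropped++;                        /* order is no longer known */
    }
    return updated;
}

/* Reload the peripheral after power-up. With a complete log the writes are
   repeated in their original order (registers that must be programmed in
   sequence); otherwise the last value of each seen port is written as a
   byte. Returns the number of writes issued. */
unsigned shadow_replay(const struct shadow *s, out_fn out, void *ctx) {
    unsigned i, n = 0;

    if (s->dropped == 0) {
        for (i = 0; i < s->log_len; i++, n++)
            out(s->log[i].port, s->log[i].width, s->log[i].data, ctx);
        return n;
    }
    for (i = 0; i < SHADOW_PORTS; i++) {
        if (!s->seen[i])
            continue;
        out((uint16_t)(SHADOW_BASE + i), 1, s->value[i], ctx);
        n++;
    }
    return n;
}

/* Stand-in for the real OUT routine: remembers what was replayed. */
struct replayed { struct io_write w[LOG_MAX + SHADOW_PORTS]; unsigned n; };

static void collect(uint16_t port, unsigned width, uint32_t data, void *ctx) {
    struct replayed *r = ctx;
    struct io_write w = { port, (uint8_t)width, data };
    r->w[r->n++] = w;
}

int main(void) {
    /* Constructed trace: index/data byte writes, then one word write. */
    static struct shadow s;
    static struct replayed r;
    shadow_record(&s, 0x3C4, 0x01, 0xFFFFFF02u);
    shadow_record(&s, 0x3C5, 0x01, 0x0F);
    shadow_record(&s, 0x3C4, 0x03, 0x0304);
    printf("replayed %u writes in order\n", shadow_replay(&s, collect, &r));
    return 0;
}
```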

3.8 Resume to HLT Instruction

To make an SMI interrupt truly transparent to the system, an SMI interrupt from a HLT instruction should return to the HLT instruction. There are known cases with DOS software where returning from an SMI handler to the instruction following the HLT will cause a system error. To determine if a HLT instruction was interrupted by the SMI, the H bit in the SMM header must be interrogated. If the H bit is set, the SMI interrupted a HLT instruction. To restart the HLT instruction, simply decrement the NEXT_IP field in the SMM header. The H bit is not available on a Cx486DX2/DX4. See Appendix B for an explanation of how to resume to a HLT instruction on a Cx486DX2/DX4.

;This is the start of specific code to check if the SMI
;occurred while in a HLT instruction. If it did, then
;resume back to the HLT instruction when SMI is finished.
include SMIMAC.INC                          ;see Appendix A
        mov     ax,cs:word ptr[SMI_BITS]    ;get H bit
        test    ax,0010h                    ;check if H=1
        je      not_hlt                     ;was not a HLT
        dec     cs:dword ptr[SMI_NEXTIP]    ;decrement NEXT_IP
not_hlt:
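The header handling of Sections 3.2, 3.6 and 3.8 collected into one routine, as an added example in C (not code from the Cyrix guide). It works on a byte image of the 30h-byte header laid out as SMI_SAVE in Appendix A, treats P = 1 as "REP prefix present" as Table 3-2 and the Section 3.6 listing do, and adds a size-code validity check; the function and type names, the `chipset_says_io_trap` input and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Offsets inside the 30h-byte header at SMM base + size - 30h, in the
   order of the SMI_SAVE structure (Appendix A). */
enum { OFF_ESIEDI = 0x00, OFF_IOWDATA = 0x04, OFF_IOWADDR = 0x08,
       OFF_IOWSIZE = 0x0A, OFF_BITS = 0x0C, OFF_NEXTIP = 0x1C,
       OFF_CURRENTIP = 0x20, SMM_HEADER_SIZE = 0x30 };

/* Flag bits in SMI_BITS, as tested by the listings in 3.6 and 3.8. */
enum { BIT_I = 1 << 1, BIT_P = 1 << 2, BIT_H = 1 << 4 };

enum resume_kind { RESUME_NEXT, RESUME_HLT, RESTART_IO, HEADER_INVALID };

/* Registers the handler saved itself; they are not part of the header. */
struct saved_regs { uint32_t ecx, esi, edi; };

/* Decoded view of the I/O trap fields. */
struct io_trap { int is_write, has_rep, width; uint16_t port; uint32_t data; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode the trap fields. Returns 0, or -1 when the size code is not
   01h, 03h or 0Fh, in which case the fields do not describe an I/O. */
int decode_io_trap(const uint8_t *hdr, struct io_trap *t) {
    uint32_t bits = rd32(hdr + OFF_BITS);
    switch (rd16(hdr + OFF_IOWSIZE)) {
    case 0x01: t->width = 1; break;
    case 0x03: t->width = 2; break;
    case 0x0F: t->width = 4; break;
    default:   return -1;
    }
    t->is_write = (bits & BIT_I) != 0;
    t->has_rep  = (bits & BIT_P) != 0;
    t->port     = rd16(hdr + OFF_IOWADDR);
    t->data     = 0;
    if (t->is_write)     /* only the low `width` bytes are meaningful */
        t->data = rd32(hdr + OFF_IOWDATA) &
                  (0xFFFFFFFFu >> (8 * (4 - t->width)));
    return 0;
}

/* Apply the fix-ups that make RSM return to the interrupted HLT or I/O
   instruction. `chipset_says_io_trap` stands for the handler's own check
   of the system hardware; the header alone cannot tell. */
enum resume_kind plan_resume(uint8_t *hdr, struct saved_regs *r,
                             int chipset_says_io_trap) {
    uint32_t bits = rd32(hdr + OFF_BITS);
    struct io_trap t;

    if (bits & BIT_H) {                          /* 3.8: resume to HLT */
        wr32(hdr + OFF_NEXTIP, rd32(hdr + OFF_NEXTIP) - 1);
        return RESUME_HLT;
    }
    if (!chipset_says_io_trap)
        return RESUME_NEXT;                      /* I/O fields not valid */
    if (decode_io_trap(hdr, &t) != 0)
        return HEADER_INVALID;                   /* header left untouched */

    wr32(hdr + OFF_NEXTIP, rd32(hdr + OFF_CURRENTIP));   /* 3.6 */
    if (t.has_rep)
        r->ecx += 1;                             /* REP: increment ECX */
    if (t.is_write)
        r->esi = rd32(hdr + OFF_ESIEDI);         /* OUT / OUTSx */
    else
        r->edi = rd32(hdr + OFF_ESIEDI);         /* IN / INSx */
    return RESTART_IO;
}

int main(void) {
    /* Constructed sample: REP OUTSW to port 01F0h trapped at IP 0100h. */
    uint8_t hdr[SMM_HEADER_SIZE] = {0};
    struct saved_regs r = { 4, 0x2002, 0x9000 };
    enum resume_kind kind;
    wr32(hdr + OFF_BITS, BIT_P | BIT_I);
    hdr[OFF_IOWSIZE] = 0x03; hdr[OFF_IOWADDR] = 0xF0; hdr[OFF_IOWADDR + 1] = 0x01;
    wr32(hdr + OFF_ESIEDI, 0x2000);
    wr32(hdr + OFF_CURRENTIP, 0x0100);
    wr32(hdr + OFF_NEXTIP, 0x0102);
    kind = plan_resume(hdr, &r, 1);
    printf("kind=%d next_ip=%04X ecx=%u esi=%04X\n", (int)kind,
           (unsigned)rd32(hdr + OFF_NEXTIP), (unsigned)r.ecx, (unsigned)r.esi);
    return 0;
}
```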


3.9 Exiting the SMI Handler

When the RSM instruction is executed at the end of the SMI handler, the EIP is loaded from the SMM header at the address (SMMbase + SMMsize - 14h) called NEXT_IP. This permits the instruction to be restarted if NEXT_IP was modified by the SMM program. The values of ECX, ESI, and EDI, prior to the execution of the instruction that was interrupted by SMI, can be restored from information in the header which pertains to the INx and OUTx instructions. See Section 3.6 for an example program to restart an I/O instruction. The only registers that are restored from the SMM header are CS, NEXT_IP, EFLAGS, CR0, and DR7. All other registers which were modified by the SMM program need to be restored before executing the RSM instruction.

3.10 Testing and Debugging SMM Code

An SMI routine can be debugged with standard debugging tools, such as DOS DEBUG, if the following requirements are met:

1. The debugger will only be able to set a code break point using INT 3 outside of the SMI handler. The debug control register DR7 is set to the reset value upon entry to the SMI handler. Therefore, any break conditions in DR0-3 will be disabled after entry to SMM. Debug registers can be used if they are set after entry to the SMI handler and if debug registers DR0-3 are saved.

2. The debugger must be running in real mode and the SMM routine must not enter protected mode. This ensures that normal system interrupts, BIOS calls and the debugger will work correctly from SMM mode.

3. Before an INT 3 break point is executed, all segment registers should have their limits modified to 64K, or larger, within the SMM routine.


Appendix A. ASSEMBLER MACROS FOR CYRIX INSTRUCTIONS

The include file SMIMAC.INC provides a complex set of macros which generate SMM opcodes along with the appropriate mod/rm bytes. In order to function, the macros require that the labels which are accessed correspond to the specified segment. Thus segment overrides must be passed to the macro as an argument. Do not specify a segment override if the default segment for an address is being used. If an address size override is used, a final argument of `1' must be passed to the macro as well. Address size overrides must be presented explicitly to prevent the assembler from generating them automatically and breaking the macros.

;SMM Instruction Macros - SMIMAC.INC
;Macros which generate mod/rm automatically
svdc    MACRO   segover,addr,reg,adover
        domac   segover,addr,reg,adover,78h
        ENDM
rsdc    MACRO   reg,segover,addr,adover
        domac   segover,addr,reg,adover,79h
        ENDM
svldt   MACRO   segover,addr,adover
        domac   segover,addr,es,adover,7ah
        ENDM
rsldt   MACRO   segover,addr,adover
        domac   segover,addr,es,adover,7bh
        ENDM
svts    MACRO   segover,addr,adover
        domac   segover,addr,es,adover,7ch
        ENDM
rsts    MACRO   segover,addr,adover
        domac   segover,addr,es,adover,7dh
        ENDM
rsm     MACRO
        db      0fh,0aah
        ENDM
smint   MACRO
        db      0fh,7eh
        ENDM

;Sub-Macro used by the above macro
domac   MACRO   segover,addr,reg,adover,op
        local   place1,place2,count
        count = 0
        ifnb <segover>
        count=count+1
        endif
        ifnb <adover>
        count=count+1
        endif
        if (count eq 0)
        nop                         ;expanding the opcode one byte
        endif
        place1 = $
;pull off the proper prefix byte count
        mov     word ptr segover addr,reg
        org     place1+count
        mov     word ptr segover addr,reg
        place2 = $
;patch the opcode
        org     place1+(count*2)-1
        db      0Fh,op
        org     place2
        ENDM

;Offset Definition for access into SMM space
SMI_SAVE        STRUC
$ESIEDI         DD      ?
$IOWDATA        DD      ?
$IOWADDR        DW      ?
$IOWSIZE        DW      ?
$BITS           DD      ?
$CSSELL         DD      ?
$CSSELH         DD      ?
$CS             DW      ?
$RES1           DW      ?
$NEXTIP         DD      ?
$CURRENTIP      DD      ?
$CR0            DD      ?
$EFLAGS         DD      ?
$DR7            DD      ?
SMI_SAVE        ENDS

SMI_ESIEDI      EQU     ($ESIEDI    + SMMSIZE - SIZE SMI_SAVE)
SMI_IOWDATA     EQU     ($IOWDATA   + SMMSIZE - SIZE SMI_SAVE)
SMI_IOWADDR     EQU     ($IOWADDR   + SMMSIZE - SIZE SMI_SAVE)
SMI_IOWSIZE     EQU     ($IOWSIZE   + SMMSIZE - SIZE SMI_SAVE)
SMI_BITS        EQU     ($BITS      + SMMSIZE - SIZE SMI_SAVE)
SMI_CSSELL      EQU     ($CSSELL    + SMMSIZE - SIZE SMI_SAVE)
SMI_CSSELH      EQU     ($CSSELH    + SMMSIZE - SIZE SMI_SAVE)
SMI_CS          EQU     ($CS        + SMMSIZE - SIZE SMI_SAVE)
SMI_RES1        EQU     ($RES1      + SMMSIZE - SIZE SMI_SAVE)
SMI_NEXTIP      EQU     ($NEXTIP    + SMMSIZE - SIZE SMI_SAVE)
SMI_CURRENTIP   EQU     ($CURRENTIP + SMMSIZE - SIZE SMI_SAVE)
SMI_CR0         EQU     ($CR0       + SMMSIZE - SIZE SMI_SAVE)
SMI_EFLAGS      EQU     ($EFLAGS    + SMMSIZE - SIZE SMI_SAVE)
SMI_DR7         EQU     ($DR7       + SMMSIZE - SIZE SMI_SAVE)

SMM Instruction macro example: TEST.ASM

                                        .MODEL SMALL
                                        .386
                                        ;SMM Macro Examples
                                        include smimac.inc
0000                                    .DATA
0000  0A*(??)                           there   db      10 dup (?)
000A                                    .CODE
0000  2E 0F 78 1E 004E                  svdc    cs:,hello,ds
0006  2E 0F 79 1E 004E                  rsdc    ds,cs:,hello
000C  2E 0F 79 2E 004E                  rsdc    gs,cs:,hello
0012  2E 67 2E 0F 78 9C 58 0000004E     svdc    cs:,[eax+ebx*2+hello],ds,1
001D  67| 0F 78 23                      svdc    ,[ebx],fs,1
0021  0F 78 2E 0000                     svdc    ,there,gs
0026  2E 0F 7A 06 004E                  svldt   cs:,hello
002C  2E 0F 7B 06 004E                  rsldt   cs:,hello
0032  2E 0F 7D 06 004E                  rsts    cs:,hello
0038  2E 67 2E 0F 7C 84 58 0000004E     svts    cs:,[eax+ebx*2+hello],1
0043  67| 0F 7A 03                      svldt   ,[ebx],1
0047  0F 7C 06 0000                     svts    ,there
004C  0F AA                             rsm
004E  0A*(??)                           hello   db      10 dup (?)
                                        end


Appendix B. DX2/DX4 Resume to Halt

The Cx486DX2/DX4 does not support the H bit in the SMM header. To make an SMI interrupt truly transparent to the system, an SMI interrupt from a HLT instruction should return to the HLT instruction. There are known cases with DOS software where returning from an SMI handler to the instruction following the HLT will cause a system error. To determine if a HLT instruction was interrupted by the SMI, the opcode from memory needs to be interrogated. This code example describes how to determine if the current instruction is a HLT and how to restart it.

;This is the start of specific code to check if the SMI
;occurred while in a HLT instruction. If it did, then
;return back to the HLT instruction when SMI is finished.
        rsdc    fs,cs:,[seg4G]      ;FS is base=0 limit=4G data
                                    ;segment to be used to check if
                                    ;HLT instruction was executing

;on a Cyrix part, if the SMI occurred while in a HLT
;instruction, the CURRENT IP and the NEXT IP will both
;point to the instruction following the HLT.
        mov     eax,cs:dword ptr[SMI_CURRENTIP]
        cmp     eax,cs:dword ptr[SMI_NEXTIP]
        jne     not_hlt             ;can't be a HLT but could be
                                    ;a LOOP or REP
;load EAX with CS base from the SMM header
        mov     ax,cs:word ptr [SMI_CSSELH+2]
        mov     al,cs:byte ptr [SMI_CSSELH]
        shl     eax,10h
        mov     ax,cs:word ptr[SMI_CSSELL+2]
;calculate linear address
        add     eax,cs:dword ptr [SMI_CURRENTIP]
        dec     eax                 ;decrement to HLT instruction
        mov     edx,eax             ;save lin addr in edx
        mov     eax,cs:dword ptr [SMI_CR0] ;check if paging on
        test    eax,80000000h
        je      no_paging           ;if no paging then linear
                                    ;address = physical address
;set MMAC to get access to Main memory
        mov     al,0c1h
        out     22h,al
        in      al,23h
        mov     cl,al               ;save old CCR1 value in cl
        mov     al,0c1h
        out     22h,al
        mov     al,cl
        or      al,08h              ;set MMAC bit in CCR1
        out     23h,al
        mov     eax,CR3             ;get Page Directory Base Reg
        and     eax,0fffff000h
        mov     ebx,edx             ;linear address
        shr     ebx,22              ;get 10 bit Directory Entry
;read Directory Table
        mov     eax,dword ptr fs:[eax+ebx*4]
        and     eax,0fffff000h
        mov     ebx,edx             ;linear address
        shr     ebx,12
        and     ebx,03ffh           ;get 10 bit Page Table Entry
        mov     eax,dword ptr fs:[eax+ebx*4]
        and     eax,0fffff000h
        mov     ebx,edx             ;linear address
        and     ebx,0fffh           ;get 12 bit offset into page
;Get the physical address of the instruction before the
;Current IP. Save in BL.
        mov     bl,byte ptr fs:[eax+ebx]
        mov     al,0c1h             ;set MMAC back to normal
        out     22h,al
        mov     al,cl
        out     23h,al              ;MMAC = 0
        jmp     got_inst
;If paging is not enabled then checking for the HLT
;instruction is easy since the linear address equals
;the physical address.
no_paging:
        mov     al,0c1h             ;set MMAC
        out     22h,al
        in      al,23h
        mov     ah,al
        mov     al,0c1h
        out     22h,al
        mov     al,ah
        or      al,08h
        out     23h,al
;get instruction interrupted by SMI
        mov     bl,byte ptr fs:[edx] ;store it in BL
        mov     al,0c1h
        out     22h,al
        mov     al,ah
        out     23h,al              ;set MMAC back to normal
got_inst:
        cmp     bl,0f4h             ;was it a HLT instruction?
        jne     not_hlt             ;if not a F4 then not a HLT
                                    ;set up SMM header to return
                                    ;to the HLT instruction
        dec     cs:dword ptr [SMI_NEXTIP]
not_hlt:
        jmp     continue_SMI_routine

; data within the SMM Space Code Segment
seg4G   dw      0ffffh              ;limit 15-0
        dw      0                   ;base
        db      0                   ;base
        db      10010011B           ;data segment, DPL=0, present
        db      8Fh                 ;high limit =f, Gran =4K, 16 bit
        db      0                   ;base
        dw      0
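The address calculation and HLT check of the listing above, as an added example in C (not code from the Cyrix guide). Physical memory is modelled as a byte array, the walk assumes 4 KByte pages as the listing does, and the Present-bit and bounds checks are additions that the listing does not perform; all names and the sample memory image are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CR0_PG      0x80000000u   /* CR0 paging enable */
#define ENTRY_P     0x00000001u   /* Present bit of a directory/table entry */
#define FRAME_MASK  0xFFFFF000u
#define OPCODE_HLT  0xF4u

/* Values the handler takes from the SMM header and from CR3. */
struct smi_ctx {
    uint32_t cs_desc_lo, cs_desc_hi;     /* SMI_CSSELL, SMI_CSSELH */
    uint32_t current_ip, next_ip, cr0, cr3;
};

/* Bounds-checked little-endian dword read from the memory image. */
static int rd32(const uint8_t *mem, size_t size, uint32_t a, uint32_t *out) {
    if (size < 4 || a > size - 4)
        return -1;
    *out = (uint32_t)mem[a] | ((uint32_t)mem[a + 1] << 8) |
           ((uint32_t)mem[a + 2] << 16) | ((uint32_t)mem[a + 3] << 24);
    return 0;
}

/* CS base from the two descriptor dwords: bits 31-24 and 23-16 come from
   the high dword, bits 15-0 from the upper half of the low dword. */
uint32_t cs_base(uint32_t lo, uint32_t hi) {
    return (hi & 0xFF000000u) | ((hi & 0xFFu) << 16) | (lo >> 16);
}

/* Two-level walk with 4 KByte pages. Returns 0 and sets *phys, or -1 when
   an entry is not present or lies outside the image. */
int linear_to_physical(const uint8_t *mem, size_t size, uint32_t cr0,
                       uint32_t cr3, uint32_t lin, uint32_t *phys) {
    uint32_t pde, pte;

    if (!(cr0 & CR0_PG)) {           /* linear address = physical address */
        *phys = lin;
        return 0;
    }
    if (rd32(mem, size, (cr3 & FRAME_MASK) + (lin >> 22) * 4, &pde) != 0 ||
        !(pde & ENTRY_P))
        return -1;
    if (rd32(mem, size, (pde & FRAME_MASK) + ((lin >> 12) & 0x3FFu) * 4,
             &pte) != 0 || !(pte & ENTRY_P))
        return -1;
    *phys = (pte & FRAME_MASK) | (lin & 0xFFFu);
    return 0;
}

/* 1: the SMI interrupted a HLT; 0: it did not; -1: cannot be determined. */
int smi_interrupted_hlt(const uint8_t *mem, size_t size,
                        const struct smi_ctx *c) {
    uint32_t lin, phys;

    if (c->current_ip != c->next_ip)
        return 0;                    /* the two differ: cannot be a HLT */
    lin = cs_base(c->cs_desc_lo, c->cs_desc_hi) + c->current_ip - 1;
    if (linear_to_physical(mem, size, c->cr0, c->cr3, lin, &phys) != 0 ||
        phys >= size)
        return -1;
    return mem[phys] == OPCODE_HLT;
}

/* Constructed 24 KByte image: page directory at 1000h, page table at
   2000h, and a HLT at physical 5234h mapped at linear 00401234h. */
static uint8_t sample_mem[0x6000];

void build_sample(void) {
    sample_mem[0x1004] = 0x01; sample_mem[0x1005] = 0x20;  /* PDE[1] = 2001h */
    sample_mem[0x2004] = 0x01; sample_mem[0x2005] = 0x50;  /* PTE[1] = 5001h */
    sample_mem[0x5234] = OPCODE_HLT;
}

int main(void) {
    /* CS base 00400000h, IP after the HLT = 1235h, paging enabled. */
    struct smi_ctx c = { 0x0000FFFFu, 0x00CF9B40u, 0x1235, 0x1235,
                         0x80000011u, 0x1000 };
    build_sample();
    printf("HLT interrupted: %d\n",
           smi_interrupted_hlt(sample_mem, sizeof sample_mem, &c));
    return 0;
}
```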


Appendix C. Differences in Cyrix Processors

Table C-1 lists the major differences between the Cx486DX2/DX4, 5x86 and 6x86 CPUs as related to System Management Mode.
Table C-1. Differences between Cyrix CPUs

SMAC (CCR1 - bit 2)
    Cx486DX2/DX4: Valid only if SMM_MODE=0.
    5x86:         Valid only if SMM_MODE=0.
    6x86:         Available

MMAC (CCR1 - bit 3)
    Cx486DX2/DX4: Valid only if SMM_MODE=0.
    5x86:         Valid only if SMM_MODE=0.
    6x86:         Not available

SM3 (CCR1 - bit 7)
    Cx486DX2/DX4: Not available, register index CDh, CEh and CFh are always defined as SMAR.
    5x86:         Not available, register index CDh, CEh and CFh are always defined as SMAR.
    6x86:         Must be set to define register index CDh, CEh and CFh as SMAR.

SMIACT (CCR3 - bit 3)
    Cx486DX2/DX4: Available on revisions with DIR1 >= 30h. Prior revisions only support Cyrix SMM Mode.
    5x86:         Available
    6x86:         Always in SL SMM mode.

SMAR SIZE field
    Cx486DX2/DX4: If = Fh, SMAR size set to 4 KBytes
    5x86:         If = Fh, SMAR size set to 4 KBytes
    6x86:         If = Fh, SMAR size set to 4 GBytes

SMI# acknowledged when:
    Cx486DX2/DX4: CPL=0 & USE_SMI=1 & (SMAR size > 0) & SMAC=0 & (in normal mode)
    5x86:         CPL=0 & USE_SMI=1 & (SMAR size > 0) & SMAC=0 & (in normal mode)
    6x86:         CPL=0 & USE_SMI=1 & (ARR3 size > 0) & SM3=1 & SMAC=0 & (in normal mode)

SMINT instruction is valid when:
    Cx486DX2/DX4: CPL=0 & USE_SMI=1 & (SMAR size > 0) & SMAC=1 & SMM_Mode=0
    5x86:         CPL=0 & USE_SMI=1 & (SMAR size > 0) & SMAC=1 & SMM_Mode=0
    6x86:         CPL=0 & USE_SMI=1 & (ARR3 size > 0) & SM3=1 & SMAC=1

Cyrix Specific SMM instructions are valid when:
    Cx486DX2/DX4: CPL=0 & USE_SMI=1 & (SMAR size > 0) & (SMAC=1 or in SMM mode)
    5x86:         CPL=0 & USE_SMI=1 & (SMAR size > 0) & (SMAC=1 or in SMM mode)
    6x86:         CPL=0 & USE_SMI=1 & (ARR3 size > 0) & SM3=1 & (SMAC=1 or in SMM mode)

H bit in SMM header
    Cx486DX2/DX4: Not available, Reserved. See Appendix B for details for resuming to a HLT instruction.
    5x86:         Valid
    6x86:         Valid

I/O trap information
    Cx486DX2/DX4: I/O Data Size, I/O Address and I/O Data only valid for I/O writes trapped by an SMI.
    5x86:         I/O Data Size, I/O Address and I/O Data valid for both I/O reads and writes trapped by an SMI.
    6x86:         I/O Data Size, I/O Address and I/O Data valid for both I/O reads and writes trapped by an SMI.

CS limit on entry to SMM
    Cx486DX2/DX4: 64 KByte limit
    5x86:         4 GByte limit
    6x86:         4 GByte limit

CR0 value on entry to SMM
    Cx486DX2/DX4: 0000 0010h except EM bit is not cleared on entry. The SMM routine should clear EM before executing any FPU instructions.
    5x86:         6000 0010h; if LOCK_NW=1 then NW is not changed
    6x86:         6000 0010h; if LOCK_NW=1 then NW is not changed
