
Does Simics use SMM?


I'd like to understand if the QSP-x86 project is simulating SMM at all. I didn't see anything in the available registers/memory from the GUI debugger that would suggest there was a way for me to see SMRAM / SMI handler code. Therefore I'm wondering if I could use it to debug some SMM code or not.

I found a page that says "The Simics Quick-Start Platform is an Intel-based platform that boots from a TianoCore-base...", so is the Simics QSP source code available somewhere? Or is it just a special build of EDK2/UDK? If so, which build and how to build it? (Because that'd make my life much easier if it was just a particular TianoCore build I could fiddle with.)


Solution

  • About the UEFI:

    If you look at https://software.intel.com/content/www/us/en/develop/articles/simics-simulator.html there is a link to https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/SimicsOpenBoardPkg

    You can also look at the Slim Boot Loader project for another QSP-compatible BIOS: https://slimbootloader.github.io/supported-hardware/qsp.html

    SMM:

    To stop when a target core enters SMM, use a hap breakpoint (no dedicated command is available at the moment), i.e., bp.hap.break

    If you use this after running the qsp-client-core.simics script you should see:

    simics> bp.hap.break X86_Enter_SMM
    Breakpoint 1: Break on hap X86_Enter_SMM
    simics> bp.list
    ┌──┬──────────────────────────┬───────┬───────┬────────────┬─────────┐
    │ID│       Description        │Enabled│Oneshot│Ignore count│Hit count│
    ├──┼──────────────────────────┼───────┼───────┼────────────┼─────────┤
    │ 1│Break on hap X86_Enter_SMM│  true │ false │           0│        0│
    └──┴──────────────────────────┴───────┴───────┴────────────┴─────────┘
    simics> r
    [board.mb.sb.lpc.bank.cs_conf unimpl] Write to unimplemented field cs_conf.oic.aen (0x31ff) (value written = 0x01, contents = 0x00), will not warn again.
    [board.mb.cpu0.core[1][0]] Breakpoint 1: board.mb.cpu0.core[1][0] X86_Enter_SMM 0
    [board.mb.cpu0.core[1][0]] Breakpoint 1: board.mb.cpu0.core[1][0] X86_Enter_SMM 1
    simics> pselect board.mb.cpu0.core[1][0]
    Setting new inspection object: board.mb.cpu0.core[1][0]
    simics> si
    [board.mb.cpu0.core[1][0]] cs:0x0000000000008000 p:0x0000038000  mov ebp,dword ptr cs:[0x8010]
    simics>
    

    Simics stops when any processor core goes into SMM. Note that you might have to select the processor where execution stops. Also note that the precise output is likely to change with the version of Simics Base and the model.
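The same hap can be hooked from a Simics Python script instead of the interactive bp.hap.break, which is handier when you want to skip the first few SMIs or stop only once the core is actually inside the handler. The script below is an added example, not part of the answer above and not code from the Simics or QSP projects. It assumes (not stated on the page) that the X86_Enter_SMM hap delivers one integer argument, phase, reported as 0 before the mode switch and 1 after it (consistent with the "X86_Enter_SMM 0" / "X86_Enter_SMM 1" lines in the transcript), that the cpu object has a name attribute and the int_register interface, and that the SMI entry point is SMBASE + 0x8000 as the transcript's cs:0x8000 / p:0x38000 suggests.

```python
# Scripted variant of the hap breakpoint shown in the answer above.
# Added example; not from the original answer or from the Simics project.
#
# Assumptions (not stated on the page):
#   - the X86_Enter_SMM hap passes one integer argument, phase, where 0 is
#     reported before the mode switch and 1 after it;
#   - the cpu object has a name attribute and an int_register interface
#     with get_number()/read();
#   - the SMI entry point is SMBASE + 0x8000, so rip == 0x8000 right after
#     the switch (matches cs:0x8000, p:0x38000 in the transcript).
#
# Usage inside Simics, after the QSP target script has been run:
#   simics> @import smm_break
#   simics> @smm_break.install(skip=1)   # let the first SMI pass, stop on the next
#   simics> r

try:
    import simics
    import cli
except ImportError:            # running outside Simics (e.g. a unit test)
    simics = None
    cli = None

SMM_ENTRY_IP = 0x8000          # SMBASE-relative offset of the SMI handler entry


def read_reg(cpu, name):
    """Read an integer register by name through the int_register interface."""
    ir = cpu.iface.int_register
    return ir.read(ir.get_number(name))


class SmmTracker:
    """Count SMM entries per core and decide when the simulation should stop."""

    def __init__(self, skip=0):
        self.skip = skip       # number of SMM entries per core to let pass
        self.entries = {}      # core name -> SMM entries seen so far

    def on_enter_smm(self, cpu, phase):
        """Return a stop message when the simulation should break, else None.

        The hap fires twice per SMI (phase 0 before the switch, phase 1
        after). Only phase 1 is acted on, so when we stop, rip already
        points at the SMI handler entry and the core can be inspected.
        """
        if phase != 1:
            return None
        n = self.entries.get(cpu.name, 0) + 1
        self.entries[cpu.name] = n
        if n <= self.skip:
            return None
        rip = read_reg(cpu, "rip")
        if rip != SMM_ENTRY_IP:
            # Still stop, but flag that the core did not land on SMBASE+0x8000.
            return "%s entered SMM #%d with unexpected rip 0x%x" % (cpu.name, n, rip)
        return "%s entered SMM #%d at SMBASE+0x%x" % (cpu.name, n, rip)


def _hap_callback(tracker, cpu, phase):
    # Hap callbacks receive (user_data, object, *hap_arguments).
    msg = tracker.on_enter_smm(cpu, phase)
    if msg is not None:
        cli.run_command("pselect %s" % cpu.name)   # select the core that stopped
        simics.SIM_break_simulation(msg)


def install(skip=0):
    """Register the X86_Enter_SMM hook; returns the tracker so counts can be read."""
    if simics is None:
        raise RuntimeError("install() must be called from inside Simics")
    tracker = SmmTracker(skip)
    simics.SIM_hap_add_callback("X86_Enter_SMM", _hap_callback, tracker)
    return tracker
```

Because the callback also runs pselect on the core that triggered the stop, a following si lands directly on the first SMI handler instruction, which removes the manual "select the right processor" step the answer mentions. The decision logic is kept in SmmTracker so it can be exercised outside Simics with a stand-in cpu object.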