OK, I have it working. For the Q35 qemu mainboard, I can direct SMI to the kernel. The final issue was that the existing linux trampoline can't work at present if you have enabled NX and set the top bit of a PTE to 1, since the trampoline doesn't enable NX correctly. Easy fix: add nonx=off to the command line. That's not a typo, even though one might expect it to be nonx=on.
So, it's possible to have your kernel handle SMIs and run code that otherwise would be in ring -2.
We've been advised that the best thing to do with SMI is disable it totally (I agree -- that's what we did in linuxbios 1999-2006), and so we'll probably pursue that path instead. But it's good to know that this is possible.
For more, see https://github.com/rminnich/linux/tree/monitor
The test is simple: outb to 0xb2 (IIRC), and you'll see the SMI handler in the kernel print something.
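Added example, not code from the post or from the linked monitor tree: a small C program that models the NX failure the post describes (a PTE with bit 63 set is a reserved-bit page fault, not a no-execute page, if the trampoline never set EFER.NXE) and that does the port write the post uses as its test. The page table is constructed for the example; the helper names (make_pte, walk_pte, trampoline_efer, count_rsvd_faults, trigger_sw_smi) are mine, and APM_CNT is my name for port 0xb2, which is the software-SMI command port on ICH-style chipsets including the one QEMU's Q35 emulates. The port write needs root (CAP_SYS_RAWIO) and a chipset with SMI-on-APMC-write enabled; it is only compiled on x86 Linux.

```c
/* Added example (not from the post or the rminnich/linux tree). Models why the
 * trampoline breaks when EFER.NXE is not set, and shows the outb to 0xb2 the
 * post uses to trigger a software SMI. Helper names and APM_CNT are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* x86-64 4 KiB PTE bits and the EFER (MSR 0xC0000080) bits a trampoline sets. */
#define PTE_P         (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_NX        (1ULL << 63)           /* bit 63: XD, but only if EFER.NXE = 1 */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL /* physical address, bits 12..51 */
#define EFER_LME      (1ULL << 8)
#define EFER_NXE      (1ULL << 11)

enum pte_verdict { PTE_NOT_PRESENT, PTE_EXEC, PTE_NOEXEC, PTE_RSVD_FAULT };

uint64_t make_pte(uint64_t phys, bool writable, bool nx)
{
    uint64_t pte = (phys & PTE_ADDR_MASK) | PTE_P;
    if (writable) pte |= PTE_RW;
    if (nx)       pte |= PTE_NX;   /* the "top bit of a PTE" the post refers to */
    return pte;
}

/* What the CPU does with a PTE on a fetch: with NXE clear, bit 63 is a reserved
 * bit, so the walk ends not in "no-execute" but in a #PF with the RSVD flag. */
enum pte_verdict walk_pte(uint64_t pte, uint64_t efer)
{
    if (!(pte & PTE_P)) return PTE_NOT_PRESENT;
    if (pte & PTE_NX) return (efer & EFER_NXE) ? PTE_NOEXEC : PTE_RSVD_FAULT;
    return PTE_EXEC;
}

/* EFER value a long-mode trampoline programs before loading CR3. The bug in the
 * post is the enable_nx == false path being used with NX-marked page tables. */
uint64_t trampoline_efer(bool enable_nx)
{
    return EFER_LME | (enable_nx ? EFER_NXE : 0);
}

/* How many entries of a table would fault on the first touch under this EFER. */
size_t count_rsvd_faults(const uint64_t *tbl, size_t n, uint64_t efer)
{
    size_t faults = 0;
    for (size_t i = 0; i < n; i++)
        if (walk_pte(tbl[i], efer) == PTE_RSVD_FAULT) faults++;
    return faults;
}

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>
/* Assumption: APM_CNT (0xb2) is the software-SMI command port on ICH-style
 * chipsets, which is the port the post's outb targets. */
#define APM_CNT 0xb2
/* Trigger a software SMI the way the post's test does. Needs CAP_SYS_RAWIO and
 * SMI generation on APMC writes enabled in the chipset; returns -errno on failure. */
int trigger_sw_smi(uint8_t cmd)
{
    if (ioperm(APM_CNT, 1, 1) != 0) return -errno;
    outb(cmd, APM_CNT);
    return 0;
}
#endif

int main(int argc, char **argv)
{
    /* Constructed table: an NX data page next to an executable code page and an
     * empty slot, the mix a kernel with NX enabled actually hands the trampoline. */
    uint64_t tbl[] = { make_pte(0x200000, true, true), make_pte(0x201000, false, false), 0 };
    size_t n = sizeof tbl / sizeof tbl[0];
    printf("NXE clear: %zu reserved-bit faults\n", count_rsvd_faults(tbl, n, trampoline_efer(false)));
    printf("NXE set:   %zu reserved-bit faults\n", count_rsvd_faults(tbl, n, trampoline_efer(true)));
#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
    if (argc > 1 && argv[1][0] == 's') {   /* "./a.out smi" as root actually fires the SMI */
        int rc = trigger_sw_smi(0x00);
        printf("outb to 0x%x: %s\n", APM_CNT, rc ? "failed (not root?)" : "done");
    }
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Run without arguments it only evaluates the model: the same table yields one reserved-bit fault with the trampoline's EFER lacking NXE and none once NXE is set, which is the symptom the post works around with its command-line option. Run as root with an argument on a Q35 guest it does the outb from the post's test.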