From eecc611d736ba1bde874b8e4022da29299872d87 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 22 Oct 2024 06:46:14 -0400
Subject: [PATCH] bin/lock_chip: Correct PR0 statement
Signed-off-by: Thierry Laurion
---
 initrd/bin/lock_chip | 26 +++++---------------------
 1 file changed, 5 insertions(+), 21 deletions(-)
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
index 9519dc16..7578295f 100755
--- a/initrd/bin/lock_chip
+++ b/initrd/bin/lock_chip
@@ -15,27 +15,11 @@ if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
 fi
 if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
- # SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
- # SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
- # for SMM access.
- #
- # It uses the processor’s memory protection and paging mechanisms to restrict what
- # SMM code can read and write. SMM Supervisor marks critical pages, such as its
- # own code, data, and page tables, as supervisor pages, which are only accessible
- # from the most privileged level (CPL0).
- #
- # It also marks the rest of the SMM memory as user pages, which are accessible
- # from any privilege level.
- #
- # This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
- # that states what resources the SMI handlers (the interrupt handlers that run in SMM)
- # require access to.
- #
- # SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
- # which prevents further changes to the SMM memory and configuration.
- # Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
- # This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
- # after the system boots.
+ # PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
+ # which prevents further changes to the SPI controller configuration. The flash
+ # will become write protected in the range specified in the PR0 register. Once
+ # the protection is set and locked, it cannot be disabled
+ # until the next system reset.
 echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
 io386 -o b -b x $APM_CNT $FIN_CODE
 else
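Review bot: The rewritten comment still conflates two separate things: FLOCKDN does not "enable PR0 lockdown", it freezes the SPI controller's flash configuration registers (the protected-range registers among them), while the write-protected range itself is whatever PR0 was programmed to before the lock was set; the first added line would be clearer as `# FLOCKDN locks the SPI controller's protected-range and flash configuration registers; the write-protected region is the range already programmed into PR0.` It would also help the next reader to state what this script actually does, since the comment does not: the `io386` write of `$FIN_CODE` to the `$APM_CNT` port raises an SMI, and it is presumably the firmware's SMI handler, not this script, that programs PR0 and sets FLOCKDN. On that point, the context lines echo "Finalizing..." before the call and never check `io386`'s exit status or whether the lock actually took, so a user sees a success-sounding message even when no lockdown happened; at minimum `io386 -o b -b x "$APM_CNT" "$FIN_CODE" || echo "WARNING: SMI finalize call failed" >&2` (quoting both expansions) would surface a failed port write. The enclosing `if` opens inside the hunk but the `else` branch continues past it.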