# SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
# SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
# for SMM access.
#
# It uses the processor’s memory protection and paging mechanisms to restrict what
# SMM code can read and write. SMM Supervisor marks critical pages, such as its
# own code, data, and page tables, as supervisor pages, which are only accessible
# from the most privileged level (CPL0).
#
# It also marks the rest of the SMM memory as user pages, which are accessible
# from any privilege level.
#
# This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
# that states what resources the SMI handlers (the interrupt handlers that run in SMM)
# require access to.
#
# SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
# which prevents further changes to the SMM memory and configuration.
# Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
# This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
# after the system boots.
What is basically essential here in PR0 lockdown would be this one short sentence:
# PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
# which prevents further changes to the SPI controller configuration. The flash
# will become write protected in the range specified in the PR0 register. Once
# the protection is set and locked, it cannot be disabled # until the next system
# reset.
What is basically essential here in PR0 lockdown would be this one short sentence:
Reported by @miczyg1