coreboot-kgpe-d16/Documentation/security/memory_clearing.md

# Memory clearing

The main memory on computer platforms in high security environments contains
sensible data. On unexpected reboot the data might persist and could be
read by a malicious application in the bootflow or userspace.

In order to prevent leaking information from pre-reset, the boot firmware can
clear the main system memory on boot, wiping all information.

A common API indicates if the main memory has to be cleared. That could be
on user request or by a Trusted Execution Environment indicating that secrets
are in memory.

As every platform has different bring-up mechanisms and memory-layouts, every
The device must indicate support for memory clearing as part of the boot
process.

## Requirements

1. The platform must clear all platform memory (DRAM) if requested
2. Code that is placed in DRAM might be skipped (as workaround)
3. Stack that is placed in DRAM might be skipped (as workaround)
4. All DRAM is cleared with zeros

## Implementation

A platform that supports memory clearing selects Kconfig
``PLATFORM_HAS_DRAM_CLEAR`` and calls

```C
bool security_clear_dram_request(void);
```

to detect if memory should be cleared.

The memory is cleared in ramstage as part of `DEV_INIT` stage. It's possible to
clear it earlier on some platforms, but on x86 MTRRs needs to be programmed
first, which happens in `DEV_INIT`.

Without MTRRs (and caches enabled) clearing memory takes multiple seconds.
## Exceptions

As some platforms place code and stack in DRAM (FSP1.0), the regions can be
skipped.

## Architecture specific implementations

* [x86 PAE](../arch/x86/pae.md)
security: Add memory subfolder Add files to introduce a memory clearing framework. Introduce Kconfig PLATFORM_HAS_DRAM_CLEAR that is to be selected by platforms, that are able to clear all DRAM. Introduce Kconfig SECURITY_CLEAR_DRAM_ON_REGULAR_BOOT that is user selectable to always clear DRAM on non S3 boot. The function security_clear_dram_request tells the calling platform when to wipe all DRAM. Will be extended by TEE frameworks. Add Documentation for the new security API. Change-Id: Ifba25bfdd1057049f5cbae8968501bd9be487110 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/31548 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Christian Walter <christian.walter@9elements.com> 2019-02-21 12:04:21 +01:00			`# Memory clearing`

			`The main memory on computer platforms in high security environments contains`
			`sensible data. On unexpected reboot the data might persist and could be`
			`read by a malicious application in the bootflow or userspace.`

			`In order to prevent leaking information from pre-reset, the boot firmware can`
			`clear the main system memory on boot, wiping all information.`

			`A common API indicates if the main memory has to be cleared. That could be`
			`on user request or by a Trusted Execution Environment indicating that secrets`
			`are in memory.`

			`As every platform has different bring-up mechanisms and memory-layouts, every`
			`The device must indicate support for memory clearing as part of the boot`
			`process.`

			`## Requirements`

			`1. The platform must clear all platform memory (DRAM) if requested`
			`2. Code that is placed in DRAM might be skipped (as workaround)`
			`3. Stack that is placed in DRAM might be skipped (as workaround)`
			`4. All DRAM is cleared with zeros`

			`## Implementation`

			`A platform that supports memory clearing selects Kconfig`
			``PLATFORM_HAS_DRAM_CLEAR`` and calls

			```C
			`bool security_clear_dram_request(void);`
			```

			`to detect if memory should be cleared.`

			The memory is cleared in ramstage as part of `DEV_INIT` stage. It's possible to
			`clear it earlier on some platforms, but on x86 MTRRs needs to be programmed`
			first, which happens in `DEV_INIT`.

			`Without MTRRs (and caches enabled) clearing memory takes multiple seconds.`
			`## Exceptions`

			`As some platforms place code and stack in DRAM (FSP1.0), the regions can be`
			`skipped.`
cpu/x86/pae/pgtbl: Add memset with PAE To clear all DRAM on x86_32, add a new method that uses PAE to access more than 32bit of address space. Add Documentation as well. Required for clearing all system memory as part of security API. Tested on wedge100s: Takes less than 2 seconds to clear 8GiB of DRAM. Tested on P8H61M-Pro: Takes less than 1 second to clear 4GiB of DRAM. Change-Id: I00f7ecf87b5c9227a9d58a0b61eecc38007e1a57 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/31549 Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> 2019-02-21 10:27:04 +01:00
			`## Architecture specific implementations`

			`* [x86 PAE](../arch/x86/pae.md)`