1 files changed, 67 insertions, 0 deletions
diff --git a/Silicon/Intel/KabylakeSiliconPkg/Pch/Include/ConfigBlock/LockDownConfig.h b/Silicon/Intel/KabylakeSiliconPkg/Pch/Include/ConfigBlock/LockDownConfig.h
new file mode 100644
index 0000000000..f083b3b50c
--- /dev/null
+++ b/Silicon/Intel/KabylakeSiliconPkg/Pch/Include/ConfigBlock/LockDownConfig.h
@@ -0,0 +1,67 @@
+/** @file
+  Lock down policy
+
+Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials are licensed and made available under
+the terms and conditions of the BSD License that accompanies this distribution.
+The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php.
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+#ifndef _LOCK_DOWN_CONFIG_H_
+#define _LOCK_DOWN_CONFIG_H_
+
+#define LOCK_DOWN_CONFIG_REVISION 1
+extern EFI_GUID gLockDownConfigGuid;
+
+#pragma pack (push,1)
+
+/**
+  The PCH_LOCK_DOWN_CONFIG block describes the expected configuration of the PCH
+  for security requirement.
+**/
+typedef struct {
+  CONFIG_BLOCK_HEADER   Header;                   ///< Config Block Header
+  /**
+    <b>(Test)</b> Enable SMI_LOCK bit to prevent writes to the Global SMI Enable bit. 0: Disable; <b>1: Enable</b>.
+  **/
+  UINT32  GlobalSmi      :  1;
+  /**
+    <b>(Test)</b> Enable BIOS Interface Lock Down bit to prevent writes to the Backup Control Register
+    Top Swap bit and the General Control and Status Registers Boot BIOS Straps. 0: Disable; <b>1: Enable</b>.
+  **/
+  UINT32  BiosInterface  :  1;
+  /**
+    <b>(Test)</b> Enable RTC lower and upper 128 byte Lock bits to lock Bytes 38h-3Fh in the upper
+    and lower 128-byte bank of RTC RAM. 0: Disable; <b>1: Enable</b>.
+  **/
+  UINT32  RtcLock        :  1;
+  /**
+    Enable the BIOS Lock Enable (BLE) feature and set EISS bit (D31:F5:RegDCh[5])
+    for the BIOS region protection. When it is enabled, the BIOS Region can only be
+    modified from SMM after EndOfDxe protocol is installed.
+    Note: When BiosLock is enabled, platform code also needs to update to take care
+    of BIOS modification (including SetVariable) in DXE or runtime phase after
+    EndOfDxe protocol is installed. 0: Disable; <b>1: Enable</b>.
+  **/
+  UINT32  BiosLock       :  1;
+  /**
+    Enable InSMM.STS (EISS) in SPI
+    If this bit is set, then WPD must be a '1' and InSMM.STS must be '1' also
+    in order to write to BIOS regions of SPI Flash. If this bit is clear,
+    then the InSMM.STS is a don't care.
+    The BIOS must set the EISS bit while BIOS Guard support is enabled.
+    In recovery path, platform can temporary disable EISS for SPI programming in
+    PEI phase or early DXE phase.
+    0: Clear EISS bit; <b>1: Set EISS bit</b>.
+  **/
+  UINT32  SpiEiss        :  1;
+  UINT32  RsvdBits0      : 27;          ///< Reserved bits
+} PCH_LOCK_DOWN_CONFIG;
+
+#pragma pack (pop)
+
+#endif // _LOCK_DOWN_CONFIG_H_