The main memory on computer platforms in high security environments contains sensible data. On unexpected reboot the data might persist and could be read by a malicious application in the bootflow or userspace.
In order to prevent leaking information from pre-reset, the boot firmware can clear the main system memory on boot, wiping all information.
A common API indicates if the main memory has to be cleared. That could be on user request or by a Trusted Execution Environment indicating that secrets are in memory.
As every platform has different bring-up mechanisms and memory-layouts, every The device must indicate support for memory clearing as part of the boot process.
A platform that supports memory clearing selects Kconfig
PLATFORM_HAS_DRAM_CLEAR and calls
to detect if memory should be cleared.
The memory is cleared in ramstage as part of
DEV_INIT stage. It's possible to clear it earlier on some platforms, but on x86 MTRRs needs to be programmed first, which happens in
Without MTRRs (and caches enabled) clearing memory takes multiple seconds.
As some platforms place code and stack in DRAM (FSP1.0), the regions can be skipped.