Life cycle of the protection

In a normal boot, the page table based protection is configured by the PiSmmCpu driver just after the SmmReadyToLock event by PerformRemainingTasks() at https:\/\/github.com\/tianocore\/edk2\/blob\/master\/UefiCpuPkg\/PiSmmCpuDxeSmm\/PiSmmCpuDxeSmm.c. All read-only data must be ready before SmmReadyToLock.

In an S3 resume, the protection is disabled during SMBASE relocation because the PiSmmCpu needs to set up the environment. The PiSmmCpu uses SmmS3Cr3, which is generated by InitSmmS3Cr3() at https:\/\/github.com\/tianocore\/edk2\/blob\/master\/UefiCpuPkg\/PiSmmCpuDxeSmm\/X64\/SmmProfileArch.c with 4G paging only. After the SMBASE relocation is done, all the protection takes effect up receipt of the next SMI by PerformPreTasks() at https:\/\/github.com\/tianocore\/edk2\/blob\/master\/UefiCpuPkg\/PiSmmCpuDxeSmm\/PiSmmCpuDxeSmm.c.

If there is an additional lock that needs to be set, it can be done in SmmCpuFeaturesCompleteSmmReadyToLock() API (defined in https:\/\/github.com\/tianocore\/edk2\/blob\/master\/UefiCpuPkg\/Include\/Library\/SmmCpuFeaturesLib.h).