summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Reinauer <reinauer@chromium.org>2012-10-31 17:30:13 -0700
committerRonald G. Minnich <rminnich@gmail.com>2012-11-13 18:24:06 +0100
commit7004b7c9e61640f1e7e7bf9043bf7b2a8603d956 (patch)
tree0d59a8d0dd30f16f30754f5fb5a07b29b02f6376
parent1bfbbc0d8f68b43af7ccda1dde796ed15950c508 (diff)
downloadcoreboot-7004b7c9e61640f1e7e7bf9043bf7b2a8603d956.tar.xz
Add Kconfig option to lock/unlock ME firmware during build
For reasons of security and testing we want to be able to enable/disable ME section locking through a config option. Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f Signed-off-by: Stefan Reinauer <reinauer@google.com> Reviewed-on: http://review.coreboot.org/1798 Tested-by: build bot (Jenkins) Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
-rw-r--r--src/southbridge/intel/bd82x6x/Kconfig13
-rw-r--r--src/southbridge/intel/bd82x6x/Makefile.inc9
2 files changed, 22 insertions, 0 deletions
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 7634b801ff..e330fb4382 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -58,4 +58,17 @@ config HPET_MIN_TICKS
hex
default 0x80
+config LOCK_MANAGEMENT_ENGINE
+ bool "Lock Management Engine section"
+ default n
+ help
+ The Intel Management Engine supports preventing write accesses
+ from the host to the Management Engine section in the firmware
+ descriptor. If the ME section is locked, it can only be overwritten
+ with an external SPI flash programmer. You will want this if you
+ want to increase security of your ROM image once you are sure
+ that the ME firmware is no longer going to change.
+
+ If unsure, say N.
+
endif
diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc b/src/southbridge/intel/bd82x6x/Makefile.inc
index eca3d9e2af..7fd6ca8a25 100644
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@@ -60,5 +60,14 @@ bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
+ printf " IFDTOOL Locking Management Engine\n"
+ $(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+ mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+else
+ printf " IFDTOOL Unlocking Management Engine\n"
+ $(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+ mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+endif
PHONY += bd82x6x_add_me