authorMario Scheithauer <mario.scheithauer@siemens.com>2019-02-27 10:29:01 +0100
committerNico Huber <nico.h@gmx.de>2019-03-03 11:30:01 +0000
commit268744306a512de20839fa566f847d33cfec03bc (patch)
treed6df5a1cdff6ea1ebc0dbec297a744fec89ec65a
parenta7967eea163a59926a72554ee77e4d19b1510b2c (diff)
sb/intel/common/firmware: Don't touch descriptor region
This patch makes the way to protect flash regions selectable. If you don't want to use ifdtool for modification of flash descriptor, enable the new option. Otherwise, the previous config settings for all mainboards will be retained. Change-Id: I46ec6339008edcc78fe76682eed5714f85354937 Signed-off-by: Mario Scheithauer <mario.scheithauer@siemens.com> Reviewed-on: https://review.coreboot.org/c/31639 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Nico Huber <nico.h@gmx.de>
-rw-r--r--src/southbridge/intel/common/firmware/Kconfig26
-rw-r--r--src/southbridge/intel/common/firmware/Makefile.inc4
-rw-r--r--src/southbridge/intel/lynxpoint/Kconfig4
3 files changed, 27 insertions, 7 deletions
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 31a3df32c9..c0dd43984d 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -141,9 +141,23 @@ config EC_BIN_PATH
depends on HAVE_EC_BIN
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"
+choice
+ prompt "Protect flash regions"
+ default UNLOCK_FLASH_REGIONS
+ help
+ This option allows you to protect flash regions.
+
+config DO_NOT_TOUCH_DESCRIPTOR_REGION
+ bool "Use the preset values to protect the regions"
+ help
+ Read and write access permissions to different regions in the flash
+ can be controlled via dedicated bitfields in the flash descriptor.
+ These permissions can be modified with the Intel Flash Descriptor
+ Tool (ifdtool). If you don't want to change these permissions and
+ keep the ones provided in the initial descriptor, use this option.
+
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
- default n
help
The Intel Firmware Descriptor supports preventing write accesses
from the host to the ME or TXE section in the firmware
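Review bot: The new `choice` defaults to `UNLOCK_FLASH_REGIONS`, yet its help text (`This option allows you to protect flash regions.`) never says that the default leaves every region writable. This keeps the previous behaviour, as the commit description states, but someone reading only the choice prompt gets no hint of the trade-off. I would extend the choice help along the lines of `Selects how the region access permissions in the flash descriptor are set at build time. The default leaves all regions unprotected.` The same gap shows in the second hunk, where `If unsure, select "Unlock flash regions".` recommends the least protective entry without saying so. The LOCK_MANAGEMENT_ENGINE help text continues outside this hunk.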
@@ -152,7 +166,15 @@ config LOCK_MANAGEMENT_ENGINE
want to increase security of your ROM image once you are sure
that the ME/TXE firmware is no longer going to change.
- If unsure, say N.
+ If unsure, select "Unlock flash regions".
+
+config UNLOCK_FLASH_REGIONS
+ bool "Unlock flash regions"
+ help
+ All regions are completely unprotected and can be overwritten using
+ a flash programming tool.
+
+endchoice
config CBFS_SIZE
hex
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index 774bb2391a..898ab60770 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -68,12 +68,14 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y)
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
endif
+
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
printf " IFDTOOL Locking Management Engine\n"
$(objutil)/ifdtool/ifdtool \
$(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
-else
+endif
+ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)
printf " IFDTOOL Unlocking Management Engine\n"
$(objutil)/ifdtool/ifdtool \
$(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre
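Review bot: The progress line under the new `ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)` still prints `Unlocking Management Engine`, although the Kconfig help for that option says all regions end up unprotected; the message should match the option, e.g. `printf "    IFDTOOL    Unlocking flash regions\n"`. When `DO_NOT_TOUCH_DESCRIPTOR_REGION` is selected nothing is printed, so the build log does not record which protection mode the image was built with. A one-line `printf` inside an `ifeq ($(CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION),y)` branch would make that auditable. The two `ifeq` blocks are mutually exclusive only because the options sit in one Kconfig `choice`, which deserves a short comment above them. The unlock block continues past the end of this hunk.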
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index 79f30ae706..87e197070b 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -79,8 +79,4 @@ config FINALIZE_USB_ROUTE_XHCI
If you set this option to y, the USB ports will be routed
to the XHCI controller during the finalize SMM callback.
-config LOCK_MANAGEMENT_ENGINE
- bool
- default n
-
endif