diff options
author | Sridhar Siricilla <sridhar.siricilla@intel.com> | 2020-12-03 17:56:49 +0530 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2020-12-07 14:06:28 +0000 |
commit | 416b828f47655b6306d3f1ae49e3c3227a1296dd (patch) | |
tree | 3f557372c92d107176bbfe589de3ae63f7d283ab /src/southbridge/intel/common | |
parent | e02b62a4f537ef4ad10e22c05b209c045884ef37 (diff) | |
download | coreboot-416b828f47655b6306d3f1ae49e3c3227a1296dd.tar.xz |
sb/intel/common: Modify CONFIG_LOCK_MANAGEMENT_ENGINE behavior
The patch modifies KConfig behaviour if CSE Lite SKU is integrated into
the coreboot. When the CSE Lite SKU is integrated, the KConfig prevents
writing to ME region but keeps read access enabled. Since CSE Lite driver
checks the signature of RW partition to identify the interrupted CSE
firmware update, so host must have read access to the ME region. Also, the
patch modifies the KConfig's help text to reflect the change.
When CSE Lite SKU is integrated, master access permissions:
FLMSTR1: 0x002007ff (Host CPU/BIOS)
EC Region Write Access: disabled
Platform Data Region Write Access: disabled
GbE Region Write Access: disabled
Intel ME Region Write Access: disabled
Host CPU/BIOS Region Write Access: enabled
Flash Descriptor Write Access: disabled
EC Region Read Access: disabled
Platform Data Region Read Access: disabled
GbE Region Read Access: disabled
Intel ME Region Read Access: enabled
Host CPU/BIOS Region Read Access: enabled
Flash Descriptor Read Access: enabled
BUG=b:174118018
TEST=Built and verified the access permissions.
Signed-off-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Change-Id: I2f6677ab7b59ddce827d3fcaae61508a30dc1b28
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48267
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Karthik Ramasubramanian <kramasub@google.com>
Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
Diffstat (limited to 'src/southbridge/intel/common')
-rw-r--r-- | src/southbridge/intel/common/firmware/Kconfig | 20 | ||||
-rw-r--r-- | src/southbridge/intel/common/firmware/Makefile.inc | 8 |
2 files changed, 21 insertions, 7 deletions
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index 4e934265bb..cd975ba4e6 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -55,6 +55,14 @@ config CHECK_ME proceeding with the build, in order to prevent an accidental loading of a corrupted ME/TXE image. +config ME_REGION_ALLOW_CPU_READ_ACCESS + bool "Allows HOST/CPU read access to ME region" + default n + help + The config ensures Host has read access to the ME region if it is locked + through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE + Lite SKU is integrated. + config USE_ME_CLEANER bool "Strip down the Intel ME/TXE firmware" depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ @@ -145,12 +153,12 @@ config DO_NOT_TOUCH_DESCRIPTOR_REGION config LOCK_MANAGEMENT_ENGINE bool "Lock ME/TXE section" help - The Intel Firmware Descriptor supports preventing write accesses - from the host to the ME or TXE section in the firmware - descriptor. If the section is locked, it can only be overwritten - with an external SPI flash programmer. You will want this if you - want to increase security of your ROM image once you are sure - that the ME/TXE firmware is no longer going to change. + The Intel Firmware Descriptor supports preventing write and read + accesses from the host to the ME or TXE section. If the section + is locked, it can only be overwritten with an external SPI flash + programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE + before writing to the ME Section. If CSE Lite SKU is integrated, + the Kconfig prevents only writing to the ME section. If unsure, select "Unlock flash regions". diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index df9a57f168..516cd4d453 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -17,6 +17,12 @@ ifneq ($(call strip_quotes,$(CONFIG_IFD_CHIPSET)),) IFDTOOL_USE_CHIPSET := -p $(CONFIG_IFD_CHIPSET) endif +ifeq ($(CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS),y) +IFDTOOL_LOCK_ME_MODE := -lr +else +IFDTOOL_LOCK_ME_MODE := -l +endif + add_intel_firmware: $(call strip_quotes,$(CONFIG_IFD_BIN_PATH)) ifeq ($(CONFIG_HAVE_ME_BIN),y) add_intel_firmware: $(call strip_quotes,$(CONFIG_ME_BIN_PATH)) @@ -73,7 +79,7 @@ endif ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) printf " IFDTOOL Locking Management Engine\n" $(objutil)/ifdtool/ifdtool \ - $(IFDTOOL_USE_CHIPSET) -l \ + $(IFDTOOL_USE_CHIPSET) $(IFDTOOL_LOCK_ME_MODE) \ -O $(obj)/coreboot.pre \ $(obj)/coreboot.pre endif |