From 268744306a512de20839fa566f847d33cfec03bc Mon Sep 17 00:00:00 2001 From: Mario Scheithauer Date: Wed, 27 Feb 2019 10:29:01 +0100 Subject: sb/intel/common/firmware: Don't touch descriptor region This patch makes the way to protect flash regions selectable. If you don't want to use ifdtool for modification of flash descriptor, enable the new option. Otherwise, the previous config settings for all mainboards will be retained. Change-Id: I46ec6339008edcc78fe76682eed5714f85354937 Signed-off-by: Mario Scheithauer Reviewed-on: https://review.coreboot.org/c/31639 Tested-by: build bot (Jenkins) Reviewed-by: Nico Huber --- src/southbridge/intel/common/firmware/Kconfig | 26 ++++++++++++++++++++-- src/southbridge/intel/common/firmware/Makefile.inc | 4 +++- src/southbridge/intel/lynxpoint/Kconfig | 4 ---- 3 files changed, 27 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index 31a3df32c9..c0dd43984d 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig 
@@ -141,9 +141,23 @@ config EC_BIN_PATH depends on HAVE_EC_BIN default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin" +choice + prompt "Protect flash regions" + default UNLOCK_FLASH_REGIONS + help + This option allows you to protect flash regions. + +config DO_NOT_TOUCH_DESCRIPTOR_REGION + bool "Use the preset values to protect the regions" + help + Read and write access permissions to different regions in the flash + can be controlled via dedicated bitfields in the flash descriptor. + These permissions can be modified with the Intel Flash Descriptor + Tool (ifdtool). If you don't want to change these permissions and + keep the ones provided in the initial descriptor, use this option. + config LOCK_MANAGEMENT_ENGINE bool "Lock ME/TXE section" - default n help The Intel Firmware Descriptor supports preventing write accesses from the host to the ME or TXE section in the firmware @@ -152,7 +166,15 @@ config LOCK_MANAGEMENT_ENGINE want to increase security of your ROM image once you are sure that the ME/TXE firmware is no longer going to change. - If unsure, say N. + If unsure, select "Unlock flash regions". + +config UNLOCK_FLASH_REGIONS + bool "Unlock flash regions" + help + All regions are completely unprotected and can be overwritten using + a flash programming tool. + +endchoice config CBFS_SIZE hex diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 774bb2391a..898ab60770 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc 
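Review bot: The prompt and help added for `DO_NOT_TOUCH_DESCRIPTOR_REGION` ("Use the preset values to protect the regions") do not say that this choice only provides whatever protection the supplied descriptor already encodes, which may be none. I would add one sentence to its help, for example `The resulting protection depends entirely on the supplied descriptor; check its region access permissions before relying on this option.` The choice-level help ("This option allows you to protect flash regions.") could also state that the default, `UNLOCK_FLASH_REGIONS`, leaves every region unprotected, so that keeping the default is an informed decision.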
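Review bot: The new guidance `If unsure, select "Unlock flash regions".` steers undecided users to the least protective choice without naming the trade-off, and the added `UNLOCK_FLASH_REGIONS` help mentions only "a flash programming tool". Judging by the Makefile.inc change in this commit, this choice corresponds to the `ifdtool -u` step, so the help should probably say that the regions, the descriptor presumably included, stay writable from the running system and not just from an external programmer. Suggested wording: `All regions are left readable and writable from the host. This is convenient during development; pick one of the other choices for images that should resist modification from the host.` The LOCK_MANAGEMENT_ENGINE help that carries the "If unsure" line begins outside this hunk.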
@@ -68,12 +68,14 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y) $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre endif + ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) printf " IFDTOOL Locking Management Engine\n" $(objutil)/ifdtool/ifdtool \ $(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre -else +endif +ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y) printf " IFDTOOL Unlocking Management Engine\n" $(objutil)/ifdtool/ifdtool \ $(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig index 79f30ae706..87e197070b 100644 --- a/src/southbridge/intel/lynxpoint/Kconfig +++ b/src/southbridge/intel/lynxpoint/Kconfig @@ -79,8 +79,4 @@ config FINALIZE_USB_ROUTE_XHCI If you set this option to y, the USB ports will be routed to the XHCI controller during the finalize SMM callback. -config LOCK_MANAGEMENT_ENGINE - bool - default n - endif -- cgit v1.2.3
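Review bot: The log line under the new `ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)` still prints `IFDTOOL Unlocking Management Engine`, while the Kconfig help added in the same commit says this choice leaves all regions unprotected. I would change the message to match, e.g. `printf "    IFDTOOL    Unlocking flash regions\n"`. When `CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION` is chosen, neither branch runs and the build output says nothing about flash protection. A short third `ifeq` that only prints something like `printf "    IFDTOOL    Leaving descriptor region permissions unchanged\n"` would let the chosen mode be confirmed from the build log. The unlock branch's closing `mv` and `endif` lie outside the hunk.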