sb/intel/common/firmware: Don't touch descriptor region
This patch makes the way to protect flash regions selectable. If you don't want to use ifdtool for modification of flash descriptor, enable the new option. Otherwise, the previous config settings for all mainboards will be retained. Change-Id: I46ec6339008edcc78fe76682eed5714f85354937 Signed-off-by: Mario Scheithauer <mario.scheithauer@siemens.com> Reviewed-on: https://review.coreboot.org/c/31639 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Nico Huber <nico.h@gmx.de>
This commit is contained in:
Mario Scheithauer
Nico Huber
parent
a7967eea16
commit
268744306a
|
|
@ -141,9 +141,23 @@ config EC_BIN_PATH
|
|||
depends on HAVE_EC_BIN
|
||||
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"
|
||||
|
||||
choice
|
||||
prompt "Protect flash regions"
|
||||
default UNLOCK_FLASH_REGIONS
|
||||
help
|
||||
This option allows you to protect flash regions.
|
||||
|
||||
config DO_NOT_TOUCH_DESCRIPTOR_REGION
|
||||
bool "Use the preset values to protect the regions"
|
||||
help
|
||||
Read and write access permissions to different regions in the flash
|
||||
can be controlled via dedicated bitfields in the flash descriptor.
|
||||
These permissions can be modified with the Intel Flash Descriptor
|
||||
Tool (ifdtool). If you don't want to change these permissions and
|
||||
keep the ones provided in the initial descriptor, use this option.
|
||||
|
||||
config LOCK_MANAGEMENT_ENGINE
|
||||
bool "Lock ME/TXE section"
|
||||
default n
|
||||
help
|
||||
The Intel Firmware Descriptor supports preventing write accesses
|
||||
from the host to the ME or TXE section in the firmware
|
||||
|
|
@ -152,7 +166,15 @@ config LOCK_MANAGEMENT_ENGINE
|
|||
want to increase security of your ROM image once you are sure
|
||||
that the ME/TXE firmware is no longer going to change.
|
||||
|
||||
If unsure, say N.
|
||||
If unsure, select "Unlock flash regions".
|
||||
|
||||
config UNLOCK_FLASH_REGIONS
|
||||
bool "Unlock flash regions"
|
||||
help
|
||||
All regions are completely unprotected and can be overwritten using
|
||||
a flash programming tool.
|
||||
|
||||
endchoice
|
||||
|
||||
config CBFS_SIZE
|
||||
hex
|
||||
|
|
|
|||
|
|
@ -68,12 +68,14 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y)
|
|||
$(obj)/coreboot.pre
|
||||
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
|
||||
endif
|
||||
|
||||
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
|
||||
printf " IFDTOOL Locking Management Engine\n"
|
||||
$(objutil)/ifdtool/ifdtool \
|
||||
$(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre
|
||||
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
|
||||
else
|
||||
endif
|
||||
ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)
|
||||
printf " IFDTOOL Unlocking Management Engine\n"
|
||||
$(objutil)/ifdtool/ifdtool \
|
||||
$(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre
|
||||
|
|
|
|||
|
|
@ -79,8 +79,4 @@ config FINALIZE_USB_ROUTE_XHCI
|
|||
If you set this option to y, the USB ports will be routed
|
||||
to the XHCI controller during the finalize SMM callback.
|
||||
|
||||
config LOCK_MANAGEMENT_ENGINE
|
||||
bool
|
||||
default n
|
||||
|
||||
endif
|
||||
|
|
|
|||
Loading…
Reference in New Issue