diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig index ee6ce68c1f..d3b7288a81 100644 --- a/src/soc/intel/common/block/cse/Kconfig +++ b/src/soc/intel/common/block/cse/Kconfig @@ -17,6 +17,7 @@ config SOC_INTEL_CSE_LITE_SKU bool default n depends on CHROMEOS + select ME_REGION_ALLOW_CPU_READ_ACCESS help Enables CSE Lite SKU diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index 4e934265bb..cd975ba4e6 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -55,6 +55,14 @@ config CHECK_ME proceeding with the build, in order to prevent an accidental loading of a corrupted ME/TXE image. +config ME_REGION_ALLOW_CPU_READ_ACCESS + bool "Allows HOST/CPU read access to ME region" + default n + help + The config ensures Host has read access to the ME region if it is locked + through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE + Lite SKU is integrated. + config USE_ME_CLEANER bool "Strip down the Intel ME/TXE firmware" depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ @@ -145,12 +153,12 @@ config DO_NOT_TOUCH_DESCRIPTOR_REGION config LOCK_MANAGEMENT_ENGINE bool "Lock ME/TXE section" help - The Intel Firmware Descriptor supports preventing write accesses - from the host to the ME or TXE section in the firmware - descriptor. If the section is locked, it can only be overwritten - with an external SPI flash programmer. You will want this if you - want to increase security of your ROM image once you are sure - that the ME/TXE firmware is no longer going to change. + The Intel Firmware Descriptor supports preventing write and read + accesses from the host to the ME or TXE section. If the section + is locked, it can only be overwritten with an external SPI flash + programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE + before writing to the ME Section. If CSE Lite SKU is integrated, + the Kconfig prevents only writing to the ME section. If unsure, select "Unlock flash regions". diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index df9a57f168..516cd4d453 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -17,6 +17,12 @@ ifneq ($(call strip_quotes,$(CONFIG_IFD_CHIPSET)),) IFDTOOL_USE_CHIPSET := -p $(CONFIG_IFD_CHIPSET) endif +ifeq ($(CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS),y) +IFDTOOL_LOCK_ME_MODE := -lr +else +IFDTOOL_LOCK_ME_MODE := -l +endif + add_intel_firmware: $(call strip_quotes,$(CONFIG_IFD_BIN_PATH)) ifeq ($(CONFIG_HAVE_ME_BIN),y) add_intel_firmware: $(call strip_quotes,$(CONFIG_ME_BIN_PATH)) @@ -73,7 +79,7 @@ endif ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) printf " IFDTOOL Locking Management Engine\n" $(objutil)/ifdtool/ifdtool \ - $(IFDTOOL_USE_CHIPSET) -l \ + $(IFDTOOL_USE_CHIPSET) $(IFDTOOL_LOCK_ME_MODE) \ -O $(obj)/coreboot.pre \ $(obj)/coreboot.pre endif