sb/intel/common: Modify CONFIG_LOCK_MANAGEMENT_ENGINE behavior

The patch modifies Kconfig behaviour if the CSE Lite SKU is integrated into
coreboot. When the CSE Lite SKU is integrated, the Kconfig prevents
writing to the ME region but keeps read access enabled. Since the CSE Lite
driver checks the signature of the RW partition to identify an interrupted
CSE firmware update, the host must have read access to the ME region. Also,
the patch modifies the Kconfig's help text to reflect the change.

When CSE Lite SKU is integrated, master access permissions:
FLMSTR1:   0x002007ff (Host CPU/BIOS)
  EC Region Write Access:            disabled
  Platform Data Region Write Access: disabled
  GbE Region Write Access:           disabled
  Intel ME Region Write Access:      disabled
  Host CPU/BIOS Region Write Access: enabled
  Flash Descriptor Write Access:     disabled
  EC Region Read Access:             disabled
  Platform Data Region Read Access:  disabled
  GbE Region Read Access:            disabled
  Intel ME Region Read Access:       enabled
  Host CPU/BIOS Region Read Access:  enabled
  Flash Descriptor Read Access:      enabled

BUG=b:174118018
TEST=Built and verified the access permissions.

Signed-off-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Change-Id: I2f6677ab7b59ddce827d3fcaae61508a30dc1b28
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48267
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Karthik Ramasubramanian <kramasub@google.com>
Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
Sridhar Siricilla 2020-12-03 17:56:49 +05:30 committed by Patrick Georgi
parent e02b62a4f5
commit 416b828f47
3 changed files with 22 additions and 7 deletions
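
The FLMSTR1 value quoted in the commit message can be decoded and checked against the policy it describes. This is an added example, not code from the commit or from coreboot; the bit positions and region indices are assumptions based on the IFD v2 layout, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed IFD v2 master-section layout (not stated on this page):
 * read-access bits start at bit 8, write-access bits at bit 20,
 * one bit per flash region index. */
#define FLMSTR_RD_SHIFT 8
#define FLMSTR_WR_SHIFT 20

/* Assumed region indices. */
enum region { REGION_DESC = 0, REGION_BIOS = 1, REGION_ME = 2,
	      REGION_GBE = 3, REGION_PDR = 4, REGION_EC = 8 };

static const struct { enum region idx; const char *name; } regions[] = {
	{ REGION_EC, "EC" }, { REGION_PDR, "Platform Data" },
	{ REGION_GBE, "GbE" }, { REGION_ME, "Intel ME" },
	{ REGION_BIOS, "Host CPU/BIOS" }, { REGION_DESC, "Flash Descriptor" },
};

int can_read(uint32_t flmstr, enum region r)
{
	return (flmstr >> (FLMSTR_RD_SHIFT + r)) & 1;
}

int can_write(uint32_t flmstr, enum region r)
{
	return (flmstr >> (FLMSTR_WR_SHIFT + r)) & 1;
}

/* Policy from the commit message: the host reads the ME region but cannot
 * write it, and cannot write the flash descriptor either. */
int me_lock_ok_for_cse_lite(uint32_t flmstr1)
{
	return can_read(flmstr1, REGION_ME) && !can_write(flmstr1, REGION_ME) &&
	       !can_write(flmstr1, REGION_DESC);
}

int main(void)
{
	const uint32_t flmstr1 = 0x002007ff; /* value from the commit message */
	size_t i;

	for (i = 0; i < sizeof(regions) / sizeof(regions[0]); i++)
		printf("%-16s read=%d write=%d\n", regions[i].name,
		       can_read(flmstr1, regions[i].idx),
		       can_write(flmstr1, regions[i].idx));
	printf("CSE Lite lock policy: %s\n",
	       me_lock_ok_for_cse_lite(flmstr1) ? "ok" : "VIOLATED");
	return 0;
}
```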


@ -17,6 +17,7 @@ config SOC_INTEL_CSE_LITE_SKU
bool
default n
depends on CHROMEOS
select ME_REGION_ALLOW_CPU_READ_ACCESS
help
Enables CSE Lite SKU
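
Review bot: the help text under SOC_INTEL_CSE_LITE_SKU still reads only "Enables CSE Lite SKU", although the added "select ME_REGION_ALLOW_CPU_READ_ACCESS" line now changes what LOCK_MANAGEMENT_ENGINE does on these boards. Suggest one more help sentence saying that this SKU keeps host read access to the ME region when the ME is locked, so someone auditing a board's flash permissions finds the reason here.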


@ -55,6 +55,14 @@ config CHECK_ME
proceeding with the build, in order to prevent an accidental loading
of a corrupted ME/TXE image.
config ME_REGION_ALLOW_CPU_READ_ACCESS
bool "Allows HOST/CPU read access to ME region"
default n
help
The config ensures Host has read access to the ME region if it is locked
through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE
Lite SKU is integrated.
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
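
Review bot: ME_REGION_ALLOW_CPU_READ_ACCESS is declared with a prompt string (bool "Allows HOST/CPU read access to ME region"), so it can be switched on from menuconfig on any board, while its help text says it is enabled when the CSE Lite SKU is integrated. Since it relaxes what LOCK_MANAGEMENT_ENGINE provides, consider a bare "bool" with no prompt so that only a select can turn it on.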
@ -145,12 +153,12 @@ config DO_NOT_TOUCH_DESCRIPTOR_REGION
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
help
The Intel Firmware Descriptor supports preventing write accesses
from the host to the ME or TXE section in the firmware
descriptor. If the section is locked, it can only be overwritten
with an external SPI flash programmer. You will want this if you
want to increase security of your ROM image once you are sure
that the ME/TXE firmware is no longer going to change.
The Intel Firmware Descriptor supports preventing write and read
accesses from the host to the ME or TXE section. If the section
is locked, it can only be overwritten with an external SPI flash
programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE
before writing to the ME Section. If CSE Lite SKU is integrated,
the Kconfig prevents only writing to the ME section.
If unsure, select "Unlock flash regions".
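
Review bot: the new LOCK_MANAGEMENT_ENGINE help ties the write-only lock to "If CSE Lite SKU is integrated", but the Makefile hunk keys it on CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS; naming that symbol in the help keeps the text correct if anything else selects it. The sentence ending "or HECI HMRFPO_ENABLE command needs to be sent to CSE before writing to the ME Section" would read more clearly as two sentences, and the removed rationale about locking once the ME/TXE firmware is no longer going to change was worth keeping.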


@ -17,6 +17,12 @@ ifneq ($(call strip_quotes,$(CONFIG_IFD_CHIPSET)),)
IFDTOOL_USE_CHIPSET := -p $(CONFIG_IFD_CHIPSET)
endif
ifeq ($(CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS),y)
IFDTOOL_LOCK_ME_MODE := -lr
else
IFDTOOL_LOCK_ME_MODE := -l
endif
add_intel_firmware: $(call strip_quotes,$(CONFIG_IFD_BIN_PATH))
ifeq ($(CONFIG_HAVE_ME_BIN),y)
add_intel_firmware: $(call strip_quotes,$(CONFIG_ME_BIN_PATH))
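
Review bot: the "-lr" value assigned to IFDTOOL_LOCK_ME_MODE has no comment, and none of the hunks in this change touches ifdtool, so the build depends on an ifdtool that already accepts "r" together with "-l". Suggest a one-line comment above the ifeq stating that -lr locks the ME region while leaving host read access, and naming the ifdtool change this relies on in the commit message.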
@ -73,7 +79,7 @@ endif
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
printf " IFDTOOL Locking Management Engine\n"
$(objutil)/ifdtool/ifdtool \
$(IFDTOOL_USE_CHIPSET) -l \
$(IFDTOOL_USE_CHIPSET) $(IFDTOOL_LOCK_ME_MODE) \
-O $(obj)/coreboot.pre \
$(obj)/coreboot.pre
endif
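
Review bot: the printf in the CONFIG_LOCK_MANAGEMENT_ENGINE branch prints "IFDTOOL Locking Management Engine" for both modes, so the build log does not show whether the image was produced with -l or -lr. Suggest a distinct message when CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS is y so the permissions of a given image can be confirmed from the log.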