Add Kconfig option to lock/unlock ME firmware during build

For reasons of security and testing we want to be able to
enable/disable ME section locking through a config option.

Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f
Signed-off-by: Stefan Reinauer <reinauer@google.com>
Reviewed-on: http://review.coreboot.org/1798
Tested-by: build bot (Jenkins)
Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
Stefan Reinauer 2012-10-31 17:30:13 -07:00 committed by Ronald G. Minnich
parent 1bfbbc0d8f
commit 7004b7c9e6
2 changed files with 22 additions and 0 deletions

@ -58,4 +58,17 @@ config HPET_MIN_TICKS
hex
default 0x80
config LOCK_MANAGEMENT_ENGINE
bool "Lock Management Engine section"
default n
help
The Intel Management Engine supports preventing write accesses
from the host to the Management Engine section in the firmware
descriptor. If the ME section is locked, it can only be overwritten
with an external SPI flash programmer. You will want this if you
want to increase security of your ROM image once you are sure
that the ME firmware is no longer going to change.
If unsure, say N.
endif
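
Review bot: the help text for LOCK_MANAGEMENT_ENGINE only describes what happens when the option is set, yet it pairs `default n` with "If unsure, say N" without saying what N does to the image. In the bd82x6x_add_me rule of this same change, the not-set case runs `ifdtool -u` and prints "Unlocking Management Engine", so N is an active unlock rather than leaving the section untouched. Please add a sentence to the help stating that, so someone taking the default knows the resulting image has the ME section writable from the host.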

@ -60,5 +60,14 @@ bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
printf " IFDTOOL Locking Management Engine\n"
$(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
else
printf " IFDTOOL Unlocking Management Engine\n"
$(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
endif
PHONY += bd82x6x_add_me
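
Review bot: the `else` branch runs `ifdtool -u` on every build where CONFIG_LOCK_MANAGEMENT_ENGINE is not y, so there is no way to leave the lock state of the image as it was. If that is intended, a comment at the `else` should say so; otherwise consider acting only when locking is requested, or a separate option for unlocking. Also, the rule lists `$(IFDTOOL)` as its prerequisite while the new lines call `$(objutil)/ifdtool/ifdtool` by path; using `$(IFDTOOL)` in both places keeps them from drifting apart. The `mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre` line is identical in both branches and could move below the `endif`.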