Add Kconfig option to lock/unlock ME firmware during build

For reasons of security and testing we want to be able to enable/disable ME section locking through a config option. Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f Signed-off-by: Stefan Reinauer <reinauer@google.com> Reviewed-on: http://review.coreboot.org/1798 Tested-by: build bot (Jenkins) Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
2012-10-31 17:30:13 -07:00 · 2012-10-31 17:30:13 -07:00 · 7004b7c9e6
parent 1bfbbc0d8f
commit 7004b7c9e6
2 changed files with 22 additions and 0 deletions
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@ -58,4 +58,17 @@ config HPET_MIN_TICKS
 	hex
 	default 0x80

+config LOCK_MANAGEMENT_ENGINE
+	bool "Lock Management Engine section"
+	default n
+	help
+	  The Intel Management Engine supports preventing write accesses
+	  from the host to the Management Engine section in the firmware
+	  descriptor. If the ME section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME firmware is no longer going to change.
+
+	  If unsure, say N.
+
 endif
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@ -60,5 +60,14 @@ bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
 		-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
 		$(obj)/coreboot.pre
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
+	printf "    IFDTOOL    Locking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+else
+	printf "    IFDTOOL    Unlocking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+endif

 PHONY += bd82x6x_add_me