Add Kconfig option to lock/unlock ME firmware during build
For reasons of security and testing we want to be able to enable/disable ME section locking through a config option. Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f Signed-off-by: Stefan Reinauer <reinauer@google.com> Reviewed-on: http://review.coreboot.org/1798 Tested-by: build bot (Jenkins) Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
This commit is contained in:
parent
1bfbbc0d8f
commit
7004b7c9e6
|
@ -58,4 +58,17 @@ config HPET_MIN_TICKS
|
|||
hex
|
||||
default 0x80
|
||||
|
||||
config LOCK_MANAGEMENT_ENGINE
|
||||
bool "Lock Management Engine section"
|
||||
default n
|
||||
help
|
||||
The Intel Management Engine supports preventing write accesses
|
||||
from the host to the Management Engine section in the firmware
|
||||
descriptor. If the ME section is locked, it can only be overwritten
|
||||
with an external SPI flash programmer. You will want this if you
|
||||
want to increase security of your ROM image once you are sure
|
||||
that the ME firmware is no longer going to change.
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
endif
|
||||
|
|
|
@ -60,5 +60,14 @@ bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
|
|||
-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
|
||||
$(obj)/coreboot.pre
|
||||
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
|
||||
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
|
||||
printf " IFDTOOL Locking Management Engine\n"
|
||||
$(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
|
||||
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
|
||||
else
|
||||
printf " IFDTOOL Unlocking Management Engine\n"
|
||||
$(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
|
||||
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
|
||||
endif
|
||||
|
||||
PHONY += bd82x6x_add_me
|
||||
|
|
Loading…
Reference in New Issue