diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 7634b801ff..e330fb4382 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -58,4 +58,17 @@ config HPET_MIN_TICKS
 	hex
 	default 0x80
 
+config LOCK_MANAGEMENT_ENGINE
+	bool "Lock Management Engine section"
+	default n
+	help
+	  The Intel Management Engine supports preventing write accesses
+	  from the host to the Management Engine section in the firmware
+	  descriptor. If the ME section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME firmware is no longer going to change.
+
+	  If unsure, say N.
+
 endif
diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc b/src/southbridge/intel/bd82x6x/Makefile.inc
index eca3d9e2af..7fd6ca8a25 100644
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@@ -60,5 +60,14 @@ bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
 		-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
 		$(obj)/coreboot.pre
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
+	printf "    IFDTOOL    Locking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+else
+	printf "    IFDTOOL    Unlocking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+endif
 
 PHONY += bd82x6x_add_me