[coreboot] New patch to review for coreboot: 0443576 Add Kconfig option to lock/unlock ME firmware during build

Stefan Reinauer (stefan.reinauer@coreboot.org) gerrit at coreboot.org
Wed Nov 7 03:56:10 CET 2012


Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/1798

-gerrit

commit 0443576264c1323070e072a629bca54a3684d4be
Author: Stefan Reinauer <reinauer at chromium.org>
Date:   Wed Oct 31 17:30:13 2012 -0700

    Add Kconfig option to lock/unlock ME firmware during build
    
    For reasons of security and testing we want to be able to
    enable/disable ME section locking through a config option.
    
    Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f
    Signed-off-by: Stefan Reinauer <reinauer at google.com>
---
 src/southbridge/intel/bd82x6x/Kconfig      | 13 +++++++++++++
 src/southbridge/intel/bd82x6x/Makefile.inc | 15 ++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 7634b80..e330fb4 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -58,4 +58,17 @@ config HPET_MIN_TICKS
 	hex
 	default 0x80
 
+config LOCK_MANAGEMENT_ENGINE
+	bool "Lock Management Engine section"
+	default n
+	help
+	  The Intel Management Engine supports preventing write accesses
+	  from the host to the Management Engine section in the firmware
+	  descriptor. If the ME section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME firmware is no longer going to change.
+
+	  If unsure, say N.
+
 endif
diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc b/src/southbridge/intel/bd82x6x/Makefile.inc
index 374b1e8..7fd6ca8 100644
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@@ -20,7 +20,7 @@
 # Run an intermediate step when producing coreboot.rom
 # that adds additional components to the final firmware
 # image outside of CBFS
-INTERMEDIATE:=bd82x6x_add_me
+INTERMEDIATE+=bd82x6x_add_me
 
 driver-y += pch.c
 driver-y += azalia.c
@@ -51,7 +51,7 @@ smm-$(CONFIG_USBDEBUG) += usb_debug.c
 romstage-y += reset.c
 romstage-y += early_spi.c
 
-$(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL)
+bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
 	printf "    DD         Adding Intel Firmware Descriptor\n"
 	dd if=3rdparty/mainboard/$(MAINBOARDDIR)/descriptor.bin \
 		of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
@@ -60,5 +60,14 @@ $(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL)
 		-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
 		$(obj)/coreboot.pre
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
+	printf "    IFDTOOL    Locking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+else
+	printf "    IFDTOOL    Unlocking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+endif
 
-PHONY += $$(INTERMEDIATE)
+PHONY += bd82x6x_add_me




More information about the coreboot mailing list