[coreboot] New patch to review for coreboot: 0443576 Add Kconfig option to lock/unlock ME firmware during build
Stefan Reinauer (stefan.reinauer@coreboot.org)
gerrit at coreboot.org
Wed Nov 7 03:56:10 CET 2012
Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/1798
-gerrit
commit 0443576264c1323070e072a629bca54a3684d4be
Author: Stefan Reinauer <reinauer at chromium.org>
Date: Wed Oct 31 17:30:13 2012 -0700
Add Kconfig option to lock/unlock ME firmware during build
For reasons of security and testing we want to be able to
enable/disable ME section locking through a config option.
Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f
Signed-off-by: Stefan Reinauer <reinauer at google.com>
---
src/southbridge/intel/bd82x6x/Kconfig | 13 +++++++++++++
src/southbridge/intel/bd82x6x/Makefile.inc | 15 ++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 7634b80..e330fb4 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -58,4 +58,17 @@ config HPET_MIN_TICKS
hex
default 0x80
+config LOCK_MANAGEMENT_ENGINE
+ bool "Lock Management Engine section"
+ default n
+ help
+ The Intel Management Engine supports preventing write accesses
+ from the host to the Management Engine section in the firmware
+ descriptor. If the ME section is locked, it can only be overwritten
+ with an external SPI flash programmer. You will want this if you
+ want to increase security of your ROM image once you are sure
+ that the ME firmware is no longer going to change.
+
+ If unsure, say N.
+
endif
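Review bot: The help text for LOCK_MANAGEMENT_ENGINE describes only what Y does, and it never says that N is an active choice too. With `default n`, the Makefile.inc change in this same commit runs `ifdtool -u` on the image, so N appears to mean "unlock the ME section" rather than "leave the descriptor as supplied". Someone who picks N because of the "If unsure" line would not learn that the image presumably leaves the ME section writable from the host. I would add a sentence before "If unsure", such as `If you say N, the build explicitly unlocks the ME section so the host can rewrite it.` It is also worth reconsidering whether N is the right advice for images that will be deployed rather than tested.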
diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc b/src/southbridge/intel/bd82x6x/Makefile.inc
index 374b1e8..7fd6ca8 100644
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@@ -20,7 +20,7 @@
# Run an intermediate step when producing coreboot.rom
# that adds additional components to the final firmware
# image outside of CBFS
-INTERMEDIATE:=bd82x6x_add_me
+INTERMEDIATE+=bd82x6x_add_me
driver-y += pch.c
driver-y += azalia.c
@@ -51,7 +51,7 @@ smm-$(CONFIG_USBDEBUG) += usb_debug.c
romstage-y += reset.c
romstage-y += early_spi.c
-$(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL)
+bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
printf " DD Adding Intel Firmware Descriptor\n"
dd if=3rdparty/mainboard/$(MAINBOARDDIR)/descriptor.bin \
of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
@@ -60,5 +60,14 @@ $(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL)
-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
+ printf " IFDTOOL Locking Management Engine\n"
+ $(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+ mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+else
+ printf " IFDTOOL Unlocking Management Engine\n"
+ $(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+ mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+endif
-PHONY += $$(INTERMEDIATE)
+PHONY += bd82x6x_add_me
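Review bot: The `else` branch runs `ifdtool -u` whenever CONFIG_LOCK_MANAGEMENT_ENGINE is not `y`, so no configuration leaves the permissions in `3rdparty/mainboard/$(MAINBOARDDIR)/descriptor.bin` as they were supplied. A descriptor that arrives locked is unlocked by default. If unlocking is only wanted for development and testing, consider dropping the `else` branch so an unset option leaves the descriptor untouched, or putting the unlock behind its own opt-in option. The new lines also call `$(objutil)/ifdtool/ifdtool` while the rule's prerequisite in the previous hunk is `$(IFDTOOL)`. Assuming the two are meant to be the same binary, `$(IFDTOOL) -l $(obj)/coreboot.pre` keeps the recipe tied to the tool the rule depends on. The recipe begins in the previous hunk, so the earlier ifdtool invocation is not fully visible here.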