[coreboot-gerrit] New patch to review for coreboot: Intel Firmware Descriptor: Add Lock ME Kconfig question
Martin Roth (gaumless@gmail.com)
gerrit at coreboot.org
Wed Jun 24 05:53:44 CEST 2015
Martin Roth (gaumless at gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10648
-gerrit
commit 4b54e2255943a9fe034805d758796a7fdea5caaf
Author: Martin Roth <gaumless at gmail.com>
Date: Tue Jun 23 21:47:19 2015 -0600
Intel Firmware Descriptor: Add Lock ME Kconfig question
Add the Kconfig question to allow the user to lock the ME section
using ifdtool.
Change-Id: I46018c3bc9df3e309aa3083d693cbebf00e18062
Signed-off-by: Martin Roth <gaumless at gmail.com>
---
src/southbridge/intel/common/firmware/Kconfig | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 06edab5..cc7c51a 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -92,5 +92,18 @@ config IFD_PLATFORM_SECTION
string
default ""
+config LOCK_MANAGEMENT_ENGINE
+ bool "Lock ME/TXE section"
+ depends on HAVE_ME_BIN && USES_INTEL_ME
+ default n
+ help
+ The Intel Firmware Descriptor supports preventing write accesses
+ from the host to the ME or TXE section in the firmware
+ descriptor. If the section is locked, it can only be overwritten
+ with an external SPI flash programmer. You will want this if you
+ want to increase security of your ROM image once you are sure
+ that the ME/TXE firmware is no longer going to change.
+
+ If unsure, say N.
endif #INTEL_FIRMWARE
More information about the coreboot-gerrit
mailing list