Stefan Reinauer ([email protected]) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/1798
-gerrit commit a0e1d17401ab2f10475d4fecee21ae09e2b6a5c8 Author: Stefan Reinauer <[email protected]> Date: Wed Oct 31 17:30:13 2012 -0700 Add Kconfig option to lock/unlock ME firmware during build For reasons of security and testing we want to be able to enable/disable ME section locking through a config option. Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f Signed-off-by: Stefan Reinauer <[email protected]> --- src/southbridge/intel/bd82x6x/Kconfig | 13 +++++++++++++ src/southbridge/intel/bd82x6x/Makefile.inc | 15 ++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig index 75858c2..f68e89e 100644 --- a/src/southbridge/intel/bd82x6x/Kconfig +++ b/src/southbridge/intel/bd82x6x/Kconfig @@ -59,4 +59,17 @@ config HPET_MIN_TICKS hex default 0x80 +config LOCK_MANAGEMENT_ENGINE + bool "Lock Management Engine section" + default n + help + The Intel Management Engine supports preventing write accesses + from the host to the Management Engine section in the firmware + descriptor. If the ME section is locked, it can only be overwritten + with an external SPI flash programmer. You will want this if you + want to increase security of your ROM image once you are sure + that the ME firmware is no longer going to change. + + If unsure, say N. + endif diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc b/src/southbridge/intel/bd82x6x/Makefile.inc index 7abf4f2..3a3e1a8 100644 --- a/src/southbridge/intel/bd82x6x/Makefile.inc +++ b/src/southbridge/intel/bd82x6x/Makefile.inc @@ -20,7 +20,7 @@ # Run an intermediate step when producing coreboot.rom # that adds additional components to the final firmware # image outside of CBFS -INTERMEDIATE:=bd82x6x_add_me +INTERMEDIATE+=bd82x6x_add_me driver-y += pch.c driver-y += azalia.c @@ -50,7 +50,7 @@ ramstage-$(CONFIG_USBDEBUG) += usb_debug.c smm-$(CONFIG_USBDEBUG) += usb_debug.c romstage-y += reset.c -$(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL) +bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL) printf " DD Adding Intel Firmware Descriptor\n" dd if=3rdparty/mainboard/$(MAINBOARDDIR)/descriptor.bin \ of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1 @@ -59,5 +59,14 @@ $(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL) -i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \ $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre +ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) + printf " IFDTOOL Locking Management Engine\n" + $(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre + mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre +else + printf " IFDTOOL Unlocking Management Engine\n" + $(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre + mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre +endif -PHONY += $$(INTERMEDIATE) +PHONY += bd82x6x_add_me -- coreboot mailing list: [email protected] http://www.coreboot.org/mailman/listinfo/coreboot
