Stefan Reinauer ([email protected]) just uploaded a new patch set to 
gerrit, which you can find at http://review.coreboot.org/1798

-gerrit

commit 5a369c91ac7b0cf957e23132ccab22437e57a933
Author: Stefan Reinauer <[email protected]>
Date:   Wed Oct 31 17:30:13 2012 -0700

    Add Kconfig option to lock/unlock ME firmware during build
    
    For reasons of security and testing we want to be able to
    enable/disable ME section locking through a config option.
    
    Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f
    Signed-off-by: Stefan Reinauer <[email protected]>
---
 src/southbridge/intel/bd82x6x/Kconfig      | 13 +++++++++++++
 src/southbridge/intel/bd82x6x/Makefile.inc |  9 +++++++++
 2 files changed, 22 insertions(+)

diff --git a/src/southbridge/intel/bd82x6x/Kconfig 
b/src/southbridge/intel/bd82x6x/Kconfig
index 7634b80..e330fb4 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -58,4 +58,17 @@ config HPET_MIN_TICKS
        hex
        default 0x80
 
+config LOCK_MANAGEMENT_ENGINE
+       bool "Lock Management Engine section"
+       default n
+       help
+         The Intel Management Engine supports preventing write accesses
+         from the host to the Management Engine section in the firmware
+         descriptor. If the ME section is locked, it can only be overwritten
+         with an external SPI flash programmer. You will want this if you
+         want to increase security of your ROM image once you are sure
+         that the ME firmware is no longer going to change.
+
+         If unsure, say N.
+
 endif
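Review bot: The help text for LOCK_MANAGEMENT_ENGINE describes only the locked state, and with `default n` an ordinary build ends up with an ME section the host can write to. According to the Makefile.inc hunk of this commit, choosing N does not leave the descriptor as supplied: it runs `ifdtool -u`, so a descriptor that arrived locked would be unlocked by the build. I would add a sentence to the help such as `If this option is disabled, the build explicitly unlocks the ME section, so software running on the host can rewrite it.` As far as I know, ifdtool's lock option also covers the descriptor region itself, which the help could mention once that is confirmed.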
diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc 
b/src/southbridge/intel/bd82x6x/Makefile.inc
index eca3d9e..7fd6ca8 100644
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@@ -60,5 +60,14 @@ bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
                -i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
                $(obj)/coreboot.pre
        mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
+       printf "    IFDTOOL    Locking Management Engine\n"
+       $(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+       mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+else
+       printf "    IFDTOOL    Unlocking Management Engine\n"
+       $(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+       mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+endif
 
 PHONY += bd82x6x_add_me
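Review bot: The added recipe lines call `$(objutil)/ifdtool/ifdtool` directly although the rule header lists `$(IFDTOOL)` as its prerequisite. If that variable names the same binary (its definition is outside the hunk), `$(IFDTOOL) -l $(obj)/coreboot.pre` and `$(IFDTOOL) -u $(obj)/coreboot.pre` would keep the tool path in one place and tie the command to the declared dependency. The line `mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre` is identical in both branches and could appear once after `endif`. The recipe of bd82x6x_add_me begins above the hunk, so whether the earlier ifdtool call uses the variable cannot be seen from here.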

-- 
coreboot mailing list: [email protected]
http://www.coreboot.org/mailman/listinfo/coreboot
