diff options
| author | Sridhar Siricilla <sridhar.siricilla@intel.com> | 2020-12-03 17:56:49 +0530 |
|---|---|---|
| committer | Patrick Georgi <pgeorgi@google.com> | 2020-12-07 14:06:28 +0000 |
| commit | 416b828f47655b6306d3f1ae49e3c3227a1296dd (patch) | |
| tree | 3f557372c92d107176bbfe589de3ae63f7d283ab /src/southbridge/intel/common/firmware/Makefile.inc | |
| parent | e02b62a4f537ef4ad10e22c05b209c045884ef37 (diff) | |
sb/intel/common: Modify CONFIG_LOCK_MANAGEMENT_ENGINE behavior
The patch modifies KConfig behaviour if CSE Lite SKU is integrated into
the coreboot. When the CSE Lite SKU is integrated, the KConfig prevents
writing to ME region but keeps read access enabled. Since CSE Lite driver
checks the signature of RW partition to identify the interrupted CSE
firmware update, so host must have read access to the ME region. Also, the
patch modifies the KConfig's help text to reflect the change.
When CSE Lite SKU is integrated, master access permissions:
FLMSTR1: 0x002007ff (Host CPU/BIOS)
EC Region Write Access: disabled
Platform Data Region Write Access: disabled
GbE Region Write Access: disabled
Intel ME Region Write Access: disabled
Host CPU/BIOS Region Write Access: enabled
Flash Descriptor Write Access: disabled
EC Region Read Access: disabled
Platform Data Region Read Access: disabled
GbE Region Read Access: disabled
Intel ME Region Read Access: enabled
Host CPU/BIOS Region Read Access: enabled
Flash Descriptor Read Access: enabled
BUG=b:174118018
TEST=Built and verified the access permissions.
Signed-off-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Change-Id: I2f6677ab7b59ddce827d3fcaae61508a30dc1b28
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48267
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Karthik Ramasubramanian <kramasub@google.com>
Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
Diffstat (limited to 'src/southbridge/intel/common/firmware/Makefile.inc')
| -rw-r--r-- | src/southbridge/intel/common/firmware/Makefile.inc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index df9a57f168..516cd4d453 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -17,6 +17,12 @@ ifneq ($(call strip_quotes,$(CONFIG_IFD_CHIPSET)),) IFDTOOL_USE_CHIPSET := -p $(CONFIG_IFD_CHIPSET) endif +ifeq ($(CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS),y) +IFDTOOL_LOCK_ME_MODE := -lr +else +IFDTOOL_LOCK_ME_MODE := -l +endif + add_intel_firmware: $(call strip_quotes,$(CONFIG_IFD_BIN_PATH)) ifeq ($(CONFIG_HAVE_ME_BIN),y) add_intel_firmware: $(call strip_quotes,$(CONFIG_ME_BIN_PATH)) @@ -73,7 +79,7 @@ endif ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) printf " IFDTOOL Locking Management Engine\n" $(objutil)/ifdtool/ifdtool \ - $(IFDTOOL_USE_CHIPSET) -l \ + $(IFDTOOL_USE_CHIPSET) $(IFDTOOL_LOCK_ME_MODE) \ -O $(obj)/coreboot.pre \ $(obj)/coreboot.pre endif |