-rw-r--r--src/southbridge/intel/common/firmware/Kconfig26
-rw-r--r--src/southbridge/intel/common/firmware/Makefile.inc4
-rw-r--r--src/southbridge/intel/lynxpoint/Kconfig4
3 files changed, 27 insertions, 7 deletions
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 31a3df32c9..c0dd43984d 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -141,9 +141,23 @@ config EC_BIN_PATH
depends on HAVE_EC_BIN
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"
+choice
+ prompt "Protect flash regions"
+ default UNLOCK_FLASH_REGIONS
+ help
+ This option allows you to protect flash regions.
+
+config DO_NOT_TOUCH_DESCRIPTOR_REGION
+ bool "Use the preset values to protect the regions"
+ help
+ Read and write access permissions to different regions in the flash
+ can be controlled via dedicated bitfields in the flash descriptor.
+ These permissions can be modified with the Intel Flash Descriptor
+ Tool (ifdtool). If you don't want to change these permissions and
+ keep the ones provided in the initial descriptor, use this option.
+
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
- default n
help
The Intel Firmware Descriptor supports preventing write accesses
from the host to the ME or TXE section in the firmware
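Review bot: The prompt on DO_NOT_TOUCH_DESCRIPTOR_REGION, "Use the preset values to protect the regions", promises protection that the option does not itself provide. Per its own help text it only keeps whatever permissions the initial descriptor carries, and those may leave every region open. A prompt such as `bool "Keep the access permissions of the supplied descriptor"` would say what actually happens. The choice-level help ("This option allows you to protect flash regions.") could also state that the selection decides whether ifdtool rewrites the descriptor's permissions at build time, and that the default leaves them unlocked.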
@@ -152,7 +166,15 @@ config LOCK_MANAGEMENT_ENGINE
want to increase security of your ROM image once you are sure
that the ME/TXE firmware is no longer going to change.
- If unsure, say N.
+ If unsure, select "Unlock flash regions".
+
+config UNLOCK_FLASH_REGIONS
+ bool "Unlock flash regions"
+ help
+ All regions are completely unprotected and can be overwritten using
+ a flash programming tool.
+
+endchoice
config CBFS_SIZE
hex
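Review bot: The help for UNLOCK_FLASH_REGIONS, which is both the choice default and the "If unsure" recommendation, describes the outcome only as regions that "can be overwritten using a flash programming tool". It does not say that the descriptor then stops restricting host access to the ME/TXE section, which is the property the LOCK_MANAGEMENT_ENGINE help just above is about. I would add a sentence such as `The flash descriptor will then not restrict host read or write access to any region.` so that someone accepting the default knows what is being given up. LOCK_MANAGEMENT_ENGINE's prompt and help still speak only of the ME/TXE section while its counterpart covers all regions, so it is worth confirming that the wording matches what `ifdtool -l` actually changes.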
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index 774bb2391a..898ab60770 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -68,12 +68,14 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y)
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
endif
+
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
printf " IFDTOOL Locking Management Engine\n"
$(objutil)/ifdtool/ifdtool \
$(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
-else
+endif
+ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)
printf " IFDTOOL Unlocking Management Engine\n"
$(objutil)/ifdtool/ifdtool \
$(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre
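Review bot: The progress message under the new `ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)` still reads "Unlocking Management Engine", although Kconfig now describes that option as unlocking all regions; the text should follow the option, for example "Unlocking flash regions". The build log is where someone checks whether an image was locked, so the message should name what was actually done to the descriptor. A one-line comment above the two tests, `# Neither block runs for DO_NOT_TOUCH_DESCRIPTOR_REGION; the descriptor is left as supplied.`, would explain why the former `else` became two independent conditions. The enclosing rule begins above this hunk and the rest of the unlock block falls below it.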
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index 79f30ae706..87e197070b 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -79,8 +79,4 @@ config FINALIZE_USB_ROUTE_XHCI
If you set this option to y, the USB ports will be routed
to the XHCI controller during the finalize SMM callback.
-config LOCK_MANAGEMENT_ENGINE
- bool
- default n
-
endif