-rw-r--r-- | src/southbridge/intel/common/firmware/Kconfig | 26 | ||||
-rw-r--r-- | src/southbridge/intel/common/firmware/Makefile.inc | 4 | ||||
-rw-r--r-- | src/southbridge/intel/lynxpoint/Kconfig | 4 |
3 files changed, 27 insertions, 7 deletions
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index 31a3df32c9..c0dd43984d 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -141,9 +141,23 @@ config EC_BIN_PATH depends on HAVE_EC_BIN default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin" +choice + prompt "Protect flash regions" + default UNLOCK_FLASH_REGIONS + help + This option allows you to protect flash regions. + +config DO_NOT_TOUCH_DESCRIPTOR_REGION + bool "Use the preset values to protect the regions" + help + Read and write access permissions to different regions in the flash + can be controlled via dedicated bitfields in the flash descriptor. + These permissions can be modified with the Intel Flash Descriptor + Tool (ifdtool). If you don't want to change these permissions and + keep the ones provided in the initial descriptor, use this option. + config LOCK_MANAGEMENT_ENGINE bool "Lock ME/TXE section" - default n help The Intel Firmware Descriptor supports preventing write accesses from the host to the ME or TXE section in the firmware @@ -152,7 +166,15 @@ config LOCK_MANAGEMENT_ENGINE want to increase security of your ROM image once you are sure that the ME/TXE firmware is no longer going to change. - If unsure, say N. + If unsure, select "Unlock flash regions". + +config UNLOCK_FLASH_REGIONS + bool "Unlock flash regions" + help + All regions are completely unprotected and can be overwritten using + a flash programming tool. + +endchoice config CBFS_SIZE hex diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 774bb2391a..898ab60770 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc 
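Review bot: The new choice defaults to `UNLOCK_FLASH_REGIONS`, yet its help text ("This option allows you to protect flash regions.") never says that the default is the unprotected state. This keeps the behaviour of the old `default n`, but it is now one of three named policies and should be documented as such. I would expand the choice help to something like `Select how the region access permissions in the flash descriptor are set in the final image. The default leaves all regions unprotected.` The second Kconfig hunk changes the advice under `LOCK_MANAGEMENT_ENGINE` to "If unsure, select "Unlock flash regions"", which steers unsure users to the least protected option without stating the trade-off. One sentence there, or in the `UNLOCK_FLASH_REGIONS` help, should say that this choice suits images that will still be reflashed, and that `DO_NOT_TOUCH_DESCRIPTOR_REGION` keeps whatever permissions the supplied descriptor already has.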
@@ -68,12 +68,14 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y) $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre endif + ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) printf " IFDTOOL Locking Management Engine\n" $(objutil)/ifdtool/ifdtool \ $(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre -else +endif +ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y) printf " IFDTOOL Unlocking Management Engine\n" $(objutil)/ifdtool/ifdtool \ $(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig index 79f30ae706..87e197070b 100644 --- a/src/southbridge/intel/lynxpoint/Kconfig +++ b/src/southbridge/intel/lynxpoint/Kconfig @@ -79,8 +79,4 @@ config FINALIZE_USB_ROUTE_XHCI If you set this option to y, the USB ports will be routed to the XHCI controller during the finalize SMM callback. -config LOCK_MANAGEMENT_ENGINE - bool - default n - endif |
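Review bot: The build log no longer describes what is done to the descriptor: the `CONFIG_UNLOCK_FLASH_REGIONS` branch still prints "Unlocking Management Engine" although the option now unlocks all regions, and the new `CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION` case prints nothing. Someone auditing a build cannot tell from the output which protection state the image ended up in. I would change the message to `printf "    IFDTOOL    Unlocking flash regions\n"` and add a short `ifeq ($(CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION),y)` block that only prints that the descriptor permissions were left unchanged. Replacing `else` with a second `ifeq` also means mutual exclusion of lock and unlock now rests entirely on the Kconfig `choice`, which deserves a one-line comment above the two blocks. The unlock block's remaining recipe lines and its `endif` lie outside the hunk.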