summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/soc/intel/common/block/cse/Kconfig1
-rw-r--r--src/southbridge/intel/common/firmware/Kconfig20
-rw-r--r--src/southbridge/intel/common/firmware/Makefile.inc8
3 files changed, 22 insertions, 7 deletions
diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index ee6ce68c1f..d3b7288a81 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
@@ -17,6 +17,7 @@ config SOC_INTEL_CSE_LITE_SKU
bool
default n
depends on CHROMEOS
+ select ME_REGION_ALLOW_CPU_READ_ACCESS
help
Enables CSE Lite SKU
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 4e934265bb..cd975ba4e6 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -55,6 +55,14 @@ config CHECK_ME
proceeding with the build, in order to prevent an accidental loading
of a corrupted ME/TXE image.
+config ME_REGION_ALLOW_CPU_READ_ACCESS
+ bool "Allows HOST/CPU read access to ME region"
+ default n
+ help
+ The config ensures Host has read access to the ME region if it is locked
+ through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE
+ Lite SKU is integrated.
+
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
@@ -145,12 +153,12 @@ config DO_NOT_TOUCH_DESCRIPTOR_REGION
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
help
- The Intel Firmware Descriptor supports preventing write accesses
- from the host to the ME or TXE section in the firmware
- descriptor. If the section is locked, it can only be overwritten
- with an external SPI flash programmer. You will want this if you
- want to increase security of your ROM image once you are sure
- that the ME/TXE firmware is no longer going to change.
+ The Intel Firmware Descriptor supports preventing write and read
+ accesses from the host to the ME or TXE section. If the section
+ is locked, it can only be overwritten with an external SPI flash
+ programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE
+ before writing to the ME Section. If CSE Lite SKU is integrated,
+ the Kconfig prevents only writing to the ME section.
If unsure, select "Unlock flash regions".
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index df9a57f168..516cd4d453 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -17,6 +17,12 @@ ifneq ($(call strip_quotes,$(CONFIG_IFD_CHIPSET)),)
IFDTOOL_USE_CHIPSET := -p $(CONFIG_IFD_CHIPSET)
endif
+ifeq ($(CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS),y)
+IFDTOOL_LOCK_ME_MODE := -lr
+else
+IFDTOOL_LOCK_ME_MODE := -l
+endif
+
add_intel_firmware: $(call strip_quotes,$(CONFIG_IFD_BIN_PATH))
ifeq ($(CONFIG_HAVE_ME_BIN),y)
add_intel_firmware: $(call strip_quotes,$(CONFIG_ME_BIN_PATH))
@@ -73,7 +79,7 @@ endif
ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
printf " IFDTOOL Locking Management Engine\n"
$(objutil)/ifdtool/ifdtool \
- $(IFDTOOL_USE_CHIPSET) -l \
+ $(IFDTOOL_USE_CHIPSET) $(IFDTOOL_LOCK_ME_MODE) \
-O $(obj)/coreboot.pre \
$(obj)/coreboot.pre
endif