1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
##
## This file is part of the coreboot project.
##
## Copyright (C) 2011 Google Inc.
## Copyright (C) 2013-2014 Sage Electronic Engineering, LLC.
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; version 2 of the License.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
config HAVE_INTEL_FIRMWARE
bool
help
Chipset uses the Intel Firmware Descriptor to describe the
layout of the SPI ROM chip.
if HAVE_INTEL_FIRMWARE
comment "Intel Firmware"
config HAVE_IFD_BIN
bool "Add Intel descriptor.bin file"
help
The descriptor binary
config IFD_BIN_PATH
string "Path and filename of the descriptor.bin file"
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/descriptor.bin"
depends on HAVE_IFD_BIN && !BUILD_WITH_FAKE_IFD
config EM100
bool "Configure IFD for EM100 usage"
depends on HAVE_IFD_BIN && !BUILD_WITH_FAKE_IFD
help
Set SPI frequency to 20MHz and disable Dual Output Fast Read Support
config HAVE_ME_BIN
bool "Add Intel ME/TXE firmware"
depends on HAVE_IFD_BIN
help
The Intel processor in the selected system requires a special firmware
for an integrated controller. This might be called the Management
Engine (ME), the Trusted Execution Engine (TXE) or something else
depending on the chip. This firmware might or might not be available
in coreboot's 3rdparty/blobs repository. If it is not and if you don't
have access to the firmware from elsewhere, you can still build
coreboot without it. In this case however, you'll have to make sure
that you don't overwrite your ME/TXE firmware on your flash ROM.
config ME_BIN_PATH
string "Path to management engine firmware"
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin"
depends on HAVE_ME_BIN
config CHECK_ME
bool "Verify the integrity of the supplied ME/TXE firmware"
default n
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_NEHALEM || \
NORTHBRIDGE_INTEL_SANDYBRIDGE || \
NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \
SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
help
Verify the integrity of the supplied Intel ME/TXE firmware before
proceeding with the build, in order to prevent an accidental loading
of a corrupted ME/TXE image.
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \
NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \
SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
help
Use me_cleaner to remove all the non-fundamental code from the Intel
ME/TXE firmware.
The resulting Intel ME/TXE firmware will have only the code
responsible for the very basic hardware initialization, leaving the
ME/TXE subsystem essentially in a disabled state.
Don't flash a modified ME/TXE firmware and a new coreboot image at the
same time, test them in two different steps.
WARNING: this tool isn't based on any official Intel documentation but
only on reverse engineering and trial & error.
See the project's page
https://github.com/corna/me_cleaner
or the wiki
https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
https://github.com/corna/me_cleaner/wiki/me_cleaner-status
for more info about this tool
If unsure, say N.
comment "Please test the modified ME/TXE firmware and coreboot in two steps"
depends on USE_ME_CLEANER
config ME_CLEANER_ARGS
string
depends on USE_ME_CLEANER
default "-S"
config HAVE_GBE_BIN
bool "Add gigabit ethernet firmware"
depends on HAVE_IFD_BIN
help
The integrated gigabit ethernet controller needs a firmware file.
Select this if you are going to use the PCH integrated controller
and have the firmware.
config GBE_BIN_PATH
string "Path to gigabit ethernet firmware"
depends on HAVE_GBE_BIN
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/gbe.bin"
config HAVE_EC_BIN
bool "Add EC firmware"
depends on HAVE_IFD_BIN
help
The embedded controller needs a firmware file.
Select this if you are going to use the PCH integrated controller
and have the EC firmware. EC firmware will be added to final image
through ifdtool.
config EC_BIN_PATH
string "Path to EC firmware"
depends on HAVE_EC_BIN
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"
##### Fake IFD #####
config BUILD_WITH_FAKE_IFD
bool "Build with a fake IFD" if !HAVE_IFD_BIN
help
If you don't have an Intel Firmware Descriptor (descriptor.bin) for your
board, you can select this option and coreboot will build without it.
The resulting coreboot.rom will not contain all parts required
to get coreboot running on your board. You can however write only the
BIOS section to your board's flash ROM and keep the other sections
untouched. Unfortunately the current version of flashrom doesn't
support this yet. But there is a patch pending [1].
WARNING: Never write a complete coreboot.rom to your flash ROM if it
was built with a fake IFD. It just won't work.
[1] http://www.flashrom.org/pipermail/flashrom/2013-June/011083.html
config IFD_BIOS_SECTION
depends on BUILD_WITH_FAKE_IFD
string "BIOS Region Starting:Ending addresses within the ROM"
default ""
help
The BIOS region is typically the size of the CBFS area, and is located
at the end of the ROM space.
For an 8MB ROM with a 3MB CBFS area, this would look like:
0x00500000:0x007fffff
config IFD_ME_SECTION
depends on BUILD_WITH_FAKE_IFD
string "ME/TXE Region Starting:Ending addresses within the ROM"
default ""
help
The ME/TXE region typically starts at around 0x1000 and often fills the
ROM space not used by CBFS.
For an 8MB ROM with a 3MB CBFS area, this might look like:
0x00001000:0x004fffff
config IFD_GBE_SECTION
depends on BUILD_WITH_FAKE_IFD
string "GBE Region Starting:Ending addresses within the ROM"
default ""
help
The Gigabit Ethernet ROM region is used when an Intel NIC is built into
the Southbridge/SOC and the platform uses this device instead of an external
PCIe NIC. It will be located between the ME/TXE and the BIOS region.
Leave this empty if you're unsure.
config IFD_PLATFORM_SECTION
depends on BUILD_WITH_FAKE_IFD
string "Platform Region Starting:Ending addresses within the Rom"
default ""
help
The Platform region is used for platform specific data.
It will be located between the ME/TXE and the BIOS region.
Leave this empty if you're unsure.
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
default n
help
The Intel Firmware Descriptor supports preventing write accesses
from the host to the ME or TXE section in the firmware
descriptor. If the section is locked, it can only be overwritten
with an external SPI flash programmer. You will want this if you
want to increase security of your ROM image once you are sure
that the ME/TXE firmware is no longer going to change.
If unsure, say N.
config CBFS_SIZE
hex
default 0x100000
help
Reduce CBFS size to give room to the IFD blobs.
endif #INTEL_FIRMWARE
|