blob: 36dde562a9d8ca9b8ac633470645272834a2d5c6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
|
# SPDX-License-Identifier: GPL-2.0-only
config HAVE_INTEL_FIRMWARE
bool
default y if INTEL_DESCRIPTOR_MODE_CAPABLE
help
Platform uses the Intel Firmware Descriptor to describe the
layout of the SPI ROM chip. Enabling this option will allow you to
select further features that rely on this like providing individual
firmware blobs.
if HAVE_INTEL_FIRMWARE
comment "Intel Firmware"
config HAVE_IFD_BIN
bool "Add Intel descriptor.bin file"
select HAVE_EM100_SUPPORT # We use ifdtool to enable this.
help
The descriptor binary
config IFD_BIN_PATH
string "Path and filename of the descriptor.bin file"
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/descriptor.bin"
depends on HAVE_IFD_BIN
config HAVE_ME_BIN
bool "Add Intel ME/TXE firmware"
depends on HAVE_IFD_BIN
help
The Intel processor in the selected system requires a special firmware
for an integrated controller. This might be called the Management
Engine (ME), the Trusted Execution Engine (TXE) or something else
depending on the chip. This firmware might or might not be available
in coreboot's 3rdparty/blobs repository. If it is not and if you don't
have access to the firmware from elsewhere, you can still build
coreboot without it. In this case however, you'll have to make sure
that you don't overwrite your ME/TXE firmware on your flash ROM.
config ME_BIN_PATH
string "Path to management engine firmware"
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/me.bin"
depends on HAVE_ME_BIN
config CHECK_ME
bool "Verify the integrity of the supplied ME/TXE firmware"
default n
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
NORTHBRIDGE_INTEL_SANDYBRIDGE || \
NORTHBRIDGE_INTEL_HASWELL || \
SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
help
Verify the integrity of the supplied Intel ME/TXE firmware before
proceeding with the build, in order to prevent an accidental loading
of a corrupted ME/TXE image.
config ME_REGION_ALLOW_CPU_READ_ACCESS
bool "Allows HOST/CPU read access to ME region"
default y if SOC_INTEL_CSE_LITE_SKU
default n
help
The config ensures Host has read access to the ME region if it is locked
through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE
Lite SKU is integrated.
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
NORTHBRIDGE_INTEL_SANDYBRIDGE || \
NORTHBRIDGE_INTEL_HASWELL || \
SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
help
Use me_cleaner to remove all the non-fundamental code from the Intel
ME/TXE firmware.
The resulting Intel ME/TXE firmware will have only the code
responsible for the very basic hardware initialization, leaving the
ME/TXE subsystem essentially in a disabled state.
Don't flash a modified ME/TXE firmware and a new coreboot image at the
same time, test them in two different steps.
WARNING: this tool isn't based on any official Intel documentation but
only on reverse engineering and trial & error.
See the project's page
https://github.com/corna/me_cleaner
or the wiki
https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
https://github.com/corna/me_cleaner/wiki/me_cleaner-status
for more info about this tool
If unsure, say N.
comment "Please test the modified ME/TXE firmware and coreboot in two steps"
depends on USE_ME_CLEANER
config ME_CLEANER_ARGS
string
depends on USE_ME_CLEANER
default "-S"
config MAINBOARD_USES_IFD_GBE_REGION
def_bool n
config HAVE_GBE_BIN
bool "Add gigabit ethernet configuration"
depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_GBE_REGION
help
The integrated gigabit ethernet controller needs a configuration
file. Select this if you are going to use the PCH integrated
controller and want to add that file.
config GBE_BIN_PATH
string "Path to gigabit ethernet configuration"
depends on HAVE_GBE_BIN
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/gbe.bin"
config MAINBOARD_USES_IFD_EC_REGION
def_bool n
config HAVE_EC_BIN
bool "Add EC firmware"
depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_EC_REGION
help
The embedded controller needs a firmware file.
Select this if you are going to use the PCH integrated controller
and have the EC firmware. EC firmware will be added to final image
through ifdtool.
config EC_BIN_PATH
string "Path to EC firmware"
depends on HAVE_EC_BIN
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/ec.bin"
choice
prompt "Protect flash regions"
default UNLOCK_FLASH_REGIONS
help
This option allows you to protect flash regions.
config DO_NOT_TOUCH_DESCRIPTOR_REGION
bool "Use the preset values to protect the regions"
help
Read and write access permissions to different regions in the flash
can be controlled via dedicated bitfields in the flash descriptor.
These permissions can be modified with the Intel Flash Descriptor
Tool (ifdtool). If you don't want to change these permissions and
keep the ones provided in the initial descriptor, use this option.
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
help
The Intel Firmware Descriptor supports preventing write and read
accesses from the host to the ME or TXE section. If the section
is locked, it can only be overwritten with an external SPI flash
programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE
before writing to the ME Section. If CSE Lite SKU is integrated,
the Kconfig prevents only writing to the ME section.
If unsure, select "Unlock flash regions".
config UNLOCK_FLASH_REGIONS
bool "Unlock flash regions"
help
All regions are completely unprotected and can be overwritten using
a flash programming tool.
endchoice
config CBFS_SIZE
hex
default 0x100000
help
Reduce CBFS size to give room to the IFD blobs.
endif #INTEL_FIRMWARE
|