Sridhar Siricilla has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/48267 )
Change subject: sb/intel/common: Modify CONFIG_LOCK_MANAGEMENT_ENGINE behavior ......................................................................
sb/intel/common: Modify CONFIG_LOCK_MANAGEMENT_ENGINE behavior
The patch modifies KConfig behaviour if CSE Lite SKU is integrated into the coreboot. When the CSE Lite SKU is integrated, the KConfig prevents writing to ME region. Also, it modifies the KConfig's help text to reflect the change.
When CSE Lite SKU is integrated, master access permissions: FLMSTR1: 0x002007ff (Host CPU/BIOS) EC Region Write Access: disabled Platform Data Region Write Access: disabled GbE Region Write Access: disabled Intel ME Region Write Access: disabled Host CPU/BIOS Region Write Access: enabled Flash Descriptor Write Access: disabled EC Region Read Access: disabled Platform Data Region Read Access: disabled GbE Region Read Access: disabled Intel ME Region Read Access: enabled Host CPU/BIOS Region Read Access: enabled Flash Descriptor Read Access: enabled
BUG=b:174118018 TEST=Built and verified the access permissions.
Signed-off-by: Sridhar Siricilla sridhar.siricilla@intel.com Change-Id: I2f6677ab7b59ddce827d3fcaae61508a30dc1b28 --- M src/southbridge/intel/common/firmware/Kconfig M src/southbridge/intel/common/firmware/Makefile.inc 2 files changed, 14 insertions(+), 7 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/67/48267/1
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig index 4e93426..999930a 100644 --- a/src/southbridge/intel/common/firmware/Kconfig +++ b/src/southbridge/intel/common/firmware/Kconfig @@ -145,12 +145,12 @@ config LOCK_MANAGEMENT_ENGINE bool "Lock ME/TXE section" help - The Intel Firmware Descriptor supports preventing write accesses - from the host to the ME or TXE section in the firmware - descriptor. If the section is locked, it can only be overwritten - with an external SPI flash programmer. You will want this if you - want to increase security of your ROM image once you are sure - that the ME/TXE firmware is no longer going to change. + The Intel Firmware Descriptor supports preventing write and read + accesses from the host to the ME or TXE section. If the section + is locked, it can only be overwritten with an external SPI flash + programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE + before writing to the ME Section. If CSE Lite SKU is integrated, + the Kconfigprevents only writing to the ME section.
If unsure, select "Unlock flash regions".
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index df9a57f..7b0ce53 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -17,6 +17,12 @@ IFDTOOL_USE_CHIPSET := -p $(CONFIG_IFD_CHIPSET) endif
+ifeq ($(CONFIG_SOC_INTEL_CSE_LITE_SKU),y) +IFDTOOL_LOCK_ME_MODE := -lr +else +IFDTOOL_LOCK_ME_MODE := -l +endif + add_intel_firmware: $(call strip_quotes,$(CONFIG_IFD_BIN_PATH)) ifeq ($(CONFIG_HAVE_ME_BIN),y) add_intel_firmware: $(call strip_quotes,$(CONFIG_ME_BIN_PATH)) @@ -73,10 +79,11 @@ ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y) printf " IFDTOOL Locking Management Engine\n" $(objutil)/ifdtool/ifdtool \ - $(IFDTOOL_USE_CHIPSET) -l \ + $(IFDTOOL_USE_CHIPSET) $(IFDTOOL_LOCK_ME_MODE) \ -O $(obj)/coreboot.pre \ $(obj)/coreboot.pre endif + ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y) printf " IFDTOOL Unlocking Management Engine\n" $(objutil)/ifdtool/ifdtool \