Matt DeVillier (matt.devillier@gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/6012
-gerrit
commit e689a8af1851d8a0ee0ef4eab49e5ba9d12f97dc Author: Duncan Laurie dlaurie@chromium.org Date: Thu Aug 22 09:56:42 2013 -0700
Add CONFIG_LOCK_MANAGEMENT_ENGINE entry to Kconfig
This was missing from lynxpoint.
BUG=chrome-os-partner:21796 BRANCH=falco,peppy TEST=emerge-falco chromeos-coreboot-falco
Change-Id: Id1b261a5310ce1482f11c8c032c13f49046742fc Signed-off-by: Matt DeVillier matt.devillier@gmail.com Signed-off-by: Duncan Laurie dlaurie@chromium.org Reviewed-on: https://gerrit.chromium.org/gerrit/66669 Reviewed-by: Aaron Durbin adurbin@chromium.org --- src/southbridge/intel/lynxpoint/Kconfig | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig index f0c62e4..8261bd2 100644 --- a/src/southbridge/intel/lynxpoint/Kconfig +++ b/src/southbridge/intel/lynxpoint/Kconfig @@ -78,4 +78,17 @@ config FINALIZE_USB_ROUTE_XHCI If you set this option to y, the USB ports will be routed to the XHCI controller during the finalize SMM callback.
+config LOCK_MANAGEMENT_ENGINE + bool "Lock Management Engine section" + default n + help + The Intel Management Engine supports preventing write accesses + from the host to the Management Engine section in the firmware + descriptor. If the ME section is locked, it can only be overwritten + with an external SPI flash programmer. You will want this if you + want to increase security of your ROM image once you are sure + that the ME firmware is no longer going to change. + + If unsure, say N. + endif