Attention is currently required from: Nico Huber, Tim Wawrzynczak, Angel Pons, Patrick Rudolph. Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/56107 )
Change subject: sb/intel/common: Hide IFD options if !HAVE_IFD_BIN ......................................................................
Patch Set 1:
(1 comment)
File src/southbridge/intel/common/firmware/Kconfig:
https://review.coreboot.org/c/coreboot/+/56107/comment/cb7d4729_1e6a5814 PS1, Line 27: config HAVE_ME_BIN : bool "Add Intel ME/TXE firmware" : depends on HAVE_IFD_BIN : help : The Intel processor in the selected system requires a special firmware : for an integrated controller. This might be called the Management : Engine (ME), the Trusted Execution Engine (TXE) or something else : depending on the chip. This firmware might or might not be available : in coreboot's 3rdparty/blobs repository. If it is not and if you don't : have access to the firmware from elsewhere, you can still build : coreboot without it. In this case however, you'll have to make sure : that you don't overwrite your ME/TXE firmware on your flash ROM. : : config ME_BIN_PATH : string "Path to management engine firmware" : default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin" : depends on HAVE_ME_BIN : : config CHECK_ME : bool "Verify the integrity of the supplied ME/TXE firmware" : default n : depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ : NORTHBRIDGE_INTEL_SANDYBRIDGE || \ : NORTHBRIDGE_INTEL_HASWELL || \ : SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ : SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) : help : Verify the integrity of the supplied Intel ME/TXE firmware before : proceeding with the build, in order to prevent an accidental loading : of a corrupted ME/TXE image. : : config ME_REGION_ALLOW_CPU_READ_ACCESS : bool "Allows HOST/CPU read access to ME region" : depends on HAVE_IFD_BIN : default y if SOC_INTEL_CSE_LITE_SKU : default n : help : The config ensures Host has read access to the ME region if it is locked : through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE : Lite SKU is integrated. : : config USE_ME_CLEANER : bool "Strip down the Intel ME/TXE firmware" : depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ : NORTHBRIDGE_INTEL_SANDYBRIDGE || \ : NORTHBRIDGE_INTEL_HASWELL || \ : SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ : SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) : help : Use me_cleaner to remove all the non-fundamental code from the Intel : ME/TXE firmware. : The resulting Intel ME/TXE firmware will have only the code : responsible for the very basic hardware initialization, leaving the : ME/TXE subsystem essentially in a disabled state. : : Don't flash a modified ME/TXE firmware and a new coreboot image at the : same time, test them in two different steps. : : WARNING: this tool isn't based on any official Intel documentation but : only on reverse engineering and trial & error. : : See the project's page : https://github.com/corna/me_cleaner : or the wiki : https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner : https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F : https://github.com/corna/me_cleaner/wiki/me_cleaner-status : for more info about this tool : : If unsure, say N. : : comment "Please test the modified ME/TXE firmware and coreboot in two steps" : depends on USE_ME_CLEANER : : config ME_CLEANER_ARGS : string : depends on USE_ME_CLEANER : default "-S" : : config MAINBOARD_USES_IFD_GBE_REGION : def_bool n : : config HAVE_GBE_BIN : bool "Add gigabit ethernet configuration" : depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_GBE_REGION : help : The integrated gigabit ethernet controller needs a configuration : file. Select this if you are going to use the PCH integrated : controller and want to add that file. : : config GBE_BIN_PATH : string "Path to gigabit ethernet configuration" : depends on HAVE_GBE_BIN : default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/gbe.bin" : : config MAINBOARD_USES_IFD_EC_REGION : def_bool n : : config HAVE_EC_BIN : bool "Add EC firmware" : depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_EC_REGION : help : The embedded controller needs a firmware file. : : Select this if you are going to use the PCH integrated controller : and have the EC firmware. EC firmware will be added to final image : through ifdtool. : : config EC_BIN_PATH : string "Path to EC firmware" : depends on HAVE_EC_BIN : default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin" : : choice : prompt "Protect flash regions" if HAVE_IFD_BIN : default UNLOCK_FLASH_REGIONS if HAVE_IFD_BIN : help : This option allows you to protect flash regions. : : config DO_NOT_TOUCH_DESCRIPTOR_REGION : bool "Use the preset values to protect the regions" : help : Read and write access permissions to different regions in the flash : can be controlled via dedicated bitfields in the flash descriptor. : These permissions can be modified with the Intel Flash Descriptor : Tool (ifdtool). If you don't want to change these permissions and : keep the ones provided in the initial descriptor, use this option. : : config LOCK_MANAGEMENT_ENGINE : bool "Lock ME/TXE section" : help : The Intel Firmware Descriptor supports preventing write and read : accesses from the host to the ME or TXE section. If the section : is locked, it can only be overwritten with an external SPI flash : programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE : before writing to the ME Section. If CSE Lite SKU is integrated, : the Kconfig prevents only writing to the ME section. : : If unsure, select "Unlock flash regions". : : config UNLOCK_FLASH_REGIONS : bool "Unlock flash regions" : help : All regions are completely unprotected and can be overwritten using : a flash programming tool. : : endchoice This whole thing does not make sense without HAVE_IFD_BIN. Maybe add an if clause?