[coreboot-gerrit] Patch set updated for coreboot: Intel Firmware Descriptor: Add Lock ME Kconfig question

[Martin Roth (gaumless@gmail.com)]

Martin Roth (gaumless at gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10648

-gerrit

commit ee122faf0b587b0d1f8d7e5374d48b53628b9ae2
Author: Martin Roth <gaumless at gmail.com>
Date:   Tue Jun 23 21:47:19 2015 -0600

    Intel Firmware Descriptor: Add Lock ME Kconfig question
    
    Add the Kconfig question to allow the user to lock the ME section
    using ifdtool.
    
    Change-Id: I46018c3bc9df3e309aa3083d693cbebf00e18062
    Signed-off-by: Martin Roth <gaumless at gmail.com>
---
 src/southbridge/intel/common/firmware/Kconfig | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 8ad1fed..2767c0e 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -92,4 +92,18 @@ config IFD_PLATFORM_SECTION
 	string
 	default ""
 
+config LOCK_MANAGEMENT_ENGINE
+	bool "Lock ME/TXE section"
+	depends on HAVE_ME_BIN
+	default n
+	help
+	  The Intel Firmware Descriptor supports preventing write accesses
+	  from the host to the ME or TXE section in the firmware
+	  descriptor. If the section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME/TXE firmware is no longer going to change.
+
+	  If unsure, say N.
+
 endif #INTEL_FIRMWARE