[coreboot] Patch set updated for coreboot: a0e1d17 Add Kconfig option to lock/unlock ME firmware during build

Stefan Reinauer (stefan.reinauer@coreboot.org) gerrit at coreboot.org
Thu Nov 8 20:52:31 CET 2012

Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/1798


commit a0e1d17401ab2f10475d4fecee21ae09e2b6a5c8
Author: Stefan Reinauer <reinauer at chromium.org>
Date:   Wed Oct 31 17:30:13 2012 -0700

    Add Kconfig option to lock/unlock ME firmware during build
    For reasons of security and testing we want to be able to
    enable/disable ME section locking through a config option.
    Change-Id: I341c577cdae86be62c0e3d32bbd6b3333c004a5f
    Signed-off-by: Stefan Reinauer <reinauer at google.com>
 src/southbridge/intel/bd82x6x/Kconfig      | 13 +++++++++++++
 src/southbridge/intel/bd82x6x/Makefile.inc | 15 ++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 75858c2..f68e89e 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -59,4 +59,17 @@ config HPET_MIN_TICKS
 	default 0x80
+	bool "Lock Management Engine section"
+	default n
+	help
+	  The Intel Management Engine supports preventing write accesses
+	  from the host to the Management Engine section in the firmware
+	  descriptor. If the ME section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME firmware is no longer going to change.
+	  If unsure, say N.
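Review bot: The help text never says what the default `n` does to the image, and the Makefile.inc part of this commit appears to run `ifdtool -u` in that case, so N seems to mean "actively unlock" rather than "leave the descriptor as supplied". Someone who picks N because they are unsure ends up with an ME section that can be rewritten from the host, which is the weaker state for an image that ships. I would add a sentence to the help such as `If this option is disabled, the ME section is explicitly unlocked and can be written from the host.` and reconsider whether N is the right default outside development builds. The option's `config` line is not visible in the hunk as shown on this page, so the symbol name cannot be checked here.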
diff --git a/src/southbridge/intel/bd82x6x/Makefile.inc b/src/southbridge/intel/bd82x6x/Makefile.inc
index 7abf4f2..3a3e1a8 100644
--- a/src/southbridge/intel/bd82x6x/Makefile.inc
+++ b/src/southbridge/intel/bd82x6x/Makefile.inc
@@ -20,7 +20,7 @@
 # Run an intermediate step when producing coreboot.rom
 # that adds additional components to the final firmware
 # image outside of CBFS
 driver-y += pch.c
 driver-y += azalia.c
@@ -50,7 +50,7 @@ ramstage-$(CONFIG_USBDEBUG) += usb_debug.c
 smm-$(CONFIG_USBDEBUG) += usb_debug.c
 romstage-y += reset.c
-$(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL)
+bd82x6x_add_me: $(obj)/coreboot.pre $(IFDTOOL)
 	printf "    DD         Adding Intel Firmware Descriptor\n"
 	dd if=3rdparty/mainboard/$(MAINBOARDDIR)/descriptor.bin \
 		of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
@@ -59,5 +59,14 @@ $(INTERMEDIATE): $(obj)/coreboot.pre $(IFDTOOL)
 		-i ME:3rdparty/mainboard/$(MAINBOARDDIR)/me.bin \
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+	printf "    IFDTOOL    Locking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -l $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+	printf "    IFDTOOL    Unlocking Management Engine\n"
+	$(objutil)/ifdtool/ifdtool -u $(obj)/coreboot.pre
+	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
+PHONY += bd82x6x_add_me
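Review bot: As shown here the recipe runs `ifdtool -l` and then `ifdtool -u` with no conditional between them, so the unlock would always win. The diffstat reports more added lines than this page shows, so the `ifeq`/`else`/`endif` on the Kconfig option was presumably lost in the archive and should be confirmed on Gerrit. Assuming the conditional is there, the disabled branch still rewrites the descriptor with `-u`, which can silently weaken a `descriptor.bin` that arrived locked. Consider running ifdtool only in the locking case, or making unlock a separate explicit option. A comment above the target such as `# Modifies $(obj)/coreboot.pre in place; ME lock state follows the Kconfig option` would help, since the phony target does not name the file it changes. The rule begins in the previous hunk.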
