sb/intel/common/firmware: Don't touch descriptor region

This patch makes the method used to protect flash regions selectable.
If you don't want ifdtool to modify the flash descriptor, enable the
new option. Otherwise, the previous config settings for all
mainboards will be retained.

Change-Id: I46ec6339008edcc78fe76682eed5714f85354937
Signed-off-by: Mario Scheithauer <mario.scheithauer@siemens.com>
Reviewed-on: https://review.coreboot.org/c/31639
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 31a3df3..c0dd439 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -141,9 +141,23 @@
 	depends on HAVE_EC_BIN
 	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"
 
+choice
+	prompt "Protect flash regions"
+	default UNLOCK_FLASH_REGIONS
+	help
+	  This option allows you to protect flash regions.
+
+config DO_NOT_TOUCH_DESCRIPTOR_REGION
+	bool "Use the preset values to protect the regions"
+	help
+	  Read and write access permissions to different regions in the flash
+	  can be controlled via dedicated bitfields in the flash descriptor.
+	  These permissions can be modified with the Intel Flash Descriptor
+	  Tool (ifdtool). If you don't want to change these permissions and
+	  keep the ones provided in the initial descriptor, use this option.
+
 config LOCK_MANAGEMENT_ENGINE
 	bool "Lock ME/TXE section"
-	default n
 	help
 	  The Intel Firmware Descriptor supports preventing write accesses
 	  from the host to the ME or TXE section in the firmware
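Review bot: The help for `DO_NOT_TOUCH_DESCRIPTOR_REGION` does not say that with this choice the image's protection is exactly what the supplied descriptor carries, which may be fully unlocked. I would add a closing sentence to that help, for example `The resulting protection is whatever the provided descriptor contains; check it with "ifdtool -d" before shipping.` The choice-level help `This option allows you to protect flash regions.` could also name the three outcomes and state that the default, `UNLOCK_FLASH_REGIONS`, is the unprotected one. The `LOCK_MANAGEMENT_ENGINE` entry continues past the end of this hunk.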
@@ -152,7 +166,15 @@
 	  want to increase security of your ROM image once you are sure
 	  that the ME/TXE firmware is no longer going to change.
 
-	  If unsure, say N.
+	  If unsure, select "Unlock flash regions".
+
+config UNLOCK_FLASH_REGIONS
+	bool "Unlock flash regions"
+	help
+	  All regions are completely unprotected and can be overwritten using
+	  a flash programming tool.
+
+endchoice
 
 config CBFS_SIZE
 	hex
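Review bot: The `UNLOCK_FLASH_REGIONS` help reads as if only an external flash programmer were affected, while the `LOCK_MANAGEMENT_ENGINE` help just above describes the protection as blocking write accesses from the host; since this entry is the choice default, the help should say so plainly. Suggested wording: `All regions, including the descriptor and ME/TXE, stay writable from the host and from external programmers. Intended for development; select a locking option for production images.` The added line `If unsure, select "Unlock flash regions".` steers unsure users to the unprotected setting, which may be deliberate for recoverability, but that rationale is worth one sentence in the help.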
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index 774bb23..898ab60 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -68,12 +68,14 @@
 		$(obj)/coreboot.pre
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
 endif
+
 ifeq ($(CONFIG_LOCK_MANAGEMENT_ENGINE),y)
 	printf "    IFDTOOL    Locking Management Engine\n"
 	$(objutil)/ifdtool/ifdtool \
 		$(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
-else
+endif
+ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)
 	printf "    IFDTOOL    Unlocking Management Engine\n"
 	$(objutil)/ifdtool/ifdtool \
 	$(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre
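Review bot: The log line under the new `ifeq ($(CONFIG_UNLOCK_FLASH_REGIONS),y)` still prints `Unlocking Management Engine`, although the option it now belongs to is described as unlocking all flash regions, and the third choice value leaves no trace in the build log at all. I would change the message to `printf "    IFDTOOL    Unlocking flash regions\n"` and add a branch for `CONFIG_DO_NOT_TOUCH_DESCRIPTOR_REGION` that prints that the descriptor permissions were left unmodified, so the protection state of an image can be read from its build output. Replacing `else` with two separate `ifeq` blocks is only safe because the Kconfig `choice` keeps the symbols mutually exclusive; a short comment saying so would help. The recipe starts before and continues past this hunk.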
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index 79f30ae..87e1970 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -79,8 +79,4 @@
 	  If you set this option to y, the USB ports will be routed
 	  to the XHCI controller during the finalize SMM callback.
 
-config LOCK_MANAGEMENT_ENGINE
-	bool
-	default n
-
 endif