sb/intel/common/firmware: Don't touch descriptor region

This patch makes the way to protect flash regions selectable. If you
don't want to use ifdtool for modification of flash descriptor, enable
the new option. Otherwise, the previous config settings for all
mainboards will be retained.

Change-Id: I46ec6339008edcc78fe76682eed5714f85354937
Signed-off-by: Mario Scheithauer <>
Tested-by: build bot (Jenkins) <>
Reviewed-by: Nico Huber <>
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 31a3df3..c0dd439 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -141,9 +141,23 @@
 	depends on HAVE_EC_BIN
 	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"
+	prompt "Protect flash regions"
+	help
+	  This option allows you to protect flash regions.
+	bool "Use the preset values to protect the regions"
+	help
+	  Read and write access permissions to different regions in the flash
+	  can be controlled via dedicated bitfields in the flash descriptor.
+	  These permissions can be modified with the Intel Flash Descriptor
+	  Tool (ifdtool). If you don't want to change these permissions and
+	  keep the ones provided in the initial descriptor, use this option.
 	bool "Lock ME/TXE section"
-	default n
 	  The Intel Firmware Descriptor supports preventing write accesses
 	  from the host to the ME or TXE section in the firmware
@@ -152,7 +166,15 @@
 	  want to increase security of your ROM image once you are sure
 	  that the ME/TXE firmware is no longer going to change.
-	  If unsure, say N.
+	  If unsure, select "Unlock flash regions".
+	bool "Unlock flash regions"
+	help
+	  All regions are completely unprotected and can be overwritten using
+	  a flash programming tool.
 config CBFS_SIZE
diff --git a/src/southbridge/intel/common/firmware/ b/src/southbridge/intel/common/firmware/
index 774bb23..898ab60 100644
--- a/src/southbridge/intel/common/firmware/
+++ b/src/southbridge/intel/common/firmware/
@@ -68,12 +68,14 @@
 	mv $(obj)/ $(obj)/coreboot.pre
 	printf "    IFDTOOL    Locking Management Engine\n"
 	$(objutil)/ifdtool/ifdtool \
 		$(IFDTOOL_USE_CHIPSET) -l $(obj)/coreboot.pre
 	mv $(obj)/ $(obj)/coreboot.pre
 	printf "    IFDTOOL    Unlocking Management Engine\n"
 	$(objutil)/ifdtool/ifdtool \
 	$(IFDTOOL_USE_CHIPSET) -u $(obj)/coreboot.pre
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index 79f30ae..87e1970 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -79,8 +79,4 @@
 	  If you set this option to y, the USB ports will be routed
 	  to the XHCI controller during the finalize SMM callback.
-	bool
-	default n