Intel Firmware Descriptor: Add Lock ME Kconfig question Add the Kconfig question to allow the user to lock the ME section using ifdtool. Change-Id: I46018c3bc9df3e309aa3083d693cbebf00e18062 Signed-off-by: Martin Roth <gaumless@gmail.com> Reviewed-on: http://review.coreboot.org/10648 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>

commit: 775d50828ef090339ae57d93da55f46676f4bf58 [log] [tgz]
author: Martin Roth <gaumless@gmail.com> Tue Jun 23 21:47:19 2015 -0600
committer: Stefan Reinauer <stefan.reinauer@coreboot.org> Thu Jul 02 02:26:21 2015 +0200
tree: 3d0da4f488af973645f66804c3737a4ca58dc4d4
parent: c407cb97bc121ef28770cdda1d7ee7e2f06157e8 [diff] [blame]
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index 8ad1fed..2767c0e 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig

@@ -92,4 +92,18 @@
 	string
 	default ""
 
+config LOCK_MANAGEMENT_ENGINE
+	bool "Lock ME/TXE section"
+	depends on HAVE_ME_BIN
+	default n
+	help
+	  The Intel Firmware Descriptor supports preventing write accesses
+	  from the host to the ME or TXE section in the firmware
+	  descriptor. If the section is locked, it can only be overwritten
+	  with an external SPI flash programmer. You will want this if you
+	  want to increase security of your ROM image once you are sure
+	  that the ME/TXE firmware is no longer going to change.
+
+	  If unsure, say N.
+
 endif #INTEL_FIRMWARE
commit	775d50828ef090339ae57d93da55f46676f4bf58	[log] [tgz]
author	Martin Roth <gaumless@gmail.com>	Tue Jun 23 21:47:19 2015 -0600
committer	Stefan Reinauer <stefan.reinauer@coreboot.org>	Thu Jul 02 02:26:21 2015 +0200
tree	3d0da4f488af973645f66804c3737a4ca58dc4d4
parent	c407cb97bc121ef28770cdda1d7ee7e2f06157e8 [diff] [blame]