| # This file is part of the coreboot project. |
| # SPDX-License-Identifier: GPL-2.0-only |
| |
| config HAVE_INTEL_FIRMWARE |
| bool |
| default y if INTEL_DESCRIPTOR_MODE_CAPABLE |
| help |
| Platform uses the Intel Firmware Descriptor to describe the |
| layout of the SPI ROM chip. Enabling this option will allow you to |
| select further features that rely on this like providing individual |
| firmware blobs. |
| |
| if HAVE_INTEL_FIRMWARE |
| |
| comment "Intel Firmware" |
| |
| config HAVE_IFD_BIN |
| bool "Add Intel descriptor.bin file" |
| select HAVE_EM100_SUPPORT # We use ifdtool to enable this. |
| help |
| The descriptor binary |
| |
| config IFD_BIN_PATH |
| string "Path and filename of the descriptor.bin file" |
| default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/descriptor.bin" |
| depends on HAVE_IFD_BIN |
| |
| config HAVE_ME_BIN |
| bool "Add Intel ME/TXE firmware" |
| depends on HAVE_IFD_BIN |
| help |
| The Intel processor in the selected system requires a special firmware |
| for an integrated controller. This might be called the Management |
| Engine (ME), the Trusted Execution Engine (TXE) or something else |
| depending on the chip. This firmware might or might not be available |
| in coreboot's 3rdparty/blobs repository. If it is not and if you don't |
| have access to the firmware from elsewhere, you can still build |
| coreboot without it. In this case however, you'll have to make sure |
| that you don't overwrite your ME/TXE firmware on your flash ROM. |
| |
| config ME_BIN_PATH |
| string "Path to management engine firmware" |
| default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin" |
| depends on HAVE_ME_BIN |
| |
| config CHECK_ME |
| bool "Verify the integrity of the supplied ME/TXE firmware" |
| default n |
| depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ |
| NORTHBRIDGE_INTEL_SANDYBRIDGE || \ |
| NORTHBRIDGE_INTEL_HASWELL || \ |
| SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ |
| SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) |
| help |
| Verify the integrity of the supplied Intel ME/TXE firmware before |
| proceeding with the build, in order to prevent an accidental loading |
| of a corrupted ME/TXE image. |
| |
| config USE_ME_CLEANER |
| bool "Strip down the Intel ME/TXE firmware" |
| depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ |
| NORTHBRIDGE_INTEL_SANDYBRIDGE || \ |
| NORTHBRIDGE_INTEL_HASWELL || \ |
| SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ |
| SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) |
| help |
| Use me_cleaner to remove all the non-fundamental code from the Intel |
| ME/TXE firmware. |
| The resulting Intel ME/TXE firmware will have only the code |
| responsible for the very basic hardware initialization, leaving the |
| ME/TXE subsystem essentially in a disabled state. |
| |
| Don't flash a modified ME/TXE firmware and a new coreboot image at the |
| same time, test them in two different steps. |
| |
| WARNING: this tool isn't based on any official Intel documentation but |
| only on reverse engineering and trial & error. |
| |
| See the project's page |
| https://github.com/corna/me_cleaner |
| or the wiki |
| https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner |
| https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F |
| https://github.com/corna/me_cleaner/wiki/me_cleaner-status |
| for more info about this tool |
| |
| If unsure, say N. |
| |
| comment "Please test the modified ME/TXE firmware and coreboot in two steps" |
| depends on USE_ME_CLEANER |
| |
| config ME_CLEANER_ARGS |
| string |
| depends on USE_ME_CLEANER |
| default "-S" |
| |
| config MAINBOARD_USES_IFD_GBE_REGION |
| def_bool n |
| |
| config HAVE_GBE_BIN |
| bool "Add gigabit ethernet configuration" |
| depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_GBE_REGION |
| help |
| The integrated gigabit ethernet controller needs a configuration |
| file. Select this if you are going to use the PCH integrated |
| controller and want to add that file. |
| |
| config GBE_BIN_PATH |
| string "Path to gigabit ethernet configuration" |
| depends on HAVE_GBE_BIN |
| default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/gbe.bin" |
| |
| config MAINBOARD_USES_IFD_EC_REGION |
| def_bool n |
| |
| config HAVE_EC_BIN |
| bool "Add EC firmware" |
| depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_EC_REGION |
| help |
| The embedded controller needs a firmware file. |
| |
| Select this if you are going to use the PCH integrated controller |
| and have the EC firmware. EC firmware will be added to final image |
| through ifdtool. |
| |
| config EC_BIN_PATH |
| string "Path to EC firmware" |
| depends on HAVE_EC_BIN |
| default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin" |
| |
| choice |
| prompt "Protect flash regions" |
| default UNLOCK_FLASH_REGIONS |
| help |
| This option allows you to protect flash regions. |
| |
| config DO_NOT_TOUCH_DESCRIPTOR_REGION |
| bool "Use the preset values to protect the regions" |
| help |
| Read and write access permissions to different regions in the flash |
| can be controlled via dedicated bitfields in the flash descriptor. |
| These permissions can be modified with the Intel Flash Descriptor |
| Tool (ifdtool). If you don't want to change these permissions and |
| keep the ones provided in the initial descriptor, use this option. |
| |
| config LOCK_MANAGEMENT_ENGINE |
| bool "Lock ME/TXE section" |
| help |
| The Intel Firmware Descriptor supports preventing write accesses |
| from the host to the ME or TXE section in the firmware |
| descriptor. If the section is locked, it can only be overwritten |
| with an external SPI flash programmer. You will want this if you |
| want to increase security of your ROM image once you are sure |
| that the ME/TXE firmware is no longer going to change. |
| |
| If unsure, select "Unlock flash regions". |
| |
| config UNLOCK_FLASH_REGIONS |
| bool "Unlock flash regions" |
| help |
| All regions are completely unprotected and can be overwritten using |
| a flash programming tool. |
| |
| endchoice |
| |
| config CBFS_SIZE |
| hex |
| default 0x100000 |
| help |
| Reduce CBFS size to give room to the IFD blobs. |
| |
| endif #INTEL_FIRMWARE |