src/southbridge/intel/common/firmware/Kconfig

# This file is part of the coreboot project.
# SPDX-License-Identifier: GPL-2.0-only

config HAVE_INTEL_FIRMWARE
	bool
	default y if INTEL_DESCRIPTOR_MODE_CAPABLE
	help
	  Platform uses the Intel Firmware Descriptor to describe the
	  layout of the SPI ROM chip. Enabling this option will allow you to
	  select further features that rely on this like providing individual
	  firmware blobs.

if HAVE_INTEL_FIRMWARE

comment "Intel Firmware"

config HAVE_IFD_BIN
	bool "Add Intel descriptor.bin file"
	select HAVE_EM100_SUPPORT  # We use ifdtool to enable this.
	help
	  The descriptor binary

config IFD_BIN_PATH
	string "Path and filename of the descriptor.bin file"
	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/descriptor.bin"
	depends on HAVE_IFD_BIN

config HAVE_ME_BIN
	bool "Add Intel ME/TXE firmware"
	depends on HAVE_IFD_BIN
	help
	  The Intel processor in the selected system requires a special firmware
	  for an integrated controller.  This might be called the Management
	  Engine (ME), the Trusted Execution Engine (TXE) or something else
	  depending on the chip. This firmware might or might not be available
	  in coreboot's 3rdparty/blobs repository. If it is not and if you don't
	  have access to the firmware from elsewhere, you can still build
	  coreboot without it. In this case however, you'll have to make sure
	  that you don't overwrite your ME/TXE firmware on your flash ROM.

config ME_BIN_PATH
	string "Path to management engine firmware"
	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin"
	depends on HAVE_ME_BIN

config CHECK_ME
	bool "Verify the integrity of the supplied ME/TXE firmware"
	default n
	depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
		NORTHBRIDGE_INTEL_SANDYBRIDGE || \
		NORTHBRIDGE_INTEL_HASWELL || \
		SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
		SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
	help
	  Verify the integrity of the supplied Intel ME/TXE firmware before
	  proceeding with the build, in order to prevent an accidental loading
	  of a corrupted ME/TXE image.

config USE_ME_CLEANER
	bool "Strip down the Intel ME/TXE firmware"
	depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
		NORTHBRIDGE_INTEL_SANDYBRIDGE || \
		NORTHBRIDGE_INTEL_HASWELL || \
		SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
		SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
	help
	  Use me_cleaner to remove all the non-fundamental code from the Intel
	  ME/TXE firmware.
	  The resulting Intel ME/TXE firmware will have only the code
	  responsible for the very basic hardware initialization, leaving the
	  ME/TXE subsystem essentially in a disabled state.

	  Don't flash a modified ME/TXE firmware and a new coreboot image at the
	  same time, test them in two different steps.

	  WARNING: this tool isn't based on any official Intel documentation but
	           only on reverse engineering and trial & error.

	  See the project's page
	   https://github.com/corna/me_cleaner
	  or the wiki
	   https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner
	   https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
	   https://github.com/corna/me_cleaner/wiki/me_cleaner-status
	  for more info about this tool

	  If unsure, say N.

comment "Please test the modified ME/TXE firmware and coreboot in two steps"
	depends on USE_ME_CLEANER

config ME_CLEANER_ARGS
	string
	depends on USE_ME_CLEANER
	default "-S"

config MAINBOARD_USES_IFD_GBE_REGION
	def_bool n

config HAVE_GBE_BIN
	bool "Add gigabit ethernet configuration"
	depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_GBE_REGION
	help
	  The integrated gigabit ethernet controller needs a configuration
	  file. Select this if you are going to use the PCH integrated
	  controller and want to add that file.

config GBE_BIN_PATH
	string "Path to gigabit ethernet configuration"
	depends on HAVE_GBE_BIN
	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/gbe.bin"

config MAINBOARD_USES_IFD_EC_REGION
	def_bool n

config HAVE_EC_BIN
	bool "Add EC firmware"
	depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_EC_REGION
	help
	  The embedded controller needs a firmware file.

	  Select this if you are going to use the PCH integrated controller
	  and have the EC firmware. EC firmware will be added to final image
	  through ifdtool.

config EC_BIN_PATH
	string "Path to EC firmware"
	depends on HAVE_EC_BIN
	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/ec.bin"

choice
	prompt "Protect flash regions"
	default UNLOCK_FLASH_REGIONS
	help
	  This option allows you to protect flash regions.

config DO_NOT_TOUCH_DESCRIPTOR_REGION
	bool "Use the preset values to protect the regions"
	help
	  Read and write access permissions to different regions in the flash
	  can be controlled via dedicated bitfields in the flash descriptor.
	  These permissions can be modified with the Intel Flash Descriptor
	  Tool (ifdtool). If you don't want to change these permissions and
	  keep the ones provided in the initial descriptor, use this option.

config LOCK_MANAGEMENT_ENGINE
	bool "Lock ME/TXE section"
	help
	  The Intel Firmware Descriptor supports preventing write accesses
	  from the host to the ME or TXE section in the firmware
	  descriptor. If the section is locked, it can only be overwritten
	  with an external SPI flash programmer. You will want this if you
	  want to increase security of your ROM image once you are sure
	  that the ME/TXE firmware is no longer going to change.

	  If unsure, select "Unlock flash regions".

config UNLOCK_FLASH_REGIONS
	bool "Unlock flash regions"
	help
	  All regions are completely unprotected and can be overwritten using
	  a flash programming tool.

endchoice

config CBFS_SIZE
	hex
	default 0x100000
	help
	  Reduce CBFS size to give room to the IFD blobs.

endif #INTEL_FIRMWARE