sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
416b828f47655b6306d3f1ae49e3c3227a1296dd
system76-coreboot/src/southbridge/intel/common/firmware/Kconfig
Sridhar Siricilla 416b828f47 sb/intel/common: Modify CONFIG_LOCK_MANAGEMENT_ENGINE behavior 
The patch modifies KConfig behaviour if CSE Lite SKU is integrated into
the coreboot. When the CSE Lite SKU is integrated, the KConfig prevents
writing to ME region but keeps read access enabled. Since CSE Lite driver
checks the signature of RW partition to identify the interrupted CSE
firmware update, so host must have read access to the ME region. Also, the
patch modifies the KConfig's help text to reflect the change.

When CSE Lite SKU is integrated, master access permissions:
FLMSTR1:   0x002007ff (Host CPU/BIOS)
  EC Region Write Access:            disabled
  Platform Data Region Write Access: disabled
  GbE Region Write Access:           disabled
  Intel ME Region Write Access:      disabled
  Host CPU/BIOS Region Write Access: enabled
  Flash Descriptor Write Access:     disabled
  EC Region Read Access:             disabled
  Platform Data Region Read Access:  disabled
  GbE Region Read Access:            disabled
  Intel ME Region Read Access:       enabled
  Host CPU/BIOS Region Read Access:  enabled
  Flash Descriptor Read Access:      enabled

BUG=b:174118018
TEST=Built and verified the access permissions.

Signed-off-by: Sridhar Siricilla <sridhar.siricilla@intel.com>
Change-Id: I2f6677ab7b59ddce827d3fcaae61508a30dc1b28
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48267
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Karthik Ramasubramanian <kramasub@google.com>
Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
2020-12-07 14:06:28 +00:00

180 lines
5.9 KiB
Plaintext
Raw Blame History

# SPDX-License-Identifier: GPL-2.0-only
config HAVE_INTEL_FIRMWARE
bool
default y if INTEL_DESCRIPTOR_MODE_CAPABLE
help
Platform uses the Intel Firmware Descriptor to describe the
layout of the SPI ROM chip. Enabling this option will allow you to
select further features that rely on this like providing individual
firmware blobs.
if HAVE_INTEL_FIRMWARE
comment "Intel Firmware"
config HAVE_IFD_BIN
bool "Add Intel descriptor.bin file"
select HAVE_EM100_SUPPORT # We use ifdtool to enable this.
help
The descriptor binary
config IFD_BIN_PATH
string "Path and filename of the descriptor.bin file"
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/descriptor.bin"
depends on HAVE_IFD_BIN
config HAVE_ME_BIN
bool "Add Intel ME/TXE firmware"
depends on HAVE_IFD_BIN
help
The Intel processor in the selected system requires a special firmware
for an integrated controller. This might be called the Management
Engine (ME), the Trusted Execution Engine (TXE) or something else
depending on the chip. This firmware might or might not be available
in coreboot's 3rdparty/blobs repository. If it is not and if you don't
have access to the firmware from elsewhere, you can still build
coreboot without it. In this case however, you'll have to make sure
that you don't overwrite your ME/TXE firmware on your flash ROM.
config ME_BIN_PATH
string "Path to management engine firmware"
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/me.bin"
depends on HAVE_ME_BIN
config CHECK_ME
bool "Verify the integrity of the supplied ME/TXE firmware"
default n
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
NORTHBRIDGE_INTEL_SANDYBRIDGE || \
NORTHBRIDGE_INTEL_HASWELL || \
SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
help
Verify the integrity of the supplied Intel ME/TXE firmware before
proceeding with the build, in order to prevent an accidental loading
of a corrupted ME/TXE image.
config ME_REGION_ALLOW_CPU_READ_ACCESS
bool "Allows HOST/CPU read access to ME region"
default n
help
The config ensures Host has read access to the ME region if it is locked
through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE
Lite SKU is integrated.
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \
NORTHBRIDGE_INTEL_SANDYBRIDGE || \
NORTHBRIDGE_INTEL_HASWELL || \
SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
help
Use me_cleaner to remove all the non-fundamental code from the Intel
ME/TXE firmware.
The resulting Intel ME/TXE firmware will have only the code
responsible for the very basic hardware initialization, leaving the
ME/TXE subsystem essentially in a disabled state.
Don't flash a modified ME/TXE firmware and a new coreboot image at the
same time, test them in two different steps.
WARNING: this tool isn't based on any official Intel documentation but
only on reverse engineering and trial & error.
See the project's page
https://github.com/corna/me_cleaner
or the wiki
https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
https://github.com/corna/me_cleaner/wiki/me_cleaner-status
for more info about this tool
If unsure, say N.
comment "Please test the modified ME/TXE firmware and coreboot in two steps"
depends on USE_ME_CLEANER
config ME_CLEANER_ARGS
string
depends on USE_ME_CLEANER
default "-S"
config MAINBOARD_USES_IFD_GBE_REGION
def_bool n
config HAVE_GBE_BIN
bool "Add gigabit ethernet configuration"
depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_GBE_REGION
help
The integrated gigabit ethernet controller needs a configuration
file. Select this if you are going to use the PCH integrated
controller and want to add that file.
config GBE_BIN_PATH
string "Path to gigabit ethernet configuration"
depends on HAVE_GBE_BIN
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/gbe.bin"
config MAINBOARD_USES_IFD_EC_REGION
def_bool n
config HAVE_EC_BIN
bool "Add EC firmware"
depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_EC_REGION
help
The embedded controller needs a firmware file.
Select this if you are going to use the PCH integrated controller
and have the EC firmware. EC firmware will be added to final image
through ifdtool.
config EC_BIN_PATH
string "Path to EC firmware"
depends on HAVE_EC_BIN
default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/ec.bin"
choice
prompt "Protect flash regions"
default UNLOCK_FLASH_REGIONS
help
This option allows you to protect flash regions.
config DO_NOT_TOUCH_DESCRIPTOR_REGION
bool "Use the preset values to protect the regions"
help
Read and write access permissions to different regions in the flash
can be controlled via dedicated bitfields in the flash descriptor.
These permissions can be modified with the Intel Flash Descriptor
Tool (ifdtool). If you don't want to change these permissions and
keep the ones provided in the initial descriptor, use this option.
config LOCK_MANAGEMENT_ENGINE
bool "Lock ME/TXE section"
help
The Intel Firmware Descriptor supports preventing write and read
accesses from the host to the ME or TXE section. If the section
is locked, it can only be overwritten with an external SPI flash
programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE
before writing to the ME Section. If CSE Lite SKU is integrated,
the Kconfig prevents only writing to the ME section.
If unsure, select "Unlock flash regions".
config UNLOCK_FLASH_REGIONS
bool "Unlock flash regions"
help
All regions are completely unprotected and can be overwritten using
a flash programming tool.
endchoice
config CBFS_SIZE
hex
default 0x100000
help
Reduce CBFS size to give room to the IFD blobs.
endif #INTEL_FIRMWARE
Reference in New Issue View Git Blame Copy Permalink