1# SPDX-License-Identifier: GPL-2.0-only 2 3config HAVE_INTEL_FIRMWARE 4 bool 5 default y if INTEL_DESCRIPTOR_MODE_CAPABLE 6 help 7 Platform uses the Intel Firmware Descriptor to describe the 8 layout of the SPI ROM chip. Enabling this option will allow you to 9 select further features that rely on this like providing individual 10 firmware blobs. 11 12if HAVE_INTEL_FIRMWARE 13 14comment "Intel Firmware" 15 16config HAVE_IFD_BIN 17 bool "Add Intel descriptor.bin file" 18 select HAVE_EM100_SUPPORT # We use ifdtool to enable this. 19 help 20 The descriptor binary 21 22config IFD_BIN_PATH 23 string "Path and filename of the descriptor.bin file" 24 default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/descriptor.bin" 25 depends on HAVE_IFD_BIN 26 27config HAVE_ME_BIN 28 bool "Add Intel ME/TXE firmware" 29 depends on HAVE_IFD_BIN 30 help 31 The Intel processor in the selected system requires a special firmware 32 for an integrated controller. This might be called the Management 33 Engine (ME), the Trusted Execution Engine (TXE) or something else 34 depending on the chip. This firmware might or might not be available 35 in coreboot's 3rdparty/blobs repository. If it is not and if you don't 36 have access to the firmware from elsewhere, you can still build 37 coreboot without it. In this case however, you'll have to make sure 38 that you don't overwrite your ME/TXE firmware on your flash ROM. 39 40config STITCH_ME_BIN 41 bool "Stitch individual ME/CSE components" 42 default n 43 depends on HAVE_ME_BIN 44 help 45 This config can be selected by mainboard if it wants to stitch ME/CSE 46 components during build time instead of supplying a pre-stitched 47 binary. 48 49config ME_BIN_PATH 50 string "Path to management engine firmware" if !STITCH_ME_BIN 51 default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/me.bin" 52 depends on HAVE_ME_BIN && !STITCH_ME_BIN 53 54config CHECK_ME 55 bool "Verify the integrity of the supplied ME/TXE firmware" 56 default n 57 depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ 58 NORTHBRIDGE_INTEL_SANDYBRIDGE || \ 59 NORTHBRIDGE_INTEL_HASWELL || \ 60 SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ 61 SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) 62 help 63 Verify the integrity of the supplied Intel ME/TXE firmware before 64 proceeding with the build, in order to prevent an accidental loading 65 of a corrupted ME/TXE image. 66 67config ME_REGION_ALLOW_CPU_READ_ACCESS 68 bool "Allows HOST/CPU read access to ME region" 69 depends on HAVE_IFD_BIN 70 default y if SOC_INTEL_CSE_LITE_SKU || SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD 71 default n 72 help 73 The config ensures Host has read access to the ME region if it is locked 74 through LOCK_MANAGEMENT_ENGINE config. This config is enabled when the CSE 75 Lite SKU is integrated. 76 77config USE_ME_CLEANER 78 bool "Strip down the Intel ME/TXE firmware" 79 depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_IRONLAKE || \ 80 NORTHBRIDGE_INTEL_SANDYBRIDGE || \ 81 NORTHBRIDGE_INTEL_HASWELL || \ 82 SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \ 83 SOC_INTEL_KABYLAKE || SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL) 84 help 85 Use me_cleaner to remove all the non-fundamental code from the Intel 86 ME/TXE firmware. 87 The resulting Intel ME/TXE firmware will have only the code 88 responsible for the very basic hardware initialization, leaving the 89 ME/TXE subsystem essentially in a disabled state. 90 91 Don't flash a modified ME/TXE firmware and a new coreboot image at the 92 same time, test them in two different steps. 93 94 WARNING: this tool isn't based on any official Intel documentation but 95 only on reverse engineering and trial & error. 96 97 See the project's page 98 https://github.com/corna/me_cleaner 99 or the wiki 100 https://github.com/corna/me_cleaner/wiki/How-to-apply-me_cleaner 101 https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F 102 https://github.com/corna/me_cleaner/wiki/me_cleaner-status 103 for more info about this tool 104 105 If unsure, say N. 106 107comment "Please test coreboot with the original, unmodified ME firmware before using me_cleaner" 108 depends on USE_ME_CLEANER 109 110config ME_CLEANER_ARGS 111 string 112 depends on USE_ME_CLEANER 113 default "-S" 114 115config MAINBOARD_USES_IFD_GBE_REGION 116 def_bool n 117 118config HAVE_GBE_BIN 119 bool "Add gigabit ethernet configuration" 120 depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_GBE_REGION 121 help 122 The integrated gigabit ethernet controller needs a configuration 123 file. Select this if you are going to use the PCH integrated 124 controller and want to add that file. 125 126config GBE_BIN_PATH 127 string "Path to gigabit ethernet configuration" 128 depends on HAVE_GBE_BIN 129 default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/gbe.bin" 130 131config MAINBOARD_USES_IFD_EC_REGION 132 def_bool n 133 134config HAVE_EC_BIN 135 bool "Add EC firmware" 136 depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_EC_REGION 137 help 138 The embedded controller needs a firmware file. 139 140 Select this if you are going to use the PCH integrated controller 141 and have the EC firmware. EC firmware will be added to final image 142 through ifdtool. 143 144config EC_BIN_PATH 145 string "Path to EC firmware" 146 depends on HAVE_EC_BIN 147 default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/ec.bin" 148 149config MAINBOARD_USES_IFD_10GBE_0_REGION 150 def_bool n 151 152config HAVE_10GBE_0_BIN 153 bool "Add 10GbE Firmware Region 0" 154 depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_10GBE_0_REGION 155 help 156 The 10GbE region firmware file for LAN device 0. 157 158 Select this if you are going to use the 10GbE 0 region and have the 159 firmware. The firmware will be added to final image through ifdtool. 160 161config 10GBE_0_BIN_PATH 162 string "Path to 10GbE region 0 firmware" 163 depends on HAVE_10GBE_0_BIN 164 default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/10gbe0.bin" 165 166config MAINBOARD_USES_IFD_10GBE_1_REGION 167 def_bool n 168 depends on MAINBOARD_USES_IFD_10GBE_0_REGION 169 170config HAVE_10GBE_1_BIN 171 bool "Add 10GbE Firmware Region 1" 172 depends on HAVE_IFD_BIN && MAINBOARD_USES_IFD_10GBE_1_REGION 173 help 174 The 10GbE region firmware file for LAN device 1. 175 176 Select this if you are going to use the 10GbE 1 region and have the 177 firmware. The firmware will be added to final image through ifdtool. 178 179config 10GBE_1_BIN_PATH 180 string "Path to 10GbE region 1 firmware" 181 depends on HAVE_10GBE_1_BIN 182 default "3rdparty/blobs/mainboard/\$(MAINBOARDDIR)/10gbe1.bin" 183 184choice 185 prompt "Protect flash regions" if HAVE_IFD_BIN 186 default UNLOCK_FLASH_REGIONS if HAVE_IFD_BIN 187 help 188 This option allows you to protect flash regions. 189 190config DO_NOT_TOUCH_DESCRIPTOR_REGION 191 bool "Use the preset values to protect the regions" 192 help 193 Read and write access permissions to different regions in the flash 194 can be controlled via dedicated bitfields in the flash descriptor. 195 These permissions can be modified with the Intel Flash Descriptor 196 Tool (ifdtool). If you don't want to change these permissions and 197 keep the ones provided in the initial descriptor, use this option. 198 199config LOCK_MANAGEMENT_ENGINE 200 bool "Lock ME/TXE section" 201 help 202 The Intel Firmware Descriptor supports preventing write and read 203 accesses from the host to the ME or TXE section. If the section 204 is locked, it can only be overwritten with an external SPI flash 205 programmer or HECI HMRFPO_ENABLE command needs to be sent to CSE 206 before writing to the ME Section. If CSE Lite SKU is integrated, 207 the Kconfig prevents only writing to the ME section. 208 209 If unsure, select "Unlock flash regions". 210 211config UNLOCK_FLASH_REGIONS 212 bool "Unlock flash regions" 213 help 214 All regions are completely unprotected and can be overwritten using 215 a flash programming tool. 216 217endchoice 218 219config CBFS_SIZE 220 default 0x100000 221 help 222 Reduce CBFS size to give room to the IFD blobs. 223 224endif #INTEL_FIRMWARE 225